Hello,
As per the documentation, we had a PAT(of an org admin user) with the idn:entitlement:manage scope set up for entitlement aggregation for a connected source. But we are hitting internal 500 error.
When the API is run with a scope all PAT (same user) it returns 202.
Could anyone advise what we should be looking into?
Hi @sreeram
There seems to be an error in the documentation. The permission idn:sources:manage works as expected.
Thank you
what is the content-type for this in your call? make sure it is : multipart/form-data
scopes: idn:entitlement:manage should work as well as the higher level permissions idn:sources:manage
Hi @lampard08,
Its a connected source, the call should work without the Content-Type header. The header is only required for disconnected sources.
The call fails if its just the idn:entitlement:manage and idn:sources:manage in scope.
The call went thru with the following scope
idn:sources:manageidn:sources:readidn:entitlement:manageI am surprised to see why idn:sources:read would be needed when idn:sources:manage is defined. @colin_mckibben Could you please confirm?
interesting indeed. Can you try using Beta APIs Entitlement Aggregation : import-entitlements | SailPoint Developer Community without idn:sources:read.
I know its deprecated in v2025 but just curious how this responds.
I was hoping to see 401 or 403 if the scope is not matching but 500 is unexpected i think.
Now the calls going thru with
idn:sources:manageidn:entitlement:manageNow, unsure why a few hours back the scope needed idn:sources:read and now its not required.
You mean the beta worked without source:read but v2005 did not?
No its working across both.
Interesting. someone from support must be following your post 
I posted a bug report after posting it here, but I did not see any activity on it tho.
I have the same issue.Do you resolve this problem?
Hello @TOPTYU ,
Yes, the following scope worked for me
Idn:sources:manage
I would suggest you added the following as well
idn:entitlement:manage