Hello Experts,
Can you please help me with how to get the entitlement membership via API in a PS script? I have checked, and there is no direct API to get the membership.
Is there any alternative way? Please help.
Thanks
Are you looking for this through APs or directly through ENTs?
Using the API, where I can provide the fetched EntitlementID details.
Correct me if I am wrong, please: so you are fetching ENT IDs and want to provide those IDs?
In my current PS, I am fetching all the entitlements, and based on that, I am obtaining the Entitlement ID.
Now, using the Entitlement ID, I am attempting to execute a search query to retrieve the Entitlement Membership details.
$searchUri = "https://$tenant.identitynow.com/api/v3/search"
write-host "searchUri is $searchUri"
$searchPayload = @{
    query = @{
        query = "@access(id:entitlementId)"
    }
}
$result = Invoke-RestMethod -Method Post -Uri $searchUri -Headers $headers -Body ($searchPayload | ConvertTo-Json -Depth 10)
Getting an error - result is @{response=; status=404; options=; message=Cannot POST /api/v3/search; name=NotFoundException}
Please correct me: is this the correct code snippet, or is there an alternative way to resolve this issue?
Hello,
Using the Search APIs is the best way to achieve it, and the approach you are trying is the correct one.
I think another approach you can use is to get the list of all identities that have access to that entitlement in ISC.
Something like the PowerShell script below.
# ========== CONFIGURATION ==========
$clientId = "<Your_Client_ID>"
$clientSecret = "<Your_Client_Secret>"
$tenant = "<your-tenant>" # e.g., yourcompany
$region = "identitynow.com" # Use identitynow.com or appropriate region
$sourceName = "SNOW_SOURCE_NAME"
$entitlementValue = "SNOW_ROLE_NAME"
$outputCsv = "SNOW_Entitlement_Assigned_Users.csv"

# ========== AUTHENTICATION ==========
$authUrl = "https://$tenant.api.$region/oauth/token"
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
}
$response = Invoke-RestMethod -Method Post -Uri $authUrl -Body $body
$token = $response.access_token

# ========== STEP 1: Get Entitlement ID ==========
$searchUrl = "https://$tenant.api.$region/v3/search"
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
$entitlementQuery = @{
    indices = @("entitlement")
    query = @{
        query = "value:`"$entitlementValue`" AND source.name:`"$sourceName`""
    }
} | ConvertTo-Json -Depth 5
$entitlementResponse = Invoke-RestMethod -Method Post -Uri $searchUrl -Headers $headers -Body $entitlementQuery
$entitlementId = $entitlementResponse.hits[0]._source.id
if (-not $entitlementId) {
    Write-Host "Entitlement not found. Exiting..."
    exit
}
Write-Host "Found Entitlement ID: $entitlementId"

# ========== STEP 2: Get Access Records for the Entitlement ==========
$accessQuery = @{
    indices = @("access")
    query = @{
        query = "entitlement.id:`"$entitlementId`""
    }
    includeNested = $true
} | ConvertTo-Json -Depth 5
$accessResponse = Invoke-RestMethod -Method Post -Uri $searchUrl -Headers $headers -Body $accessQuery

# ========== STEP 3: Extract Identities ==========
$identityList = @()
foreach ($hit in $accessResponse.hits) {
    $identity = $hit._source.identity
    $entitlement = $hit._source.entitlement
    $identityList += [PSCustomObject]@{
        IdentityName     = $identity.name
        IdentityEmail    = $identity.email
        EntitlementValue = $entitlement.value
    }
}

# Output to console
$identityList | Format-Table -AutoSize

# Export to CSV
$identityList | Export-Csv -Path $outputCsv -NoTypeInformation
Write-Host "`nResults exported to: $outputCsv"
You got the endpoint wrong here. Use https://$tenant.api.identitynow.com/v3/search instead.
Yes, I have approached the same, but there is some issue in the Body part and I am getting a 400 error.
Yeah, I noticed that later and changed it, but no luck.
Another way you can do it is to loop over APs and identities and have logic in PS such as
$apMatches = $ap.items | Where-Object { $_.entitlements -contains $entitlementId }
I just wrote this on the fly.
Loop over it, map where the ENT ID is found, and get the CSV.
Use the code below.
# ========== CONFIGURATION ==========
$clientId = "<Your_Client_ID>"
$clientSecret = "<Your_Client_Secret>"
$tenant = "<your-tenant>" # e.g., yourcompany
$region = "identitynow.com" # Use identitynow.com or appropriate region
$sourceName = "SNOW_SOURCE_NAME"
$entitlementName = "SNOW_ROLE_NAME" # entitlement name used by the Step 1 query
$outputCsv = "SNOW_Entitlement_Assigned_Users.csv"

# ========== AUTHENTICATION ==========
$authUrl = "https://$tenant.api.$region/oauth/token"
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
}
$response = Invoke-RestMethod -Method Post -Uri $authUrl -Body $body
$token = $response.access_token

# ========== STEP 1: Get Entitlement ID ==========
$searchUrl = "https://$tenant.api.$region/v3/search"
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
$entitlementQuery = @{
    indices = @("entitlement")
    query = @{
        query = "name:`"$entitlementName`" AND source.name:`"$sourceName`""
    }
} | ConvertTo-Json -Depth 5
$entitlementResponse = Invoke-RestMethod -Method Post -Uri $searchUrl -Headers $headers -Body $entitlementQuery
$entitlementId = $entitlementResponse.hits[0]._source.id
if (-not $entitlementId) {
    Write-Host "Entitlement not found. Exiting..."
    exit
}
Write-Host "Found Entitlement ID: $entitlementId"

# ========== STEP 2: Get Access Records for the Entitlement ==========
$accessQuery = @{
    indices = @("access")
    query = @{
        query = "entitlement.id:`"$entitlementId`""
    }
    includeNested = $true
} | ConvertTo-Json -Depth 5
$accessResponse = Invoke-RestMethod -Method Post -Uri $searchUrl -Headers $headers -Body $accessQuery

# ========== STEP 3: Extract Identities ==========
$identityList = @()
foreach ($hit in $accessResponse.hits) {
    $identity = $hit._source.identity
    $entitlement = $hit._source.entitlement
    $identityList += [PSCustomObject]@{
        IdentityName     = $identity.name
        IdentityEmail    = $identity.email
        EntitlementValue = $entitlement.value
    }
}

# Output to console
$identityList | Format-Table -AutoSize

# Export to CSV
$identityList | Export-Csv -Path $outputCsv -NoTypeInformation
Write-Host "`nResults exported to: $outputCsv"
I have changed the 1st search query. Refer to the below.
Instead of the entitlement value, provide the entitlement name and see whether you are getting the expected results. Also, can you please provide your updated code here?
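
An added example (not code from any poster in this thread) of the approach discussed above: send the entitlement ID to the corrected `/v3/search` endpoint and page through the identities that hold it. It assumes the `identities` index, the `@access(id:...)` query form from the original post, and that the endpoint returns a JSON array of identity documents; the environment variable names and the output file name are hypothetical.

```powershell
# Added example (not from the thread): page through identities holding one entitlement.
# Assumed: 'identities' index, @access(id:...) query, and a JSON array response body.
$tenant        = '<your-tenant>'
$entitlementId = '<entitlement-id>'   # placeholder: ID fetched earlier in your script
$baseUrl       = "https://$tenant.api.identitynow.com"

# Take the client credentials from the environment instead of hard-coding them.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $env:ISC_CLIENT_ID       # hypothetical variable names
    client_secret = $env:ISC_CLIENT_SECRET
}
$token   = (Invoke-RestMethod -Method Post -Uri "$baseUrl/oauth/token" -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token" }

$members     = [System.Collections.Generic.List[object]]::new()
$searchAfter = $null
do {
    $payload = @{
        indices = @('identities')
        query   = @{ query = "@access(id:`"$entitlementId`")" }
        sort    = @('id')          # searchAfter paging needs a stable sort
    }
    if ($searchAfter) { $payload.searchAfter = @($searchAfter) }

    $count = 0
    try {
        $page = Invoke-RestMethod -Method Post -Uri "$baseUrl/v3/search?limit=250" `
            -Headers $headers -ContentType 'application/json' `
            -Body ($payload | ConvertTo-Json -Depth 5)
    } catch {
        # Report the failure (e.g. 400 bad body vs 404 bad URL) and stop paging.
        Write-Error "Search request failed: $($_.Exception.Message)"
        break
    }
    foreach ($identity in $page) {
        $members.Add([PSCustomObject]@{
            IdentityId    = $identity.id
            IdentityName  = $identity.name
            IdentityEmail = $identity.email
        })
        $searchAfter = $identity.id
        $count++
    }
} while ($count -eq 250)

$members | Export-Csv -Path 'Entitlement_Members.csv' -NoTypeInformation
Write-Host "Exported $($members.Count) identities"
```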