Entitlement Ownership : Search and Updates

Couple of questions of entitlements in IDN -
a) As per the search documentation (Searchable Fields - SailPoint Identity Services) for entitlements, it seems that owner is not a primary searchable field, but when we just put the word “owner” in the search box it does prompt for id, name, type etc. When I try building a query, say using owner.name:“”, it doesn’t return anything. So I wanted to understand if this is in-flight or a bug, or whether I am doing anything wrong here.

b) Is there a quick way of updating entitlement ownership rather than going to each entitlement and manually updating values there? I couldn’t see any CSV option or API option for this.


Hi @aditya_pathak

I looked into this, and yes you can search with owner.name:, but what I noticed was on the search UI, Entitlement Owner isn’t shown selectable as a column. Usually what I’ve seen is that if the fields are searchable, they show up here (I could be wrong here!).

I tried setting a new owner for an entitlement, and what I got back in the UI was this line:

I didn’t see the owner show up in the Access > Entitlements UI either in the column, but it did show up in the details pane from the source, and when you go into the edit UI.

I tried to check what response we get when IDN makes the API call to update the owner when it saves it from the UI, and what I saw is a structure like this:

I don’t see anything wrong with your query, as it is not nested or anything. owner.name, owner.id and owner.type should work. Just one thing to note is that the name isn’t the UID of the user, but looks like the display name.

I’m not aware of a way to bulk update owners at the entitlement level… but if you wanted to do it at an access profile level, the Ruby-based utility can help.

Thanks @sushant1. However, it doesn’t work for me with display name, username etc.

Unless there is a full text refresh equivalent task which needs to be triggered here (not sure if there’s anything like that in IDN).

Try with the exact keyword on the search and see if it works.

The use of exact keyword just makes the search case sensitive, so it was not relevant here. I was on the right track earlier; the issue was with entitlement aggregation taking a long time in my environment. When I checked today owner.name:“” works.

Hello! We are not able to search on the Entitlement Owner either - which we need, and yes used owner.name:“first last name” and owner.name:first last name

We did a fix recently - where we updated Entitlement Owners (since we use ManagedBy from AD for ownership vs. the owner attribute).

We noticed that this is showing correctly in our AD Source, but under the Entitlement Tab - I think there is a bug - because the entitlement owner does not show up - until you drill into the entitlement from this tab.

Screenshot from our SB.

G’day @MBowen did you try an entitlement agg after updating owners?

For me both entitlement tab and search work ok -

Yes, several times.

@MBowen did you get any solution for this?
I am also seeing the same issue.

The solution we thought we had - did not work. We had to manually set the owner name via the UI. However, we are still digging to see what we can do to fix this.

@rg111 @MBowen - did you guys by chance use the CSV upload feature for entitlements? If yes, maybe create another duplicate source and try with that, and if it works, remove the old one.


  • Captures the entitlements for Active Directory, looks at managedBy, then does a look up against IDN and captures the unique ID for the “owner” and sets it as such.

We tested over the weekend to see if it truly worked or not, and it does not look to.

CSV Upload Feature does not provide for Owner name when you pull it down. I will create a dupe source and test and see if it’s changed, but if it has - you would think existing sources would pull that down and allow for updates that way and then uploads (source → Active Directory → entitlements)

Confirmed - the current CSV download does not bring down the owner. Would be AWESOME if it did. (Submitting Idea).
