Entitlement search query

Hi all,

Is there any OOTB or custom solution to search the AD entitlements in ISC using attributes like Group type or group scope?

Thanks,
Nikhlesh

Hi Nikhlesh,
I have had a look at the 2024 and beta APIs for entitlements and unfortunately have not been able to find a way to reference GroupType or GroupScope.
Tony

However, if you use the entitlements API to search for AD entitlements, GroupType and GroupScope are returned in the JSON response.

Yes, using entitlements it will give all the entitlements in a source, but we want to search entitlements in a source based on group type or group scope.

Hi @nikhleshsdg,

You can build your search query, like below:

attribute:memberof AND value:"*OU=abc1,OU=Groups,OU=AD_XYZ,DC=xyz,DC=com*"

You can update the value as you need, to scope your search to find the required entitlements.

Hope this will help.

Hi @shekhardas1825,

I need a query, or any other way, maybe using the API, to search entitlements like “groupType:Security”, so that it will give all the security groups in AD.

Thanks.

Looking at the available APIs, it doesn’t look like this is currently supported. Entitlement filters are restricted to the following in V3/Beta and 2024:

Filtering is supported for the following fields and operators:

id: eq, in
name: eq, in, sw
type: eq, in
attribute: eq, in
value: eq, in, sw
source.id: eq, in
requestable: eq
created: gt, lt, ge, le
modified: gt, lt, ge, le
owner.id: eq, in
Example: attribute eq “memberOf”

It would be great to add attributes to this so you could do attributes.GroupType eq “Security”. Perhaps an enhancement request?

Yes, the filter we require is not available here. So, check if anything can be done.

We will see if any idea needs to be added for this, as it will be a time-consuming task even if SailPoint agrees to add this.

Thanks.

Are you only looking to search and extract the data?

Yes, and later if possible, I will access it through API call.

In that case, could you script the API call using PowerShell or similar, get the JSON response and filter the data based on your requirement, like groupType eq “Security”?

We are doing this currently, but it is not that efficient if we need this information multiple times, as the entitlement count could be anything.
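An added example, not code from any poster or from SailPoint: one way to make the client-side filtering described above cheaper on repeat runs is to keep a local index, refresh it with the `modified gt` filter from the supported list, and match on `attributes.GroupType` or `GroupScope` locally. Assumptions: `fetch_page` is a hypothetical wrapper around the entitlements list call, filter clauses can be joined with `and`, and each record carries `id`, `modified` (ISO 8601 UTC) and an `attributes` object.

```python
PAGE_SIZE = 250  # assumed page size for limit/offset paging

def fetch_all(fetch_page, filters):
    """Collect every page; a short page marks the end."""
    offset, items = 0, []
    while True:
        page = fetch_page(filters, offset, PAGE_SIZE)
        items.extend(page)
        if len(page) < PAGE_SIZE:
            return items
        offset += PAGE_SIZE

class EntitlementIndex:
    """Local copy of one source's entitlements, refreshed incrementally."""
    def __init__(self, source_id):
        self.source_id = source_id
        self.by_id = {}
        self.watermark = None  # newest 'modified' value seen so far

    def refresh(self, fetch_page):
        """Full pull the first time, then only records modified since the watermark."""
        filters = f'source.id eq "{self.source_id}"'
        if self.watermark:
            filters += f" and modified gt {self.watermark}"
        changed = fetch_all(fetch_page, filters)
        for ent in changed:
            self.by_id[ent["id"]] = ent
            self.watermark = max(self.watermark or "", ent["modified"])
        return len(changed)  # deleted entitlements are not detected this way

    def search(self, **wanted):
        """Entitlements whose attributes equal every given value, ignoring case."""
        def match(ent):
            attrs = ent.get("attributes") or {}
            return all(str(attrs.get(k, "")).lower() == str(v).lower()
                       for k, v in wanted.items())
        return [e for e in self.by_id.values() if match(e)]

SAMPLE = [  # constructed records, shaped like the JSON the thread describes
    {"id": "e1", "modified": "2024-05-01T10:00:00Z", "attributes": {"GroupType": "Security", "GroupScope": "Global"}},
    {"id": "e2", "modified": "2024-05-02T10:00:00Z", "attributes": {"GroupType": "Distribution", "GroupScope": "Universal"}},
]

def fake_fetch(filters, offset, limit):
    """Offline stand-in for the HTTP call; honours only the 'modified gt' clause."""
    since = filters.split(" modified gt ")[1] if " modified gt " in filters else ""
    rows = [e for e in SAMPLE if e["modified"] > since]
    return rows[offset:offset + limit]
```

Because an incremental pull never reports removed groups, a periodic full rebuild of the index is still needed to drop entitlements deleted from the source.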

Hi @nikhleshsdg ,

Currently we cannot even search group type using inner hits in the search API.

One custom solution can be using tags: tag all the specific group type entitlements under one tag and segregate them. The initial effort would be more, and later on, whenever a new entitlement is added, we need to maintain the tag base.