Exclude Role-Based Entitlements

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

  • I want to retrieve a list of entitlements that are directly assigned to users from target sources, and exclude any entitlements assigned via roles (Business Roles or IT Roles). This is needed for review or analysis purposes — without launching a certification.

Can you please confirm:

  • What is the best way to search or filter identities to display only direct entitlements?
  • Is there a way to do this via the Identity Cube view, debug pages, Identity Search, or BeanShell script?
  • Can I use something like entitlementAssignment == "Direct" in a report or rule to filter?

Hi @santhirajumunganda,

To view entitlements not granted by roles, open the identity from the Identity Warehouse and navigate to the Entitlement tab. Then, enable the “Show only additional entitlements” option. This will filter the list to display only the entitlements that have been directly assigned to the identity, excluding those inherited from roles.

@Arun-Kumar looks like he wants to retrieve a list of entitlements without having to manually open each identity. Seems like he’s looking for a logic or approach to programmatically pull the list of entitlements, ideally with a way to filter them.

1 Like

Thank you for your response. This is really useful for checking individual identities. However, could you please advise how we can perform this check for all identities at once?

Hi @santhirajumunganda

Please be careful when following the approach mentioned above:
Filtering for “Show only additional entitlements” will filter for so-called “exceptions”, so these are entitlements neither assigned via role nor directly.

In case a database query is an option for you, please inspect the table SPT_IDENTITY_ENTITLEMENT.
This table holds the information you are looking for.

The query should look something like the example below (please check for your needs):

select *
from spt_identity_entitlement
where assigned = 1
and granted_by_role = 0
and native_identity = '<Native_Identity_name>'
and assignment_id is not null
and source = 'LCM'
;

Otherwise you may be able to achieve the goal via the OOTB “Identity Entitlements Detail Report” - maybe this needs a bit of customization.

Best regards,
Daniel

1 Like
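
The follow-up question asked how to run this check for all identities at once. As an added example (not part of any post in this thread), the query above can be widened by dropping the per-account filter and joining to the identity and application tables. The columns identity_id, application, name and value, and the tables spt_identity and spt_application, are assumptions here and should be verified against your IIQ 8.3 schema; the filter columns are the ones used in the thread's query.

```sql
-- Added example: direct (non-role) entitlement assignments for all identities.
-- Filter columns (assigned, granted_by_role, assignment_id, source) are taken
-- from the query posted in the thread.
-- ASSUMPTIONS to verify against your schema: ie.identity_id, ie.application,
-- ie.name, ie.value, and the tables spt_identity / spt_application.
select i.name             as identity_name,
       a.name             as application_name,
       ie.native_identity as account_name,
       ie.name            as attribute_name,
       ie.value           as entitlement_value,
       ie.source          as assignment_source
from spt_identity_entitlement ie
-- Resolve the owning identity instead of filtering on one native_identity.
join spt_identity i
  on i.id = ie.identity_id
-- Inner join keeps only rows tied to an application (a target source).
join spt_application a
  on a.id = ie.application
where ie.assigned = 1
  and ie.granted_by_role = 0
  and ie.assignment_id is not null
  -- Kept from the thread's query; remove this line to include
  -- assignments recorded with any other source value.
  and ie.source = 'LCM'
order by i.name, a.name, ie.name, ie.value;
```

Run it read-only against a reporting copy of the database where possible, and spot-check a few identities against the Entitlement tab before relying on the output for an access review.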