Filter entitlements for an application for a user

jiteshjain_scb · January 25, 2022, 1:22pm

Hi Team,

I am trying to fetch list of user entitlements assigned for a application for a User. I have tried below filter options with no luck

Has anyone tried this before?

https://{{master}}:12105/identityiq/scim/v2/Users/8a46a41870f85ab40171078e23a73049?attributes=userName,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements&filter=urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements[application eq "IBM DB2 Database Server"]

yannick_beot · January 26, 2022, 10:50am

Hello @jiteshjain_scb
Welcome to the community!

The endpoint /Users/{{id}} does not support filtering.

You got it right to specify the urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements in the attributes parameter but you need to filter on the client side.

adam_creaney · January 26, 2022, 8:02pm

So, you may be able to get around this instead by searching on the /Accounts endpoint with a filter for the identity ID you are looking for (same one used in your call to GET /Users) and then the ID of the application you are looking at, ex:

http://{{identityiqHost}}/{{identityiqAppName}}/scim/v2/Accounts?filter=identity eq “8a8080824df45873014df45bdd9300dd” and application eq “0a0000017ba71589817e92d46c311b98”

This will return JSON of the Link object associated with the user, as well as the attributes that represent the groups assigned to the user. In this case you’d have to be familiar enough with the application itself to know which attribute indicates group/entitlement.

jiteshjain_scb · January 27, 2022, 3:10am

@yannick_beot - Thanks for highlighting that /Users/{{id}} doesn’t support filtering.

I tried below using a filter but still wasnt able to get it working

https://{{master}}:12105/identityiq/scim/v2/Users?filter=userName eq "1605124" and urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements[application eq "IBM DB2 Database Server"]&attributes=userName,urn:ietf:params:scim:schemas:sailpoint:1.0:User:accounts,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements

jiteshjain_scb · January 27, 2022, 3:12am

@adam_creaney - Thanks your suggested workaround worked.
However, I wonder if there is a way to get a filter at /Users working. I tried below as well with no luck

https://{{master}}:12105/identityiq/scim/v2/Users?filter=userName eq "1605124" and urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements[application eq "IBM DB2 Database Server"]&attributes=userName,urn:ietf:params:scim:schemas:sailpoint:1.0:User:accounts,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements

yannick_beot · January 27, 2022, 8:11am

Hello @jiteshjain_scb
The syntax for filtering attributes (e.g. attrPath "[" valFilter "]" as described in RFC7644) is not supported by IdentityIQ.

dragolo3 · June 21, 2023, 4:04pm

This is still not fix in 8.3, is there a workaround as trying to return all users that have role e.g.

Search Filter
urn:ietf:params:scim:schemas1.0:User:roles[display eq “myrole”]

Data format
“urn:ietf:params:scim:schemas1.0:User”: {
“roles”: [
{
“application”: “AD”,
“accountName”: “username”,
“display”: “myrole”,
“type”: “business”,
“value”: “assignedRoles”,
“$ref”: “https://localhost/identityiq/xxxxx”,
“acquired”: “Assigned”
},

system · August 20, 2023, 4:05pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.