Filter entitlements for an application for a user

Hi Team,

I am trying to fetch a list of user entitlements assigned for an application for a User. I have tried the below filter options with no luck.

Has anyone tried this before?

https://{{master}}:12105/identityiq/scim/v2/Users/8a46a41870f85ab40171078e23a73049?attributes=userName,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements&filter=urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements[application eq "IBM DB2 Database Server"]

Hello @jiteshjain_scb
Welcome to the community!

The endpoint /Users/{{id}} does not support filtering.

You got it right to specify the urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements in the attributes parameter but you need to filter on the client side.

So, you may be able to get around this instead by searching on the /Accounts endpoint with a filter for the identity ID you are looking for (same one used in your call to GET /Users) and then the ID of the application you are looking at, ex:

http://{{identityiqHost}}/{{identityiqAppName}}/scim/v2/Accounts?filter=identity eq "8a8080824df45873014df45bdd9300dd" and application eq "0a0000017ba71589817e92d46c311b98"

This will return JSON of the Link object associated with the user, as well as the attributes that represent the groups assigned to the user. In this case you’d have to be familiar enough with the application itself to know which attribute indicates group/entitlement.

@yannick_beot - Thanks for highlighting that /Users/{{id}} doesn’t support filtering.

I tried below using a filter but still wasn't able to get it working

https://{{master}}:12105/identityiq/scim/v2/Users?filter=userName eq "1605124" and urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements[application eq "IBM DB2 Database Server"]&attributes=userName,urn:ietf:params:scim:schemas:sailpoint:1.0:User:accounts,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements

@adam_creaney - Thanks, your suggested workaround worked.
However, I wonder if there is a way to get a filter at /Users working. I tried below as well with no luck.

https://{{master}}:12105/identityiq/scim/v2/Users?filter=userName eq "1605124" and urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements[application eq "IBM DB2 Database Server"]&attributes=userName,urn:ietf:params:scim:schemas:sailpoint:1.0:User:accounts,urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements

Hello @jiteshjain_scb
The syntax for filtering attributes (e.g. attrPath "[" valFilter "]" as described in RFC7644) is not supported by IdentityIQ.

This is still not fixed in 8.3. Is there a workaround, as I am trying to return all users that have a role, e.g.

Search Filter
urn:ietf:params:scim:schemas:sailpoint:1.0:User:roles[display eq "myrole"]

Data format
"urn:ietf:params:scim:schemas:sailpoint:1.0:User": {
  "roles": [
    {
      "application": "AD",
      "accountName": "username",
      "display": "myrole",
      "type": "business",
      "value": "assignedRoles",
      "$ref": "https://localhost/identityiq/xxxxx",
      "acquired": "Assigned"
    },
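
The client-side filtering suggested in this thread, as an added example that is not part of the original posts or of IdentityIQ: it evaluates the attrPath[subAttr eq "value"] filter strings locally against a SCIM response fetched without that filter. The sample data is constructed, the function names are hypothetical, and the field names of the entitlements entries are an assumption (only the roles format is shown in the thread).

```python
import re

# Constructed sample shaped like a /Users ListResponse. The "roles" keys follow the
# data format quoted in the thread; the "entitlements" keys are an assumption.
EXT = "urn:ietf:params:scim:schemas:sailpoint:1.0:User"
SAMPLE = {"Resources": [
    {"userName": "1605124", EXT: {
        "entitlements": [
            {"application": "IBM DB2 Database Server", "value": "DBADM"},
            {"application": "AD", "value": "CN=Staff"}],
        "roles": [{"application": "AD", "display": "myrole", "type": "business"}]}},
    {"userName": "other.user", EXT: {
        "entitlements": [{"application": "AD", "value": "CN=Staff"}],
        "roles": []}},
]}

# Only the form attrPath[subAttr eq "value"] used in the thread is handled.
_VALFILTER = re.compile(
    r'^(?P<path>[^\[\]]+)\[\s*(?P<sub>[\w$]+)\s+eq\s+"(?P<val>[^"]*)"\s*\]$')


def parse_valfilter(expr):
    """Split a valFilter into (schema URN, attribute, sub-attribute, value)."""
    m = _VALFILTER.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    schema, _, attr = m["path"].rpartition(":")
    return schema, attr, m["sub"], m["val"]


def matching_values(resource, expr):
    """Entries of one resource's multi-valued attribute that satisfy expr."""
    schema, attr, sub, want = parse_valfilter(expr)
    container = resource.get(schema, {}) if schema else resource
    # Compared case-insensitively, assuming the sub-attribute is not caseExact.
    return [v for v in container.get(attr) or []
            if isinstance(v, dict) and str(v.get(sub, "")).casefold() == want.casefold()]


def filter_users(payload, expr):
    """Map userName -> matching entries for a single User or a ListResponse."""
    users = payload.get("Resources", [payload])
    hits = {u.get("userName"): matching_values(u, expr) for u in users}
    return {name: found for name, found in hits.items() if found}
```

Request the extension attribute through the attributes parameter, as in the first post, so the response carries the entitlements or roles to filter.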
