Hello Team,
Is there any way we could extract all the roles that do not have approval process configured in IDN? For example, I would like to extract all the roles that start with “ABC” and do not have an approval process configured.
Hi @mwh1424
Try this query:
```
name:ABC* AND NOT _exists_:approvalProcess
```
Hello Sidharth, the query returns all the roles that start with ABC but does not filter the non approval roles.
Hi, try this:
```
name:All* AND NOT exists:approvalSchemes
```
Hello Syed,
The results are the same as before. I am getting all the roles starting with ABC, but they are not being filtered based on approval process.
Hussain …
No luck.
Through Search, [FAQs and Sample Data Models - SailPoint Identity Services](https://Search Role Model Data) do not have an object which gives approvers information.
```json
{
  "id":"2c918086749d78830174a1a40e121518",
  "name":"Role 2567",
  "created":"2021-03-01T22:32:58.104Z",
  "modified":"2021-03-02T20:22:28.104Z",
  "description":"Role description.",
  "enabled":true,
  "requestable":true,
  "dimensional":true,
  "owner":{
    "id":"2c9180a46faaabce45016fb4e018c20639",
    "type":"IDENTITY",
    "name":"Thomas Bravo"
  },
  "entitlements":[
    {
      "id":"2c91809773de45201abc3e122092014e",
      "name":"engineering",
      "description":"Engineering group",
      "hash":"2c91809773dee32014e45e1220920561",
      "attribute":"department",
      "value":"engineering",
      "sourceSchemaObjectType":"",
      "privileged":"true",
      "hasPermissions":"false"
    }
  ],
  "accessProfiles":[
    {
      "id":"ff80808abc1e6e145f1518161919ecca",
      "name":"Sales access"
    }
  ],
  "requestCommentsRequired":true,
  "accessProfileCount":1,
  "entitlementCount":1,
  "segmentCount":2,
  "dimensionCount":1,
  "dimensions":[
    {
      "id":"666ef506453311eeabc10242ac120002",
      "name":"Texas Sales access",
      "description":"Provide sales access to Texas only.",
      "entitlements":[
        {
          "id":"2c91809773dee345abc13e122092014e",
          "name":"engineering",
          "description":"Engineering group",
          "hash":"2c458abc73dee32014e13e1220920561",
          "attribute":"department",
          "value":"engineering",
          "sourceSchemaObjectType":"",
          "privileged":"true",
          "hasPermissions":"false"
        }
      ],
      "accessProfiles":[
        {
          "id":"ff808081751e6e459f1abc161919ecca",
          "name":"Sales access"
        }
      ]
    }
  ],
  "dimensionSchemaAttributeCount":1,
  "dimensionSchemaAttributes":[
    {
      "name":"identity_attribute_1",
      "displayName":"Identity attribute 1",
      "derived":false
    }
  ],
  "tags":[
    "tag-name-1"
  ],
  "segments":[
    {
      "id":"segment-2",
      "name":"segment-2"
    },
    {
      "id":"segment-1",
      "name":"segment-1"
    }
  ],
  "accessModelMetadata":[
    {
      "key":"regulatory1",
      "name":"Regulatory1",
      "type":"custom",
      "description":"Regulations associated with this access",
      "value":"gxp1",
      "valueName":"GxP1"
    }
  ]
}
```
Through API, we cannot filter approver based attributes.
You can write a PowerShell script to get these roles.
Thanks
Sid
Thank you for the insights Sid!
Sample workflow to get all the profiles that are requestable and have no approver set:
```json
{
  "version": 1,
  "self": {
    "type": "WORKFLOW",
    "name": "Vishal - Access Profiles without approver"
  },
  "object": {
    "name": "Vishal - Access Profiles without approver",
    "description": "This workflow \"Vishal - Access Profiles without approver\" is used to inform (email) about the Access Profiles that are set as requestable and no approver/reviewer is configured.",
    "modifiedBy": {
      "type": "IDENTITY",
      "name": "vishal"
    },
    "definition": {
      "start": "Define Variable 3",
      "steps": {
        "Define Variable 11": {
          "actionId": "sp:define-variable",
          "attributes": {
            "id": "sp:define-variable",
            "variables": [
              {
                "description": "",
                "name": "errorMessage",
                "transforms": [],
                "variableA.$": "$.hTTPRequest1.error.workflowErrorMessage"
              },
              {
                "description": "",
                "name": "step",
                "transforms": [],
                "variableA": "Error - Get LCE Disabled Identities"
              }
            ]
          },
          "displayName": "Log Error",
          "nextStep": "End Step - Failure",
          "type": "Mutation"
        },
        "Define Variable 3": {
          "actionId": "sp:define-variable",
          "attributes": {
            "id": "sp:define-variable",
            "variables": [
              {
                "description": "",
                "name": "baseUrl",
                "transforms": [],
                "variableA": "vkejriwal-sb.api.saas.sailpoint.com"
              },
              {
                "description": "",
                "name": "clientId",
                "transforms": [],
                "variableA": "XXXXXX"
              },
              {
                "description": "",
                "name": "emailDL",
                "transforms": [],
                "variableA": "emailDL@test.vishal.com"
              },
              {
                "description": "",
                "name": "PRODUCT_NAME",
                "transforms": [],
                "variableA": "ISC"
              }
            ]
          },
          "displayName": "Set environment parameters",
          "nextStep": "HTTP Request 1",
          "type": "Mutation"
        },
        "End Step - Failure": {
          "actionId": "sp:operator-failure",
          "description": null,
          "displayName": "",
          "failureDetails": "",
          "failureName": "Error modifying campaign",
          "type": "failure"
        },
        "HTTP Request 1": {
          "actionId": "sp:http",
          "attributes": {
            "authenticationType": "OAuth",
            "method": "get",
            "oAuthClientId.$": "$.defineVariable3.clientId",
            "oAuthClientSecret": null,
            "oAuthCredentialLocation": "oAuthInHeader",
            "oAuthScope": null,
            "oAuthTokenUrl": "https://{{$.defineVariable3.baseUrl}}/oauth/token",
            "url": "https://{{$.defineVariable3.baseUrl}}/v2025/access-profiles?filters=requestable%20eq%20true&sorters=-modified"
          },
          "catch": [
            {
              "next": "Define Variable 11"
            }
          ],
          "displayName": "Get Access Profiles",
          "nextStep": "Verify Data Type",
          "type": "action",
          "versionNumber": 2
        },
        "Send Email": {
          "actionId": "sp:send-email",
          "attributes": {
            "body": "<table>\n<tbody>\n<tr>\n<td>\n<p><img style=\"padding: 0px; text-align: center; height: auto; width: 100%; border: 0px;\" src=\"https://slack-imgs.com/?url=https%3A%2F%2Fimage.mail.vishal.com%2Flib%2Ffe3011717264047f731678%2Fm%2F1%2F30975455-e231-4849-9a48-bd83c65c1b02.jpeg\" alt=\"IdentityNow\" width=\"1200\"></p>\n</td>\n</tr>\n<tr>\n<td>\n<p>Hello,</p>\n<p>The following Access Profiles were detected for being marked as requestable and not having a reviewer.</p>\n#if($accessProfilesNames)\n<div><strong>Access Profiles:</strong></div>\n<ul>#if($accessProfilesNames.class.name == \"java.util.ArrayList\")#foreach ($accessProfileName in $accessProfilesNames)\n<li>$accessProfileName</li>\n#end\n#else\n\n<li>$accessProfilesNames</li>\n#end </ul>\n#end\n</td>\n</tr>\n<tr>\n<td>\n<p><strong>Have questions or need support?</strong></p>\n<ul>\n<li>Visit <a href=\"https://app.slack.com/client/test/test\">#ask-ISE(Update Link)</a> for ISE support</li>\n</ul>\n<p> </p>\n<p>Thanks,<br>The ${PRODUCT_NAME} Team</p>\n</td>\n</tr>\n</tbody>\n</table>",
            "context": {
              "PRODUCT_NAME.$": "$.defineVariable3.PRODUCT_NAME",
              "accessProfilesNames.$": "$.hTTPRequest1.body[?(@.accessRequestConfig.approvalSchemes.length() == 0)].name"
            },
            "from.$": "",
            "recipientEmailList.$": "$.defineVariable3.emailDL",
            "subject": "Access Profiles without reviewer"
          },
          "displayName": "",
          "nextStep": "Standing Access Revoked",
          "type": "action",
          "versionNumber": 2
        },
        "Standing Access Revoked": {
          "actionId": "sp:operator-success",
          "description": "Leaver standing access removed",
          "displayName": "End Step - Success",
          "type": "success"
        },
        "Verify Data Type": {
          "actionId": "sp:compare-unary",
          "choiceList": [
            {
              "comparator": "IsPresent",
              "nextStep": "Send Email",
              "variableA.$": "$.hTTPRequest1.body[?(@.accessRequestConfig.approvalSchemes.length() == 0)]"
            }
          ],
          "defaultStep": "Standing Access Revoked",
          "description": null,
          "displayName": "",
          "type": "choice"
        }
      }
    },
    "enabled": true,
    "creator": {
      "type": "IDENTITY",
      "name": "vishal"
    },
    "owner": {
      "type": "IDENTITY",
      "name": "igaAdmin"
    },
    "trigger": {
      "type": "SCHEDULED",
      "attributes": {
        "cronString": "0 0 * * *",
        "dailyTimes": [
          "1969-12-31T06:00:00Z"
        ],
        "frequency": "daily",
        "id": "idn:cron-schedule",
        "timeZone": "America/Chicago"
      }
    }
  }
}
```
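The workflow above checks access profiles, while the original question was about roles whose names start with "ABC". As an added example (not posted by anyone in this thread), the Python below applies the same empty-`approvalSchemes` test client-side to role objects and pages through an offset/limit list call. It assumes role objects carry `accessRequestConfig.approvalSchemes` the way the access profiles in the workflow do; `fetch_page`, `sample_fetch` and the sample roles are hypothetical and constructed.

```python
# Added example, not from the thread. Assumes role objects expose
# accessRequestConfig.approvalSchemes like the access profiles above.

def iter_pages(fetch_page, limit=50):
    """Yield every object from an offset/limit paginated list call."""
    # fetch_page(offset, limit) is a hypothetical wrapper around the HTTP GET.
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        yield from page
        if len(page) < limit:
            return
        offset += limit

def has_no_approval(role):
    """True when no approval scheme is configured. A missing or null
    accessRequestConfig / approvalSchemes counts as 'no approval'."""
    config = role.get("accessRequestConfig") or {}
    return not (config.get("approvalSchemes") or [])

def roles_without_approval(roles, prefix, requestable_only=True):
    """Sorted names of roles starting with prefix and lacking approval."""
    hits = []
    for role in roles:
        name = role.get("name") or ""
        if not name.startswith(prefix):
            continue
        if requestable_only and not role.get("requestable", False):
            continue  # not requestable, so no access-request approval applies
        if has_no_approval(role):
            hits.append(name)
    return sorted(hits)

# Constructed sample standing in for the API response.
SAMPLE_ROLES = [
    {"name": "ABC Finance", "requestable": True,
     "accessRequestConfig": {"approvalSchemes": [{"approverType": "MANAGER"}]}},
    {"name": "ABC Sales", "requestable": True,
     "accessRequestConfig": {"approvalSchemes": []}},
    {"name": "ABC HR", "requestable": True, "accessRequestConfig": None},
    {"name": "ABC Birthright", "requestable": False,
     "accessRequestConfig": {"approvalSchemes": []}},
    {"name": "XYZ Admin", "requestable": True,
     "accessRequestConfig": {"approvalSchemes": []}},
]

def sample_fetch(offset, limit):
    return SAMPLE_ROLES[offset:offset + limit]

if __name__ == "__main__":
    print(roles_without_approval(iter_pages(sample_fetch, limit=2), "ABC"))
```

Pass `requestable_only=False` to also list non-requestable roles that have no approval scheme.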