Filter users by entitlement - SCIM API

IdentityIQ (IIQ) IIQ Discussion and Questions
1

Hi, is it possible to filter users by entitlement? I’d like to get an entitlement’s membership.

Here is the filter I tried:

http://localhost:8080/identityiq/scim/v2/Users?filter=urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements.display eq "GROUP_A"

but I’m getting the following error :

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "invalidFilter",
    "detail": "Invalid filter, attribute does not support search: urn:ietf:params:scim:schemas:sailpoint:1.0:User:entitlements.display",
    "status": "400"
}

Is there a different endpoint/filter that would let me filter by entitlement’s name or display?

Thanks

2

Did you ever figure out an alternate solution for this?

3

Hi Rachael

I ended up creating a custom endpoint to get the desired data. I used the following filter.

ManagedAttribute ent = context.getObjectById(ManagedAttribute.class, id);

Filter filterEntitlement = Filter.and(Filter.and(Filter.eq("application.name", "YOUR_APP"),
										Filter.eq("name", "memberOf"), 
										Filter.eq("aggregationState", AggregationState.Connected),
										Filter.eq("value", ent.getValue())));

			Filter filter = Filter.collectionCondition("identityEntitlements", filterEntitlement);
			QueryOptions qo = new QueryOptions();
			qo.addFilter(filter);

			List<Identity> ids = context.getObjects(Identity.class, qo);
1 Like