Get entitlements and roles information from a user

Hi community,

I am relatively new to ISC; I come more from an IIQ background. I have a requirement where I have to retrieve the entitlements and roles assigned to a user. I saw this in other similar posts, but I also have to retrieve additional information like who requested that entitlement/role, the timestamp of when it was granted, whether the role is requestable or not, and the risk rating of that entitlement/role.

I think the better way, or best practice, is to do it using the Search API. So far I have got most of the information that I need (id, displayName, etc.) using this:

{
  "indices": ["identities"],
  "query": {
    "query": "id://USER_ID//"
  },
  "includeNested": true,
  "queryResultFilter": {
    "includes": [
      "access"
    ]
  }
}

My questions are:

  1. How can I retrieve the other information that I mentioned, like who requested that entitlement/role, the timestamp of when it was granted, etc.?
  2. How complex can the body of the Search API call be? I know this might require multiple calls to the Search API with different bodies, but is it possible, or not recommended, to do it all in a single search call?

Thank you in advance!

Hi Luis,

Welcome to the SailPoint Community,

Approach 1: If you prefer using the search functionality with the identity:

In the search bar, enter “Luis”.

Navigate to Events, select the required columns, and apply filters based on access requests.

Approach 2: Use a PowerShell script to pull records. You can customize it based on your requirements.

PowerShell Script Sample

# Define API endpoint and token (replace YOUR_TENANT and YOUR_ACCESS_TOKEN with your own values)
$BaseUrl = "https://YOUR_TENANT.api.identitynow.com/v3/search"
$Token = "Bearer YOUR_ACCESS_TOKEN"

# Build the search JSON for events related to provisioning (access requests).
# The quotes around the identity name sit inside a JSON string, so they must be escaped.
# Every name in "includes" must be a field that exists in the events index; compare
# against a raw event document from your tenant before narrowing the result.
$SearchBody = @"
{
  "indices": ["events"],
  "query": {
    "query": "type:PROVISIONING AND identity.name:\"john.doe\""
  },
  "includeNested": true,
  "queryResultFilter": {
    "includes": [
      "identity.name",
      "requestedBy",
      "requestedDate",
      "access.name",
      "access.type",
      "access.requestable",
      "access.riskLevel"
    ]
  }
}
"@

# Invoke the API. The here-string is already JSON text, so it is sent as the body directly;
# no ConvertFrom-Json / ConvertTo-Json round trip is needed.
try {
    $Result = Invoke-RestMethod -Uri $BaseUrl -Method Post -Headers @{
        "Authorization" = $Token
        "Content-Type"  = "application/json"
    } -Body $SearchBody

    # The search endpoint returns a bare JSON array of documents, so iterate $Result itself
    $Result | ForEach-Object {
        Write-Host "Identity: $($_.identity.name)"
        Write-Host "Requested By: $($_.requestedBy)"
        Write-Host "Requested Date: $($_.requestedDate)"
        Write-Host "Access Name: $($_.access.name)"
        Write-Host "Access Type: $($_.access.type)"
        Write-Host "Risk Level: $($_.access.riskLevel)"
        Write-Host "Requestable: $($_.access.requestable)"
        Write-Host "-----------------------------------"
    }
} catch {
    Write-Host "Error: $($_.Exception.Message)"
}

-Mahesh

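The two lookups behind Approach 2, written out in Python as an added example (not code from this thread or from SailPoint): one Search API call against the identities index for the identity's nested access array, one against the events index for the request and provisioning events that target the identity, and a join between the two. Both calls page with sort plus searchAfter so the script is not capped at a single page. The event field names (type, created, actor.name, target.name, attributes) and the rule that an event's attribute values carry the access item's name are assumptions about the index schema, not facts from the page; compare them with a raw document from your tenant before trusting the join. constructed_poster serves constructed sample documents so the script runs offline; http_poster is the live equivalent.

```python
"""Added example (not from the thread): an identity's access array joined to the
ACCESS_REQUEST / PROVISIONING events that mention each item, via POST /v3/search
with sort + searchAfter paging. Event field names and the join rule are assumptions."""
import json
import urllib.request
from typing import Callable, Iterator

Poster = Callable[[dict, int], list]  # (search body, page limit) -> list of documents

def identity_access_body(identity_name: str) -> dict:
    """Identity document with its nested access array; includeNested is what returns it."""
    return {"indices": ["identities"],  # index names are lowercase
            "query": {"query": f'name:"{identity_name}"'},
            "includeNested": True,
            "queryResultFilter": {"includes": ["id", "name", "access"]},
            "sort": ["id"]}

def events_body(identity_name: str) -> dict:
    """Request/provisioning events targeting the identity (field names are assumptions)."""
    return {"indices": ["events"],
            "query": {"query": f'target.name:"{identity_name}" AND type:(ACCESS_REQUEST OR PROVISIONING)'},
            "queryResultFilter": {"includes": ["id", "type", "created", "actor.name", "target.name", "attributes"]},
            "sort": ["created", "id"]}  # `id` as tiebreaker so searchAfter never skips a document

def search_all(post: Poster, body: dict, page_size: int = 250) -> Iterator[dict]:
    """Yield every hit, advancing searchAfter from the last document's sort values."""
    body = dict(body)
    while True:
        page = post(body, page_size)
        yield from page
        if len(page) < page_size:
            return
        body["searchAfter"] = [page[-1][key] for key in body["sort"]]

def http_poster(tenant: str, token: str) -> Poster:
    """Live poster for https://{tenant}.api.identitynow.com/v3/search; json.dumps does the quoting."""
    def post(body: dict, limit: int) -> list:
        req = urllib.request.Request(
            f"https://{tenant}.api.identitynow.com/v3/search?limit={limit}", method="POST",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post

def constructed_poster(docs_by_index: dict) -> Poster:
    """Offline stand-in honouring the same sort/searchAfter/limit contract (query text is not parsed)."""
    def post(body: dict, limit: int) -> list:
        key = lambda d: [d[k] for k in body["sort"]]
        after = body.get("searchAfter")
        docs = sorted(docs_by_index[body["indices"][0]], key=key)
        return [d for d in docs if after is None or key(d) > after][:limit]
    return post

def _mentions(event: dict, access_name: str) -> bool:
    """Assumed join rule: the access item's name appears among the event's attribute values."""
    values = event.get("attributes", {}).values()
    return any(v == access_name or (isinstance(v, list) and access_name in v) for v in values)

def access_report(identity_name: str, post: Poster, page_size: int = 250) -> list:
    """One row per access item: requester and request time from the ACCESS_REQUEST event,
    grant time from the newest PROVISIONING event; all None for access nobody requested."""
    identities = list(search_all(post, identity_access_body(identity_name), page_size))
    if not identities:
        return []
    events = list(search_all(post, events_body(identity_name), page_size))
    rows = []
    for item in identities[0].get("access", []):
        related = [e for e in events if _mentions(e, item["name"])]
        requests = [e for e in related if e["type"] == "ACCESS_REQUEST"]
        grants = [e for e in related if e["type"] == "PROVISIONING"]
        rows.append({"access": item["name"], "type": item["type"],
                     "requested_by": requests[0]["actor"]["name"] if requests else None,
                     "requested_at": requests[0]["created"] if requests else None,
                     "granted_at": max(e["created"] for e in grants) if grants else None})
    return rows

def _event(eid: str, etype: str, created: str, actor: str, **attrs) -> dict:
    # one constructed event document in the assumed shape
    return {"id": eid, "type": etype, "created": created, "actor": {"name": actor},
            "target": {"name": "luis.perez"}, "attributes": attrs}

# Constructed sample documents (not tenant data); page_size=2 forces a searchAfter round trip.
SAMPLE = {
    "identities": [{"id": "id-1", "name": "luis.perez", "access": [
        {"id": "r-1", "type": "ROLE", "name": "Finance Analyst"},
        {"id": "r-2", "type": "ROLE", "name": "All Employees"},  # birthright: no request event
        {"id": "e-1", "type": "ENTITLEMENT", "name": "GL_READ"}]}],
    "events": [
        _event("ev-1", "ACCESS_REQUEST", "2024-03-01T09:00:00Z", "maria.gomez",
               accessItems=["Finance Analyst", "GL_READ"]),
        _event("ev-2", "PROVISIONING", "2024-03-01T09:05:00Z", "System", accessItem="Finance Analyst"),
        _event("ev-3", "PROVISIONING", "2024-03-02T11:00:00Z", "System", accessItem="GL_READ")],
}

if __name__ == "__main__":
    for row in access_report("luis.perez", constructed_poster(SAMPLE), page_size=2):
        print(row)
```

An access item with no matching request event, such as a birthright role assigned by identity criteria, comes back with requested_by and requested_at set to None, which is what separates automated assignment from a request in the output. Whether a role or entitlement is requestable is a property of the role or entitlement document itself, so it needs a third query against the roles or entitlements index rather than the identity's access array. Building the body as a dict and letting json.dumps serialise it also avoids the escaping mistakes that hand-written JSON strings with quoted identity names tend to pick up.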

@uppala Will this also retrieve the roles assigned by the automation (e.g. birthright roles, granted by some identity criteria)?

If you use the events endpoint, yes, it pulls all access assigned to the user.


Hi Mahesh,

Thanks for the response. I tried your suggestion, but the API is returning nothing, just an empty array (see below)... I searched for the target identity in the UI to see if it has events... and yes! The identity has about 39 events, but I can't pull those records.

Any idea why that is?

API Request:
