Is it possible to get all the roles that meet a certain identity's criteria? I want to get the list of roles (via an ISC API call) that identity processing would ideally identify and then provision the assignments for.
Hi Nikesh.
It sounds like you are looking for a way to review which roles an identity would qualify for, if the identity were processed. This isn't a simple API call. You will need to pull down all of the roles and evaluate them locally compared to the identity's current attributes. Then you could output a list of any roles that match. The biggest challenge is the potential complexity of role criteria.
I wish I could give you a quick API request to meet your needs, but this will take some local development and testing, and it's not a use case I've worked on, so I don't have any code to share.
Matt
Hey Nikesh,
@MattUribe is right. There's no "given identity X, return all roles whose criteria they'd satisfy" preview API. ISC doesn't expose the role criteria evaluator as a standalone endpoint. If you want what identity processing actually assigned, read the processed result.
For one identity: GET /v2025/identities/{identityId}/role-assignments
Pass only the identity ID and you get role assignment references, not the full objects. For assigner, source, timestamps, etc., read each one by assignment ID:
GET /v2025/identities/{identityId}/role-assignments/{assignmentId}
Docs: List role assignments, Role assignment details.
For many identities: Hit Search against the identities index and pull roles out of innerHit:
POST /v2025/search?limit=250
Content-Type: application/json
{
"indices": ["identities"],
"queryType": "SAILPOINT",
"query": {
"query": "id:ef38f94347e94562b5bb8424a56397d8"
},
"innerHit": {
"type": "access",
"query": "@access.type:ROLE"
},
"queryResultFilter": {
"includes": [
"id",
"name",
"displayName",
"access.id",
"access.name",
"access.type"
]
}
}
For bulk export, query *, page with searchAfter, and map identity IDs to the role inner hits. Criteria-based grants are included because you're reading effective access from the identity index. Sukanta covered the scalable pattern here: Using /v3/roles endpoint to query criteria covered identity assignments.
If you actually need a "would qualify" preview: No API for it. You would pull the roles with their assignment criteria, pull the identity's current attributes/accounts/entitlements, and evaluate the criteria tree yourself. Only worth doing for a dry-run or planning use case. For what ISC actually assigned, process the identity and read the role assignments.
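Added example for the bulk-export pattern above (not code from the thread or from SailPoint): page the identities Search with searchAfter and reduce the role inner hits to an identity-to-roles map. The HTTP call is injected as a function so the paging and mapping logic runs offline against constructed sample pages; the request body is the one from the thread plus a stable sort on id, which searchAfter needs. The assumed response shape (a JSON array of identity documents, each with an access array) is what the search endpoint returns today, but confirm against your tenant.

```python
# Added example, not the thread's or SailPoint's code: searchAfter paging over
# the identities index and a reduction of role inner hits to {identity: roles}.
import json

SEARCH_BODY = {
    "indices": ["identities"],
    "queryType": "SAILPOINT",
    "query": {"query": "*"},
    "innerHit": {"type": "access", "query": "@access.type:ROLE"},
    "queryResultFilter": {
        "includes": ["id", "name", "displayName", "access.id", "access.name", "access.type"]
    },
    "sort": ["id"],  # searchAfter needs a stable sort key; id is unique
}


def paged_search(post, body, limit=250):
    """Yield every hit across pages.

    `post(body, limit)` performs the POST /v2025/search?limit=<limit> call and is
    assumed to return the decoded JSON array of hits. After a full page, the
    next request carries the sort value(s) of that page's last hit in searchAfter;
    a short page means the export is complete.
    """
    body = dict(body)  # do not mutate the caller's template
    while True:
        page = post(body, limit)
        yield from page
        if len(page) < limit:
            return
        body["searchAfter"] = [page[-1]["id"]]


def roles_by_identity(hits):
    """Map identity id -> sorted role names taken from the access inner hits.

    Only ROLE entries are kept, so the result stays correct even if the innerHit
    query is loosened later to include entitlements or access profiles.
    """
    out = {}
    for hit in hits:
        roles = [a["name"] for a in hit.get("access", []) if a.get("type") == "ROLE"]
        out[hit["id"]] = sorted(roles)
    return out


# Constructed sample data standing in for two pages of search results.
SAMPLE_PAGES = [
    [  # page 1 is full (limit 2), so the client must ask for another page
        {"id": "id-001", "name": "alice", "access": [
            {"id": "r1", "name": "Finance Analyst", "type": "ROLE"},
            {"id": "e9", "name": "SAP-FI", "type": "ENTITLEMENT"}]},
        {"id": "id-002", "name": "bob", "access": [
            {"id": "r2", "name": "Engineer", "type": "ROLE"},
            {"id": "r1", "name": "Finance Analyst", "type": "ROLE"}]},
    ],
    [  # page 2 is short, which ends the loop
        {"id": "id-003", "name": "carol", "access": []},
    ],
]


def fake_post(pages=SAMPLE_PAGES):
    """Return a stand-in for the HTTP call that replays the constructed pages
    and records the searchAfter value sent with each request."""
    state = {"i": 0, "seen": []}

    def post(body, limit):
        state["seen"].append(body.get("searchAfter"))
        page = pages[state["i"]]
        state["i"] += 1
        return page

    post.state = state
    return post


def export_roles(post=None, limit=2):
    """Run the full export; with no real client it uses the constructed pages."""
    post = post or fake_post()
    return roles_by_identity(paged_search(post, SEARCH_BODY, limit=limit))


if __name__ == "__main__":
    print(json.dumps(export_roles(), indent=2))
```

To run it for real, replace fake_post with a function that POSTs the body to /v2025/search with your bearer token and returns response.json(), and raise limit to 250 as in the thread.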
The approach that @punna0001 describes could work - if I'm understanding correctly:
- pull the roles and break down the criteria
- use the criteria from each role to perform a search: <roleCriteria> AND attributes.uid:<identity's uid>
- repeat #2 for each role and return the results
Something else that may be useful - I just remembered that there is a community tool provided by @ethompson during Developer Days 2024 that previews role changes using a PowerShell script. You can find the post here:
Hopefully that helps.
Matt
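Added example for the "would qualify" preview described in the two posts above (pull the roles, pull the identity's attributes, accounts and entitlements, evaluate each role's criteria tree locally). This is not code from the thread, from SailPoint, or from the Developer Days tool. The criteria tree shape (operation, key.type, key.property, key.sourceId, stringValue, children) is modelled on the membership object returned for a role, but treat the field names and the edge-case choices (case-insensitive matching, a missing attribute satisfying only NOT_EQUALS) as assumptions to confirm against your tenant before trusting a preview. The identity input format and the source id are constructed.

```python
# Added example, not code from the thread or from SailPoint: local evaluation of
# a role membership criteria tree as a dry-run "would this identity qualify".

LEAF_OPS = {
    "EQUALS":      lambda actual, want: actual == want,
    "NOT_EQUALS":  lambda actual, want: actual != want,
    "CONTAINS":    lambda actual, want: want in actual,
    "STARTS_WITH": lambda actual, want: actual.startswith(want),
    "ENDS_WITH":   lambda actual, want: actual.endswith(want),
}


def _values(identity, key):
    """Candidate string values a criterion key refers to (constructed input model):
    IDENTITY keys read identity attributes; ACCOUNT keys read attributes of the
    identity's account(s) on key.sourceId; ENTITLEMENT keys read the entitlement
    values held on that source under the named attribute."""
    prop = key["property"].split(".", 1)[-1]  # "attribute.department" -> "department"
    ktype = key["type"]
    if ktype == "IDENTITY":
        v = identity.get("attributes", {}).get(prop)
        return [] if v is None else [str(v)]
    accounts = [a for a in identity.get("accounts", []) if a.get("sourceId") == key.get("sourceId")]
    if ktype == "ACCOUNT":
        return [str(a["attributes"][prop]) for a in accounts if prop in a.get("attributes", {})]
    if ktype == "ENTITLEMENT":
        return [str(e) for a in accounts for e in a.get("entitlements", {}).get(prop, [])]
    raise ValueError(f"unknown key type {ktype}")


def matches(criteria, identity):
    """Recursively evaluate one criteria node.

    AND/OR combine children; a leaf is satisfied if ANY value of the referenced
    attribute satisfies it (an identity with several accounts on the source
    qualifies if one of them does). Assumptions made here: comparison is
    case-insensitive, and a missing attribute matches only NOT_EQUALS.
    """
    op = criteria["operation"]
    if op == "AND":
        return all(matches(c, identity) for c in criteria.get("children", []))
    if op == "OR":
        return any(matches(c, identity) for c in criteria.get("children", []))
    want = str(criteria.get("stringValue", "")).lower()
    values = [v.lower() for v in _values(identity, criteria["key"])]
    if not values:
        return op == "NOT_EQUALS"
    return any(LEAF_OPS[op](v, want) for v in values)


def qualifying_roles(roles, identity):
    """Names of STANDARD-membership roles whose criteria the identity meets.
    IDENTITY_LIST roles are direct assignments, not criteria-based, and are skipped."""
    out = []
    for role in roles:
        m = role.get("membership") or {}
        if m.get("type") == "STANDARD" and m.get("criteria") and matches(m["criteria"], identity):
            out.append(role["name"])
    return out


SRC = "src-0000-constructed"  # constructed source id, not a real tenant value

SAMPLE_ROLES = [  # constructed roles in the assumed membership shape
    {"name": "Finance Analyst", "membership": {"type": "STANDARD", "criteria": {
        "operation": "AND", "children": [
            {"operation": "EQUALS", "key": {"type": "IDENTITY", "property": "attribute.department"},
             "stringValue": "Finance"},
            {"operation": "OR", "children": [
                {"operation": "CONTAINS", "key": {"type": "ENTITLEMENT", "property": "attribute.memberOf",
                                                   "sourceId": SRC}, "stringValue": "CN=FIN-Analysts"},
                {"operation": "STARTS_WITH", "key": {"type": "ACCOUNT", "property": "attribute.title",
                                                      "sourceId": SRC}, "stringValue": "Senior"},
            ]},
        ]}}},
    {"name": "Contractor", "membership": {"type": "STANDARD", "criteria": {
        "operation": "NOT_EQUALS", "key": {"type": "IDENTITY", "property": "attribute.employeeType"},
        "stringValue": "Employee"}}},
    {"name": "Break-glass Admins", "membership": {"type": "IDENTITY_LIST", "identities": []}},
]

SAMPLE_IDENTITY = {  # constructed identity in the input model _values() expects
    "attributes": {"uid": "alice", "department": "finance", "employeeType": "Employee"},
    "accounts": [{"sourceId": SRC, "attributes": {"title": "Analyst II"},
                  "entitlements": {"memberOf": ["CN=FIN-Analysts,OU=Groups,DC=example,DC=com"]}}],
}

if __name__ == "__main__":
    print(qualifying_roles(SAMPLE_ROLES, SAMPLE_IDENTITY))
```

In practice you would fill roles from GET /v2025/roles (paging with offset/limit) and build the identity input from the identity's attributes, accounts and entitlements, then compare the preview with what GET /v2025/identities/{identityId}/role-assignments reports after processing; any difference points at an evaluator assumption that does not match ISC.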
GET /v2025/identities/{identityId}/role-assignments could also technically work. It looks like once the identity processing is complete, get role assignments does return all the "identified" roles that the user meets the criteria for, even if the entitlements within the role might not have been assigned on the source level. @MattUribe @punna0001
Thanks
Yes, once the identity processing is complete. I thought you were looking for a way to determine what roles would apply if processing were completed - like a preview. /v2025/identities/:identityId/role-assignments is definitely not a preview.