How to create a population that checks entitlement extended attribute

We have created an entitlement extended attribute “isSharedMailbox” which is getting set during group aggregation. Further, we want to create a user population of users who have entitlements where this attribute is set. How can we do this?

Hi Akshay,

Welcome to our Developer Community :slight_smile:

To create a population based on an attribute, the attribute must be searchable:

To create the population, go to Advanced Analytics, set a value for the Searchable attribute isSharedMailbox and run the Search.
On the result page: ‘Save Identities as Population’

I hope this helps :slight_smile:

– Remold

PS See this link for more information about extended attributes

Hi @aia-akshaymohite,

Please find below a sample GroupFilter XML which I tested in my local environment. This filter looks for all identities that have an entitlement in the Prism application where the entitlement extended attribute extGeography has the value Global.

  <GroupFilter>
    <CompositeFilter operation="AND">
      <Filter operation="EQ" property="identityEntitlements.name" value="groups"/>
      <Filter ignoreCase="true" operation="EQ" property="identityEntitlements.application.id" value="c0a800697d9e181c817d9f01ea3a0331"/>
      <Filter ignoreCase="true" operation="EQ" property="links.application.id" value="c0a800697d9e181c817d9f01ea3a0331"/>
      <Filter operation="IN" property="identityEntitlements.value" subqueryClass="sailpoint.object.ManagedAttribute" subqueryProperty="value">
        <SubqueryFilter>
          <Filter operation="EQ" property="extGeography" value="Global"/>
        </SubqueryFilter>
      </Filter>
    </CompositeFilter>
  </GroupFilter>

Replace value="groups" with the corresponding entitlement attribute name in the following line.

      <Filter operation="EQ" property="identityEntitlements.name" value="groups"/>

Replace the application id values in the following lines.

      <Filter ignoreCase="true" operation="EQ" property="identityEntitlements.application.id" value="c0a800697d9e181c817d9f01ea3a0331"/>
      <Filter ignoreCase="true" operation="EQ" property="links.application.id" value="c0a800697d9e181c817d9f01ea3a0331"/>

Also replace the property and value in this line with the attribute name and value. In this case, it will be isSharedMailbox and True.

   <Filter operation="EQ" property="extGeography"  value="Global"/>

Please make sure to test this properly in a local environment before trying it in the Production environment.

2 Likes

Thanks Remold.

In our case we want to search on Entitlement extended attribute ant based on identity attribute.

Thanks Jarin for quick response. This works perfectly.

2 Likes

I’m fascinated that this query only joins on spt_identity_entitlement once.

:sweat_smile: It is only performing a subquery on spt_identity_entitlement, something like the example below:

select * from identityiq.spt_identity_entitlement where value in (select value from identityiq.spt_managed_attribute where extended1 ='Global');
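
Added example, not part of the thread or of any SailPoint code: the subquery shape in the SQL above matches on the entitlement value alone, so this sketch runs that shape, and a variant whose subquery is also scoped by application and attribute name, against constructed in-memory tables. Only `value` and `extended1` come from the thread; the simplified table layout, the other column names and every row are assumptions, so confirm the behaviour against real data before relying on it.

```python
import sqlite3

# Constructed, simplified stand-ins for spt_managed_attribute and
# spt_identity_entitlement. 'Helpdesk' exists in two applications but is
# flagged 'Global' only in the HR application.
SCHEMA = """
CREATE TABLE managed_attribute (application TEXT, attribute TEXT, value TEXT, extended1 TEXT);
CREATE TABLE identity_entitlement (identity TEXT, application TEXT, name TEXT, value TEXT);
INSERT INTO managed_attribute VALUES
  ('Prism', 'groups', 'Finance',  'Global'),
  ('Prism', 'groups', 'Helpdesk', 'Local'),
  ('HR',    'groups', 'Helpdesk', 'Global');
INSERT INTO identity_entitlement VALUES
  ('alice', 'Prism', 'groups', 'Finance'),
  ('bob',   'Prism', 'groups', 'Helpdesk'),
  ('carol', 'HR',    'groups', 'Helpdesk');
"""

# Same shape as the SQL quoted in the thread: the subquery returns values only.
VALUE_ONLY = """
SELECT DISTINCT identity FROM identity_entitlement ie
WHERE ie.application = :app AND ie.name = :attr
  AND ie.value IN (SELECT value FROM managed_attribute WHERE extended1 = :flag)
ORDER BY identity"""

# Variant: the subquery is correlated on application and attribute name too.
SCOPED = """
SELECT DISTINCT identity FROM identity_entitlement ie
WHERE ie.application = :app AND ie.name = :attr
  AND ie.value IN (SELECT ma.value FROM managed_attribute ma
                   WHERE ma.extended1 = :flag
                     AND ma.application = ie.application
                     AND ma.attribute = ie.name)
ORDER BY identity"""

def members(query, app="Prism", attr="groups", flag="Global"):
    """Return the identities the given query places in the population."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(query, {"app": app, "attr": attr, "flag": flag}).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print("value-only subquery:", members(VALUE_ONLY))
    print("scoped subquery:    ", members(SCOPED))
```

In this constructed data, bob lands in the Prism population under the value-only subquery because another application flags a group with the same value; the scoped variant returns only alice.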

@Jarin_James is our filter guru :slight_smile:

From this moment I stop responding to filter/report questions :stuck_out_tongue_winking_eye:

1 Like

@Remold , It was just a lucky guess :rofl:

2 Likes

FYI, you can use my Query Plugin to translate back and forth between filter strings, HQL, and SQL. It’s an easy way to see what your Filter is actually doing on the back-end, with the caveat that filters don’t always actually run a query.

Here’s how your Filter translates, which surprised me!

2 Likes
