How to find empty roles in ISC via API call

Hi everyone,

I’m trying to find all the roles in SailPoint ISC that don’t have any identities assigned. Can you please let me know how to find them via an API call?

Thanks,
Abhijit

Hello @abhijit_shekki,

I believe we cannot directly make one API call to get roles with no identities. What we can do is
use this endpoint to get all identities assigned to one role:
{{baseUrl}}/roles/:id/assigned-identities?count=true where :id is the ID of the role.

This API returns all identities associated with the role; the API response header will contain the count, which is the number of records returned for the API call. If the count is 0, the number of identities assigned to the role is 0.

This way, you can find whether a role is assigned to identities or not. To get all roles, you have to use a script which iterates through all roles and sorts out those roles whose assigned-identities count is 0.

Previously there used to be a cc API which gave the IdentityCount of a role, but it is now deprecated.

Hope this helps!
Thanks,
Sid

@sidharth_tarlapally - Thank you for the quick response. I’ll look into it.

On the PowerShell SDK side, this one-liner (named -Id parameter, and $null on the left of -eq so an empty result array compares correctly):
Invoke-Paginate -Function "Get-V2024Roles" | ForEach-Object { if ($null -eq (Get-V2024RoleAssignedIdentities -Id $_.id)) { Write-Host "$($_.name) has no member" } }

Not the most efficient way, but quick and dirty if that’s all you need.

@abhijit_shekki -

To find all roles without any identities assigned in SailPoint Identity Security Cloud (ISC / IdentityNow), you can use the Search API to:

  1. Get all roles.
  2. For each role, check if it has assigned identities using the access search.

Here’s a full approach with an example Postman script you can use.


Step-by-Step API Logic

  1. Get all roles:

    GET /v3/roles
    
  2. For each role, run a search to check if any identities have it:

    POST /v3/search
    Body:
    {
      "query": "access(role.id:<ROLE_ID>)",
      "indices": ["identities"]
    }
    
  3. If the response has count = 0, then no identity is assigned to that role.


Postman Script (Pre-request + Tests tab logic)

You can set this up in Postman as follows:


Step 1: Create a collection-level environment with variables

Create the applicable SailPoint ISC environment variables along with some custom variables for this purpose in Postman:

  • access_token → Your bearer token (set manually or use OAuth 2.0 flow)
  • base_url → https://<tenant>.api.identitynow.com
  • unassignedRoles → (leave empty, script will populate)
  • rolesToCheck → Will be set by pre-request script
  • currentIndex → Start with 0

Request: Get All Roles

Method: GET
URL: {{base_url}}/v3/roles

Authorization: Bearer Token → {{access_token}}

Tests Tab:

// NOTE: /v3/roles is paginated (50 records by default, at most 250 per call with
// ?limit=250); for tenants with more roles, loop with ?offset= and append to idsToCheck.
const roles = pm.response.json();
let idsToCheck = [];

roles.forEach(role => {
    idsToCheck.push({ id: role.id, name: role.name });
});

pm.environment.set("rolesToCheck", JSON.stringify(idsToCheck));
pm.environment.set("unassignedRoles", JSON.stringify([]));
pm.environment.set("currentIndex", "0");

console.log("Roles loaded:", idsToCheck.length);

Request: Check if Role is Assigned to Any Identity

Method: POST
URL: {{base_url}}/v3/search

Body (raw → JSON):

{
  "query": "access(role.id:{{roleId}})",
  "indices": ["identities"]
}

Pre-request Script:

let roles = JSON.parse(pm.environment.get("rolesToCheck") || "[]");
let index = parseInt(pm.environment.get("currentIndex") || "0");

if (index >= roles.length) {
    postman.setNextRequest(null); // End loop
} else {
    let currentRole = roles[index];
    pm.environment.set("roleId", currentRole.id);
    pm.environment.set("currentRoleName", currentRole.name);
}

Tests Tab:

// /v3/search returns a bare JSON array of identity hits, so there is no
// "count" property on the body; use the array length (or send ?count=true
// and read the X-Total-Count header). A non-200 response must not look like 0,
// otherwise every failed lookup would be reported as an empty role.
if (pm.response.code !== 200) {
    throw new Error("Search failed: HTTP " + pm.response.code);
}
let results = pm.response.json();
let count = Array.isArray(results) ? results.length : 0;
let index = parseInt(pm.environment.get("currentIndex"));
let roles = JSON.parse(pm.environment.get("rolesToCheck"));
let unassigned = JSON.parse(pm.environment.get("unassignedRoles"));

if (count === 0) {
    unassigned.push({
        id: roles[index].id,
        name: roles[index].name
    });
    pm.environment.set("unassignedRoles", JSON.stringify(unassigned));
    console.log("No identity found for role:", roles[index].name);
}

index += 1;
pm.environment.set("currentIndex", index.toString());

if (index < roles.length) {
    postman.setNextRequest("Check if Role is Assigned to Any Identity");
} else {
    console.log("Completed. Unassigned Roles:");
    console.log(unassigned);
    postman.setNextRequest(null);
}

Final Step

After this looping script completes, check the unassignedRoles environment variable for all unassigned roles.

You can extract it via:

console.log(JSON.parse(pm.environment.get("unassignedRoles")));

Or copy/export it from the environment variables tab.


Cheers!!!

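An added example, not code from the thread or from SailPoint, that implements both checks discussed above as a plain Python script against the v3 REST API: Sid's /v3/roles/:id/assigned-identities?count=true header check, and the /v3/search query form from the Postman answer, with /v3/roles walked via limit/offset so tenants with more than one page of roles are covered and a role deleted between listing and checking (HTTP 404) is skipped rather than miscounted. The get/post client interface, the FakeTenant class, and the role IDs and names are constructed stand-ins so the code runs offline; only the paths, query parameters and the X-Total-Count header that count=true produces are taken as given.

```python
"""Find ISC roles with zero assigned identities over the v3 REST API.

Added example, not code from the thread or from SailPoint. It assumes a
minimal client with get(path, params) and post(path, params, body), each
returning (status, headers, body); FakeTenant is a constructed stand-in so
the logic runs offline. A real client would prepend
https://<tenant>.api.identitynow.com and set the Authorization header.
"""
import re
from typing import Iterator, List, Optional


def paginate(client, path: str, limit: int = 250) -> Iterator[dict]:
    """Walk a v3 list endpoint with limit/offset until a short page arrives.
    /v3/roles returns 50 records by default and at most 250 per call, so a
    single GET silently truncates larger tenants."""
    offset = 0
    while True:
        status, _headers, page = client.get(path, {"limit": limit, "offset": offset})
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        yield from page
        if len(page) < limit:
            return
        offset += limit


def assigned_count(client, role_id: str) -> Optional[int]:
    """Endpoint approach: request one record with count=true and read
    X-Total-Count, so no member list is downloaded. Returns None when the
    role no longer exists (deleted between listing and checking)."""
    status, headers, _body = client.get(
        f"/v3/roles/{role_id}/assigned-identities", {"count": "true", "limit": 1})
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"assigned-identities for {role_id} returned HTTP {status}")
    return int(headers["X-Total-Count"])


def search_count(client, role_id: str) -> int:
    """Search approach with the query form used in the thread. The body is a
    bare array (no 'count' key), so the total comes from X-Total-Count."""
    body = {"query": f"access(role.id:{role_id})", "indices": ["identities"]}
    status, headers, _hits = client.post("/v3/search", {"count": "true", "limit": 1}, body)
    if status != 200:
        raise RuntimeError(f"search for role {role_id} returned HTTP {status}")
    return int(headers["X-Total-Count"])


def find_empty_roles(client, use_search: bool = False, page_size: int = 250) -> List[dict]:
    """Return [{'id', 'name'}] for every role whose member count is exactly 0."""
    empty = []
    for role in paginate(client, "/v3/roles", page_size):
        n = search_count(client, role["id"]) if use_search else assigned_count(client, role["id"])
        if n == 0:
            empty.append({"id": role["id"], "name": role["name"]})
    return empty


class FakeTenant:
    """Constructed stand-in for the three endpoints; shapes mimic the v3 API."""

    def __init__(self, roles: List[dict]):
        self._roles = {r["id"]: r for r in roles}

    @staticmethod
    def _page(items, params):
        offset, limit = int(params.get("offset", 0)), int(params.get("limit", 50))
        return items[offset:offset + limit]

    def _members(self, role_id):
        role = self._roles.get(role_id)
        return None if role is None else [{"id": i, "name": i} for i in role["members"]]

    def get(self, path: str, params: dict):
        if path == "/v3/roles":
            roles = [{"id": r["id"], "name": r["name"]} for r in self._roles.values()]
            return 200, {"X-Total-Count": str(len(roles))}, self._page(roles, params)
        m = re.fullmatch(r"/v3/roles/([^/]+)/assigned-identities", path)
        members = self._members(m.group(1)) if m else None
        if members is None:
            return 404, {}, {"detailCode": "404 Not found"}
        return 200, {"X-Total-Count": str(len(members))}, self._page(members, params)

    def post(self, path: str, params: dict, body: dict):
        m = re.fullmatch(r"access\(role\.id:([^)]+)\)", body.get("query", ""))
        members = self._members(m.group(1)) if path == "/v3/search" and m else None
        if members is None:
            return 400, {}, {"detailCode": "400 Bad request"}
        return 200, {"X-Total-Count": str(len(members))}, self._page(members, params)


# Constructed tenant: three roles, one of them with nobody in it.
SAMPLE_ROLES = [
    {"id": "2c91808a0001", "name": "Finance Analyst", "members": ["id-1", "id-2"]},
    {"id": "2c91808a0002", "name": "Legacy VPN", "members": []},
    {"id": "2c91808a0003", "name": "Helpdesk", "members": ["id-3"]},
]

if __name__ == "__main__":
    tenant = FakeTenant(SAMPLE_ROLES)
    for r in find_empty_roles(tenant, page_size=2):  # page_size=2 forces two pages
        print(f"{r['name']} ({r['id']}) has no members")
```

Requesting limit=1 together with count=true keeps each per-role call cheap regardless of how many members the role has; the total comes from the header, not from the body. Wrapping the tenant behind get/post also makes the script unit-testable before it is ever pointed at a production tenant with a real bearer token.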

Thank you for the response. It’s working for me.
