How to get custom report in UAR for campaign filters that are built using API from backend

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hi,

We have been recently moved to Sailpoint IDN where we have limited license (we do not have license for service account identity module). we have one scenario to exclude inactive service accounts. We achieved this via sailpoint API from back end by configuring AND condition to filter for privileged permissions. But the issue is when we download composition report the exclusion condition is not reflecting whereas when we remove that custom filter from back end and create a new filter in UI using OR condition we were able to fetch all OR conditions in composition report(but we were not able to filter inactive service accounts when we create OR filter in UI).

Is there any way can we include AND condtion filters in the composition report or can we make a custom report . Below is an example.

Old report with OR condition

image
image1560×200 21.7 KB

New report with AND condition

image
image1556×199 14.2 KB

Kindly suggest

2

Hey Preethi, I looked into this & here is what I found.

Your API-created COMPOSITE / AND filter is most likely being applied correctly that matches what you are seeing: inactive service accounts are excluded from the campaign. The gap is only in the report output.

The UI campaign filter builder is OR-based, and the Campaign Composition Report only exposes summary fields like Campaign Filter Name, Filter Type, Search Terms, and Filter Description. It doesn’t print the full backend criteriaList / COMPOSITE structure. So I don’t see a supported native way to force the standard report to show API-created AND logic. This looks like a report rendering limitation, not a filter execution issue.

On your second question about a custom report: yes, but not inside ISC natively. You would need to build it externally using the APIs. Colin from SailPoint pointed to this same pattern: call the needed APIs, transform the output, generate your own CSV. He did a full walkthrough at Developer Days 2023 with code on GitHub.

Three options to try:

1. Keep the API filter, document it separately: Pull the filter JSON and attach it alongside the composition report as your audit record:

GET /v2025/campaign-filters/{filterId}

The criteriaList in that response is the source of truth for the AND condition configured.

2. Build a custom report externally via API : Trigger the report, pull the output, stitch it with the filter definition in your own CSV:

POST /v2025/campaigns/{campaignId}/run-report/CAMPAIGN_COMPOSITION_REPORT
GET /v2025/campaigns/{campaignId}/reports

Ref: Get Campaign Reports | Run Campaign Report

3. Rebuild as a Search-based campaign: For Search-created campaigns, the composition report has a dedicated Search Terms column that shows the query. If audit needs the filter logic visible in the standard report itself and your exclusion logic can be expressed as a search query, this is the cleanest path.

Short answer to both your questions: no, the standard composition report won’t show API-created AND/COMPOSITE logic natively. Yes, you can make a custom report, but it has to be external using the campaign APIs.

3

Hi,

Interesting scenario.

From what you described, it looks like the composition report is not picking up the backend API filter logic the same way as the UI-defined filters. I’ve also seen cases where custom filters applied via API don’t fully reflect in standard reports, especially when using AND conditions.

The fact that OR conditions work in the UI but AND conditions don’t behave the same way suggests there might be a limitation in how the composition report processes filter logic.

For your use case (excluding inactive service accounts + privileged access), a custom report or alternative approach might be more reliable, especially if you need more control over complex conditions.

Just to check — are you using any identity attributes (like account status or type) that could be leveraged in a simpler filter, or is everything dependent on entitlement logic?

Thanks!

4

Hi Harish,

Thanks for the Explanation.

I tried to fetch custom report via postman.

I am getting 404 error in POST method

GET method is success but not sure how do we download that report.

Any idea on this.

Thanks

5

Hi,

We are not using Identity attribute as we Service accounts are not configured as Identity cube.

Instead, we achieve this UAR via uncorrelated item where we filter Application account attribute and permissions.

Thanks

6

Hello Preethi,

On the 404 with POST: The most common cause is using the wrong ID in the URL. The endpoint should be:

POST /v2025/campaigns/{campaignId}/run-report/CAMPAIGN_COMPOSITION_REPORT

Make sure the ID you are passing is the campaign ID, not a template ID. Also worth confirming the report type string is exactly CAMPAIGN_COMPOSITION_REPORT, including casing. A successful call should return 202 Accepted and just queues the generation. No file comes back immediately.

On downloading from the GET: The GET returning metadata is actually expected behavior. The full flow should be:

Step 1: Trigger the report

POST /v2025/campaigns/{campaignId}/run-report/CAMPAIGN_COMPOSITION_REPORT

Step 2: Get the report metadata and grab the taskResultId

GET /v2025/campaigns/{campaignId}/reports

Step 3: Download the file using that taskResultId

GET /v2025/reports/{taskResultId}

This should return the report as a CSV by default. Just give it a little time after the POST before hitting the download, as the report needs to finish generating in the background first.

Ref: Run Campaign Report | Get Campaign Reports | Get Report File

7

Hi Harish,

Thanks! I am not getting error in dev environment but When I hit the same in prod, getting below error in postman

POST https://undefined.api.identitynow.com/oauth/token

TypeError: Cannot read properties of undefined (reading ‘json’)

I tried checking the pre-req, post-req but still error throws.

8

I took a look at the error & I think I know what might be happening here.

The request URL showing as https://undefined.api.identitynow.com/oauth/token is usually a sign that the tenant variable in your Postman environment is not set for prod. It is resolving as undefined instead of your actual tenant name.

A few things worth checking in Postman:

  • Make sure you have the prod environment selected in the top right environment dropdown, not dev

  • Open that prod environment and check if the tenant or base URL variable is actually populated

  • The URL should look something like https://{yourTenant}.api.identitynow.com

The TypeError: Cannot read properties of undefined (reading 'json') is likely a follow-on error from the failed token call. Once the tenant variable is set correctly and the token call goes through, that error should clear up as well.

Since it works in dev, the dev environment probably already has that variable set. Prod just needs the same variable populated with the correct tenant name.