How to identify entitlements auto‑assigned via Role Criteria in SailPoint ISC?

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

In SailPoint Identity Security Cloud (ISC), is there any way to view or extract a list of entitlements that are automatically assigned through role criteria?

  1. Is there an out‑of‑the‑box UI option or report that shows entitlements added due to role criteria?
  2. Or is Role Preview / Identity Access view the only way to validate these assignments?
  3. Are any APIs the recommended approach if we want to generate a consolidated list?
2

@ROHPU normaly the standalone parameter on entitlements determine if an entitlement is part of Access profile or Roles or if it is only assigned alone :

Example of query :

UI

@access(standalone:true)

API :

{
    "query": {
        "query": "@access(standalone:true AND type:\"ENTITLEMENT\")"
    },
    "indices": [
        "identities"
    ],
    "includeNested": true,
    "queryResultFilter": {
        "includes": [
            "name",
            "id",
            "access"
        ]
    }
}
3

Hi @ROHPU ,

What I have observed is if you have the list of entitlements you want to check, then try generating a certification campaign and the status report will only show the results which are individually assigned for you to compare the difference.

4

@baoussounda Thank you for the reply. However, the UI query only returns the list of identities that match the criteria and does not provide the corresponding entitlement list that is auto‑assigned through the role.

Could you please advise if there is a way to extract or view the entitlements associated with those identities (specifically the ones provisioned via role criteria), either through the UI, reports, or APIs?

5

@AsGoyal Thanks for the suggestion. However, I don’t have the exact entitlement names upfront.

6

Out‑of‑the‑Box Options

  • Role Preview: Shows what access (entitlements, access profiles) an identity will receive if the role is assigned.
  • Identity Access View: Displays the entitlements currently held by an identity, including those granted via roles.
  • Certification Campaigns: Can highlight individually assigned entitlements vs. those coming from roles, but this requires you to know the entitlements you want to check.

Limitation: These UI views are identity‑centric, not entitlement‑centric. They don’t produce a consolidated entitlement list across all roles.

There is no out‑of‑the‑box SailPoint ISC UI report that directly lists entitlements auto‑assigned via role criteria. The standard way to validate is through Role Preview or Identity Access views, but if you want a consolidated list, APIs are the recommended approach, which is already shared by @baoussounda

Practical Options

  • For quick validation: Use Role Preview and Identity Access view.
  • For reporting/automation: Use the Roles + Access Profiles APIs to build a consolidated entitlement list.

Conclusion

  • UI only → Role Preview / Identity Access view.
  • Reports → No native consolidated entitlement report exists.
  • Best practice → Use APIs to extract entitlements grouped by roles and access profiles, then generate your own consolidated list.
7

Hi @ROHPU ,

You have search criteria or how do you identify the entitlements of interest?

8

Hi @ROHPU

Once you’ve apply the filter on UI you can export the result by enable “Include Access Details” then you’ll find those list of entitlements in the report :

image
image1812×364 21.4 KB

Also by using the query provided with API you have the entitlements list :

image
image925×1232 57.8 KB

9

@baoussounda Thanks for the solution.

10

@AsGoyal I was trying to identify all entitlements and categorize them into standalone and non-standalone. However, I have now found the solution I was looking for.