How to make Entitlement requestable "true" during AD group aggregation

Please consider addressing the following when creating your topic:

  • What have you tried? AD group aggregation. Entitlements are created as non-requestable.
  • What errors did you face (share screenshots)? requestable is false.
  • Share the details of your efforts (code / search query, workflow json etc.)?
  • What is the result you are getting and what were you expecting? During group aggregation or any automated process, I want to set requestable to true for all entitlements.
    There is an option to set requestable to true in the UI, but this is a manual process; I am looking for an automated process.

Hello Sandeep,
This is what I found:
By default, SailPoint ISC’s AD group aggregation does not automatically set requestable = true on imported entitlements (such as AD groups). The UI option (editing individual entitlements to set requestable = true) is manual and not scalable for large environments.

You can try this:
Since aggregation itself doesn’t have a built-in setting to mark entitlements as requestable, you can:

  • Post-aggregation rule / workflow: Set up a workflow (or rule, if supported in your tenant) that runs after aggregation and updates all entitlements where requestable = false to true.
  • API automation: Use the ISC REST API (or beta Graph API) to:
    • Search for entitlements with requestable = false
    • Update their metadata in bulk to set requestable = true

Hope this helps!!

1 Like

OK. I cannot use a rule, as it's not a straightforward deployment.

That means we have only the manual option to update this attribute, either via the UI or the API.

1 Like

Hi @tsandeepsTDC,

You can consider using a workflow to achieve this.

  1. Set up a WF with a scheduled trigger, running after your aggregation timing.
  2. The next step would be an HTTP action that runs a search query, fetching the entitlements marked as non-requestable. The search body would look something like the below:
{
    "indices": [
        "entitlements"
    ],
    "query": {
        "fields": [
            "name"
        ],
        "query": "source.name:\"ActiveDirectory\" AND requestable:false"
    },
    "queryResultFilter": {
        "includes": [
            "id",
            "name"
        ]
    }
}
  3. Loop through each of these entitlements and then use an HTTP action inside the loop to patch each entitlement with this API to mark the entitlements as requestable.

Be aware that loops within a workflow have a limit on how many items they can have. I believe it is 250.

Use the below API to do the change.

Body:
[
    {
        "op": "replace",
        "path": "/requestable",
        "value": true
    }
]

2 Likes
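The search-then-patch flow from the replies above, written as a standalone script; this is an added example, not code from the thread or from SailPoint. The endpoint paths `/v3/search` and `/beta/entitlements/{id}`, the `sort` key, the tenant base URL and bearer token, and the `PROTECTED` deny list of privileged AD groups are assumptions to check against your tenant's API documentation.

```python
import json
import urllib.request

# Search body from the reply above, plus a sort key so paging is stable.
SEARCH_BODY = {
    "indices": ["entitlements"],
    "query": {"fields": ["name"],
              "query": 'source.name:"ActiveDirectory" AND requestable:false'},
    "queryResultFilter": {"includes": ["id", "name"]},
    "sort": ["id"],
}
PATCH_BODY = [{"op": "replace", "path": "/requestable", "value": True}]
# Assumption: constructed deny list of groups that must stay non-requestable.
PROTECTED = {"domain admins", "enterprise admins", "schema admins"}


def http_json(method, url, token, body, ctype="application/json"):
    """Send one JSON request with a bearer token (standard library only)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def find_non_requestable(base_url, token, call=http_json, page_size=250):
    """Collect every match first; patching while paging would shift offsets."""
    found, offset = [], 0
    while True:
        url = f"{base_url}/v3/search?limit={page_size}&offset={offset}"
        page = call("POST", url, token, SEARCH_BODY) or []
        found.extend(page)
        if len(page) < page_size:
            return found
        offset += page_size


def mark_requestable(base_url, token, call=http_json, page_size=250, dry_run=True):
    """Return (ids patched or to patch, names skipped as protected)."""
    patched, skipped = [], []
    for ent in find_non_requestable(base_url, token, call, page_size):
        if ent["name"].strip().lower() in PROTECTED:
            skipped.append(ent["name"])
            continue
        if not dry_run:
            call("PATCH", f"{base_url}/beta/entitlements/{ent['id']}",
                 token, PATCH_BODY, "application/json-patch+json")
        patched.append(ent["id"])
    return patched, skipped
```

With the default `dry_run=True` the function only reports what it would change, so the skipped and to-be-patched lists can be reviewed before any entitlement becomes requestable.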
