Hi,
I’m trying to build a form where users can order removal of their own entitlements, since it is not possible for managers to order removal of entitlements, only of access profiles and roles.
How do I search in the search view to find all entitlements that a user is member of?
Hello @iamjenny,
Welcome back to the Developer Community!
Regarding your question—could you please clarify the context in which you believe entitlements cannot be removed? While certifications can indeed be removed, entitlements can typically be removed as well.
To retrieve the entitlements of a user, you can simply use the following search query:
displayName:john.smith
Then, select the entitlements object from the results.
Let me know if you need further information on this!
Hi,
Yes, it also works to create a certification, but then someone has to create a certification every time a user wants to remove an entitlement.
The search you mentioned doesn’t work. It gives me all existing entitlements as a result. I only want the entitlements that the user is a member of.
Yes! You are right!
I cannot see any search query to get the entitlements associated with a user.
Based on my understanding, this might be achievable with the flow below:
Interactive Trigger → Interactive Form1 which collects Identity Data → HTTP action to get the entitlementIds of this Identity → use these entIds in InteractiveForm2, which displays entitlements using the previously collected ids (making use of formInput variables in search filters) → end
To find all entitlements that a user is a member of, the HTTP Request Action can be used with the API below:
search-post | SailPoint Developer Community
Body:
{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "name:\"<uid>\"",
    "fields": [
      "*"
    ]
  },
  "queryResultFilter": {
    "includes": [
      "access"
    ]
  }
}
This will retrieve all the Access Profiles, Roles, and Entitlements assigned to the user.
To filter and get only the Entitlements, apply a filter in the JSON path of the variable used for the HTTP Request Response, something like: $.hTTPRequest.body[*].access[?(@.type=="ENTITLEMENT")]. Adjust it as needed based on the response obtained.
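The request body and the JSONPath filter from the two posts above, carried through in Python as an added example (not code from the thread or from SailPoint): it builds the search body for a given uid, escaping quote and backslash characters before they are interpolated into the query string (assumption: the search API follows the usual backslash-escaping rules for phrase queries), and reduces a constructed sample response to the ENTITLEMENT ids that the second form would consume. The ids and names in the sample are placeholders, not real values.

```python
import json


def build_entitlement_search_body(uid: str) -> dict:
    """Body for the search-post API that returns only the 'access' block
    of the identity whose name matches uid."""
    # The uid lands inside a quoted phrase, so escape backslashes and quotes
    # first; assumption: the API uses backslash escaping for phrase queries.
    escaped = uid.replace("\\", "\\\\").replace('"', '\\"')
    return {
        "indices": ["identities"],
        "query": {"query": f'name:"{escaped}"', "fields": ["*"]},
        "queryResultFilter": {"includes": ["access"]},
    }


def entitlements_from_response(body: list) -> list:
    """Equivalent of the JSONPath filter
    $.hTTPRequest.body[*].access[?(@.type=="ENTITLEMENT")]
    applied to the decoded response array."""
    return [
        item
        for identity in body
        for item in identity.get("access", [])
        if item.get("type") == "ENTITLEMENT"
    ]


def entitlement_ids(body: list) -> list:
    """Ids to feed into the second form's search filter."""
    return [e["id"] for e in entitlements_from_response(body)]


# Constructed sample response: one identity holding a role, an access
# profile and two entitlements (all ids are placeholders).
SAMPLE_RESPONSE = json.loads("""
[
  {"name": "john.smith",
   "access": [
     {"type": "ROLE", "id": "role-0001", "name": "Finance Analyst"},
     {"type": "ACCESS_PROFILE", "id": "ap-0001", "name": "ERP Basic"},
     {"type": "ENTITLEMENT", "id": "ent-0001", "name": "GL_READ"},
     {"type": "ENTITLEMENT", "id": "ent-0002", "name": "AP_WRITE"}
   ]}
]
""")

if __name__ == "__main__":
    print(json.dumps(build_entitlement_search_body("john.smith"), indent=2))
    print(entitlement_ids(SAMPLE_RESPONSE))  # ['ent-0001', 'ent-0002']
```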
Just to add here, even if you were to try access removal via certifications, this cannot be done by the user themselves. The certification would be redirected to another user (f.i. line manager).
Do you think a user will ever submit a request to remove their own access?
Yes, they do. Since we went live with ISC that is the most common question we get from the users.
I think the only option for now would be to create a launcher that triggers a workflow; then you can use that form to show the user the source/attribute type, then the entitlement, and then give them the ability to remove the access.
Hi Jenny,
A simple workaround we are using is to submit another access request with an end date, until the feature to allow everyone, not only managers, to request access removal arrives (Allow revoke requests on behalf of Everyone | SailPoint Ideas Portal).
Secondly, you can’t search for entitlements belonging to a user in the search UI, as the members/identities inside an access/entitlement are not searchable. What you can do is an innerHit using the "search" API: search-post | SailPoint Developer Community. Here is an example body for the POST request:
{
  "indices": [
    "identities"
  ],
  "query": {
    "query": "\"John Doe\"",
    "innerHit": {
      "type": "access",
      "query": "source.name:(\"Application 1\" OR \"Application 2\" OR \"Application 3\")"
    }
  }
}
You can explore other ways to query to get all access; do share if you find a better query.
Take a look at this, Enhancement: Access Revocation! - Announcements / Product News - SailPoint Developer Community
Not sure why that took 10 years, but really glad it’s here now.
Thank you for making me aware of this new feature! That would really solve our issue. Then we do not need to solve it with our forms-workaround where we trigger a certification campaign on all accesses the user has.