When managing identities within SailPoint, one common requirement is to identify “inactive identities” that still have an “active link” to a specific application. In this example, we can use the XML-based filter to create a Population that matches this criterion for the “Test application”.
Below is the XML filter used to define the population and the breakdown of its components:
```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE GroupDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<GroupDefinition indexed="true" name="Population_Identities_with_Active_Link" private="true">
  <Description>Population evaluated for checking Housekeep.</Description>
  <GroupFilter>
    <CompositeFilter operation="AND">
      <Filter operation="EQ" property="inactive">
        <Value>
          <Boolean>true</Boolean>
        </Value>
      </Filter>
      <Filter joinProperty="Link.identity.id" operation="JOIN" property="id"/>
      <CompositeFilter operation="AND">
        <Filter operation="EQ" property="Link.application.name" value="Test-Application"/>
        <Filter matchMode="START" operation="LIKE" property="Link.disabledAccount" value="false"/>
      </CompositeFilter>
      <Filter ignoreCase="true" operation="EQ" property="links.application.name" value="Test-Application"/>
    </CompositeFilter>
  </GroupFilter>
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
</GroupDefinition>
```
Key Details of the Filter:

- Inactive Identities:
  The filter begins by selecting identities where the inactive property is set to true:

```xml
<Filter operation="EQ" property="inactive">
  <Value>
    <Boolean>true</Boolean>
  </Value>
</Filter>
```

- Identity and Link Join:
  A join operation connects the Identity object to its corresponding Link objects:

```xml
<Filter joinProperty="Link.identity.id" operation="JOIN" property="id"/>
```

- Active Link for the Test-Application Application (replace with the required application name):
  The composite filter ensures that the application name is Test-Application (specific to this example) and that the Link.disabledAccount property starts with false (indicating an active link):

```xml
<CompositeFilter operation="AND">
  <Filter operation="EQ" property="Link.application.name" value="Test-Application"/>
  <Filter matchMode="START" operation="LIKE" property="Link.disabledAccount" value="false"/>
</CompositeFilter>
```

- Case-Insensitive Check:
  A final filter ensures that the application name is matched in a case-insensitive manner:

```xml
<Filter ignoreCase="true" operation="EQ" property="links.application.name" value="Test-Application"/>
```
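To check how these clauses combine before importing the population, here is an added Python example (not SailPoint code) that parses the same CompositeFilter and applies its EQ, JOIN and LIKE semantics to a few constructed identity and link rows. It assumes that EQ without ignoreCase compares case-sensitively, which in a real deployment depends on the database collation, and that Link.disabledAccount is stored as the string "false" for an enabled account.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows; each link is (application name, disabledAccount as stored).
IDENTITIES = [
    {"id": "u1", "inactive": True,  "links": [("Test-Application", "false")]},
    {"id": "u2", "inactive": True,  "links": [("Test-Application", "true")]},
    {"id": "u3", "inactive": False, "links": [("Test-Application", "false")]},
    {"id": "u4", "inactive": True,  "links": [("test-application", "false")]},
    {"id": "u5", "inactive": True,  "links": [("Other-App", "false")]},
]

# The <CompositeFilter> from the population above, embedded so the script runs offline.
GROUP_FILTER = """<CompositeFilter operation="AND">
<Filter operation="EQ" property="inactive"><Value><Boolean>true</Boolean></Value></Filter>
<Filter joinProperty="Link.identity.id" operation="JOIN" property="id"/>
<CompositeFilter operation="AND">
<Filter operation="EQ" property="Link.application.name" value="Test-Application"/>
<Filter matchMode="START" operation="LIKE" property="Link.disabledAccount" value="false"/>
</CompositeFilter>
<Filter ignoreCase="true" operation="EQ" property="links.application.name" value="Test-Application"/>
</CompositeFilter>"""

# Filter property path -> accessor over one joined (identity, link) row.
PROPS = {
    "inactive": lambda i, l: str(i["inactive"]).lower(),
    "Link.application.name": lambda i, l: l[0],
    "links.application.name": lambda i, l: l[0],
    "Link.disabledAccount": lambda i, l: l[1],
}

def matches(node, identity, link):  # evaluate one filter node against one joined row
    if node.tag == "CompositeFilter":
        combine = all if node.get("operation") == "AND" else any
        return combine(matches(child, identity, link) for child in node)
    op = node.get("operation")
    if op == "JOIN":
        return True  # the join is realised by iterating each identity's links below
    actual = PROPS[node.get("property")](identity, link)
    expected = node.get("value") or node.findtext("Value/Boolean").strip().lower()
    if node.get("ignoreCase") == "true":
        actual, expected = actual.lower(), expected.lower()
    if op == "EQ":
        return actual == expected  # assumption: case-sensitive unless ignoreCase is set
    if op == "LIKE" and node.get("matchMode") == "START":
        return actual.startswith(expected)
    raise ValueError(f"unsupported filter operation: {op}")

def population_members(identities, filter_xml=GROUP_FILTER):
    """Ids of identities with at least one link that satisfies the whole filter."""
    root = ET.fromstring(filter_xml)
    return [i["id"] for i in identities
            if any(matches(root, i, link) for link in i["links"])]
```

Running `population_members(IDENTITIES)` returns only `u1`: the disabled link (u2), the active identity (u3), the lower-case application name rejected by the exact EQ clause (u4) and the other application (u5) are all excluded.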
How to Use This Filter in SailPoint

- Upload as a Population:
  Navigate to Setup > Populations in the SailPoint Admin interface.
  Import the XML definition or manually create a population using the above logic.
- Evaluate Population:
  Once uploaded, you can evaluate the population to identify all inactive identities with active links to the “Test-Application”.
- Next Steps:
  Use this population for housekeeping tasks, audits, or as part of broader workflows.
Use Case Example
This approach is valuable when auditing inactive identities to ensure compliance and avoid orphaned access. By identifying inactive users with active application links, you can:
1. Disable unnecessary access.
2. Reduce risks associated with inactive users retaining system access.
3. Clean up stale accounts in your environment.
Conclusion
This XML filter and approach simplify identifying inactive identities tied to active applications in SailPoint. It not only improves governance but also streamlines the cleanup process. You can customize the application name and other parameters as per your organisational needs.
Let me know if you have specific questions or need further clarifications!