Version
8.4
Goal & Question
Hi everyone,
I’m working on creating a custom XML report in IdentityIQ that lists entitlements assigned to each identity, but I want to exclude any entitlements that are assigned via birthright rules or roles.
Goal:
- Generate a report showing each identity and their entitlements.
- Exclude entitlements that were automatically provisioned via birthright roles (i.e., not directly assigned or requested).
Questions:
- Is there a way in the BeanShell or XML report definition to identify which entitlements were granted through birthright roles?
- Are there specific attributes or methods I can use to filter these out in the report logic?
Has anyone done this before or has suggestions on the best approach?
Thanks in advance!
Is it possible to modify the provisioning rule for LCM?
adding the name infront of it to classify that for birthrights access, and filter it on the report process?
anyone think this works, or knowing the better solutions, please help me
How I can do with this Identity Entitlement report?
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition created="1744132082338" executor="sailpoint.reporting.LiveReportExecutor" id="7f00010196161e778196165f8aa20255" modified="1746000737038" name="Identity Entitlements Detail Report" progressMode="Percentage" resultAction="Rename" subType="Identity and User Reports" template="true" type="LiveReport">
<Attributes>
<Map>
<entry key="report">
<value>
<LiveReport title="Identity Entitlements Report">
<DataSource objectType="IdentityEntitlement" type="Filter">
<QueryParameters>
<Parameter argument="identity" property="identity.id"/>
<Parameter argument="application" property="application.id"/>
<Parameter argument="attribute" property="name"/>
<Parameter argument="entitlementValue" property="value"/>
<Parameter argument="accountId" property="nativeIdentity"/>
<Parameter argument="instance" property="instance"/>
<Parameter argument="source" property="source"/>
<Parameter argument="aggregationState" property="aggregationState">
<QueryScript>
<Source>
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement.AggregationState;
import sailpoint.tools.Util;
// "null" indicates include all
if ( Util.getString((String)value) != null ) {
if ( Util.nullSafeEq("Connected", (String)value) ) {
queryOptions.addFilter(Filter.eq("aggregationState", AggregationState.Connected));
} else {
queryOptions.addFilter(Filter.eq("aggregationState", AggregationState.Disconnected));
}
}
return queryOptions;
</Source>
</QueryScript>
</Parameter>
<Parameter argument="type" property="type">
<QueryScript>
<Source>
import sailpoint.object.Filter;
import sailpoint.object.IdentityEntitlement.AggregationState;
import sailpoint.tools.Util;
// "null" indicates include all
if ( Util.getString((String)value) != null ) {
queryOptions.addFilter(Filter.eq("type", value));
}
return queryOptions;
</Source>
</QueryScript>
</Parameter>
<Parameter argument="allowed" property="allowed" valueClass="boolean"/>
<Parameter argument="assigned" property="assigned" valueClass="boolean"/>
<Parameter argument="grantedByRole" property="grantedByRole" valueClass="boolean"/>
<Parameter argument="assigner" property="assigner"/>
<Parameter argument="pendingRequest" property="pendingRequestItem">
<QueryScript>
<Source>
import sailpoint.object.*;
import sailpoint.tools.*;
// "null" indicates no value
if ( Util.getString((String)value) != null ) {
boolean bool = Util.otob(value);
if ( !bool )
queryOptions.addFilter(Filter.isnull(property));
else
queryOptions.addFilter(Filter.notnull(property));
}
return queryOptions;
</Source>
</QueryScript>
</Parameter>
<Parameter argument="currentRequest" property="requestItem">
<QueryScript>
<Source>
import sailpoint.object.*;
import sailpoint.tools.*;
// "null" indicates no value
if ( Util.getString((String)value) != null ) {
boolean bool = Util.otob(value);
if ( !bool )
queryOptions.addFilter(Filter.isnull(property));
else
queryOptions.addFilter(Filter.notnull(property));
}
return queryOptions;
</Source>
</QueryScript>
</Parameter>
<Parameter argument="pendingCertification" property="pendingCertificationItem">
<QueryScript>
<Source>
import sailpoint.object.*;
import sailpoint.tools.*;
// "null" indicates no value
if ( Util.getString((String)value) != null ) {
boolean bool = Util.otob(value);
if ( !bool )
queryOptions.addFilter(Filter.isnull(property));
else
queryOptions.addFilter(Filter.notnull(property));
}
return queryOptions;
</Source>
</QueryScript>
</Parameter>
<Parameter argument="certified" property="certificationItem">
<QueryScript>
<Source>
import sailpoint.object.*;
import sailpoint.tools.*;
// "null" indicates no value
if ( Util.getString((String)value) != null ) {
boolean bool = Util.otob(value);
if ( !bool )
queryOptions.addFilter(Filter.isnull(property));
else
queryOptions.addFilter(Filter.notnull(property));
}
return queryOptions;
</Source>
</QueryScript>
</Parameter>
</QueryParameters>
</DataSource>
<ReportForm>
<Reference class="sailpoint.object.Form" id="7f00010196161e778196165f8a820254" name="Identity Entitlements Report Search Fields"/>
</ReportForm>
<Columns>
<ReportColumnConfig field="identity" header="identity" property="identity.displayName" sortable="true" width="110"/>
<ReportColumnConfig field="application" header="label_application" property="application.name" sortable="true" width="110"/>
<ReportColumnConfig field="attribute" header="label_attribute" property="name" sortable="true" width="110"/>
<ReportColumnConfig field="value" header="entitlement" property="value" sortable="true" width="110"/>
<ReportColumnConfig field="displayValue" header="label_display_value" property="application.id" scriptArguments="name,value,type" width="110">
<RenderScript>
<Source>
import sailpoint.api.Explanator;
import sailpoint.api.Explanator.Explanation;
import sailpoint.api.ObjectUtil;
import sailpoint.object.ManagedAttribute.Type;
import sailpoint.object.Bundle;
import sailpoint.object.ProvisioningPlan;
import sailpoint.service.classification.ClassificationService;
import sailpoint.tools.Util;
String appId = (String) value;
// aka attribute
String name = (String) scriptArgs.get("name");
String val = (String) scriptArgs.get("value");
Type type = (Type) scriptArgs.get("type");
if (type != null && type == Type.Entitlement && appId != null && name != null) {
Explanation exp = Explanator.get(appId, name, val, type.name());
if (exp != null) {
return exp.getDisplayValue();
}
}
return null;
</Source>
</RenderScript>
</ReportColumnConfig>
<ReportColumnConfig field="accountId" header="account_name" property="nativeIdentity" skipLocalization="true" sortable="true" width="110"/>
<ReportColumnConfig field="accountDisplayName" header="account_display_name" property="displayName" skipLocalization="true" sortable="true" width="110"/>
<ReportColumnConfig field="instance" header="instance" property="instance" sortable="true" width="110"/>
<ReportColumnConfig field="source" header="identity_entitlements_source" property="source" sortable="true" width="110"/>
<ReportColumnConfig field="aggregationState" header="identity_entitlements_aggregation_state_display" property="aggregationState" width="110"/>
<ReportColumnConfig field="type" header="srch_input_def_entitlement_type" property="type" sortable="true" width="110"/>
<ReportColumnConfig field="allowed" header="identity_entitlements_allowed" property="allowed" sortable="true" width="110"/>
<ReportColumnConfig field="assigned" header="identity_entitlements_assigned" property="assigned" sortable="true" width="110"/>
<ReportColumnConfig field="grantedByRole" header="identity_entitlements_granted_by_role" property="grantedByRole" sortable="true" width="110"/>
<ReportColumnConfig field="assigner" header="identity_entitlements_assigner" property="assigner" sortable="true" width="110"/>
<ReportColumnConfig field="lastCertName" header="identity_entitlements_cert_last" property="certificationItem.parent.certification.name" sortable="true" width="110"/>
<ReportColumnConfig field="lastCertDate" header="identity_entitlements_cert_last_date" property="certificationItem.modified" sortable="true" width="110"/>
<ReportColumnConfig field="lastRequestId" header="identity_entitlements_request_id" property="requestItem.identityRequest.name" sortable="true" width="110"/>
<ReportColumnConfig field="classificationNames" header="rept_cert_col_classifications" property="application.id" scriptArguments="name,value,type" width="110">
<RenderScript>
<Source>
import sailpoint.api.Explanator;
import sailpoint.api.Explanator.Explanation;
import sailpoint.api.ObjectUtil;
import sailpoint.object.ManagedAttribute.Type;
import sailpoint.object.Bundle;
import sailpoint.object.ProvisioningPlan;
import sailpoint.service.classification.ClassificationService;
import sailpoint.tools.Util;
String appId = (String) value;
// aka attribute
String name = (String) scriptArgs.get("name");
String val = (String) scriptArgs.get("value");
Type type = (Type) scriptArgs.get("type");
// Check if it is representing a role
if (ProvisioningPlan.ATT_IIQ_DETECTED_ROLES.equals(name) ||
ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES.equals(name)) {
String classifiableId = ObjectUtil.getId(context, Bundle.class, val);
if (classifiableId != null) {
ClassificationService service = new ClassificationService(context);
return Util.listToCsv(service.getClassificationNames(Bundle.class, classifiableId));
}
}
// Otherwise it is an entitlement
else {
if (appId != null && name != null && type != null) {
Explanation exp = type == Type.Permission ?
Explanator.get(appId, name) :
Explanator.get(appId, name, val);
if (exp != null) {
return Util.listToCsv(exp.getClassificationDisplayableNames());
}
}
}
return null;
</Source>
</RenderScript>
</ReportColumnConfig>
<ReportColumnConfig field="elevatedAccess" header="label_elevated_access" property="application.id" scriptArguments="name,value,type" sortable="true" width="110">
<RenderScript>
<Source>
import sailpoint.api.Explanator;
import sailpoint.api.Explanator.Explanation;
import sailpoint.api.ObjectUtil;
import sailpoint.object.ManagedAttribute.Type;
import sailpoint.object.Bundle;
import sailpoint.object.ProvisioningPlan;
import sailpoint.service.classification.ClassificationService;
import sailpoint.tools.Util;
String appId = (String) value;
// aka attribute
String name = (String) scriptArgs.get("name");
String val = (String) scriptArgs.get("value");
Type type = (Type) scriptArgs.get("type");
if (type != null && type == Type.Entitlement && appId != null && name != null) {
Explanation exp = Explanator.get(appId, name, val, type.name());
return exp == null ? null : exp.isIiqElevatedAccess();
}
return null;
</Source>
</RenderScript>
</ReportColumnConfig>
</Columns>
</LiveReport>
</value>
</entry>
</Map>
</Attributes>
<Description>Displays identity/account entitlement information.</Description>
<RequiredRights>
<Reference class="sailpoint.object.SPRight" id="7f00010196161e778196165ef6900051" name="FullAccessIdentityEntitlementReport"/>
</RequiredRights>
<Signature>
<Inputs>
<Argument multi="true" name="identity" type="Identity">
<Description>Identities to include in the report</Description>
<Prompt>identities</Prompt>
</Argument>
<Argument multi="true" name="application" type="Application">
<Description>Applications to include in the report</Description>
<Prompt>applications</Prompt>
</Argument>
<Argument multi="true" name="attribute">
<Description>Attirubtes to include in the report</Description>
<Prompt>attribute</Prompt>
</Argument>
<Argument multi="true" name="entitlementValue">
<Description>Attirubtes to include in the report</Description>
<Prompt>attribute</Prompt>
</Argument>
<Argument name="accountId">
<Description>Account ids to include in the report</Description>
<Prompt>account_name</Prompt>
</Argument>
<Argument name="instance">
<Description>Instances to include</Description>
<Prompt>instance</Prompt>
</Argument>
<Argument name="source" type="string">
<Description>Include only Entitlements with a specific source</Description>
<Prompt>identity_entitlements_source</Prompt>
</Argument>
<Argument name="aggregationState" type="string">
<Description>Include only connected or disconnected entitlements</Description>
<Prompt>identity_entitlements_aggregation_state_display</Prompt>
</Argument>
<Argument name="type" type="string">
<Description>Include only certain types of permissions. Either Permission or Entitlement</Description>
<Prompt>srch_input_def_entitlement_type</Prompt>
</Argument>
<Argument name="allowed" type="string">
<Description>Include only allowed entitlements</Description>
<Prompt>identity_entitlements_role_allowed</Prompt>
</Argument>
<Argument name="assigned" type="string">
<Description>Include only entitlements that are assigned</Description>
<Prompt>identity_entitlements_assigned</Prompt>
</Argument>
<Argument name="assigner" type="string">
<Description>Include only entitlements that has an assigner</Description>
<Prompt>identity_entitlements_assigner</Prompt>
</Argument>
<Argument name="grantedByRole" type="string">
<Description>Include only entitlements granted by a role.</Description>
<Prompt>granted</Prompt>
</Argument>
<Argument name="pendingRequest" type="string">
<Description>Include only entitlements that have a pending access request.</Description>
<Prompt>pendingRequest</Prompt>
</Argument>
<Argument name="currentRequest" type="string">
<Description>Include only entitlements that have a current access request.</Description>
<Prompt>pendingRequest</Prompt>
</Argument>
<Argument name="pendingCertification" type="string">
<Description>Include only entitlements that have a pending certification.</Description>
<Prompt>pendingCertification</Prompt>
</Argument>
<Argument name="certified" type="string">
<Description>Include only entitlements that have been certified.</Description>
<Prompt>certified</Prompt>
</Argument>
</Inputs>
</Signature>
</TaskDefinition>
if you are looking for a report to list only entitlements that are not included in any existing roles then you can put a true filter condition for additional entitlement only argument for the Identity Entitlement Details Report.
Hi @SanjeevIAM , Thank you for you advise, it working well.
