Individual Entitlement removal

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hello Experts,

I am currently working on an Emergency Termination use case and have a requirement to validate whether the selected identity has any entitlements related to “mobile devices” before proceeding with the termination.

Could you please advise on the best way to identify or check mobile‑device‑related entitlements associated with an identity?

Additionally, I would like to know if there is a way to restrict the visibility of this form so that it is accessible only to a specific set of users or roles.

Thanks in advance for your help.

Thanks

2

Have you tried using Get Access workflow action to retrieve identity entitlements, then filter by entitlement name/source to check if any of them match your mobile device entitlement names?

3

Hi @niketnova

For your first point, you could use a “Get Access” operation with the “By Search Query” option to filter down by mobile devices. You can use something like this in the search query:
"mobile devices"

If you can provide the exact source or entitlement name that contains mobile devices, I can assist with refining that search query further.

For your second point, if you use the interactive launcher trigger, then you can make the form an entitlement which you can restrict/grant to any users you see fit.

Let me know if this helps or if you have any questions!

4

Hi @niketnova ,
In SailPoint Identity Security Cloud, you can simply use the Get Access step in your workflow to fetch the user’s entitlements and filter for anything related to mobile devices (by name or source) before proceeding with termination. Based on that, you can decide whether to continue or stop the process. For restricting the form, just use the Interactive Launcher and assign it to a specific role or entitlement so only the required users can access it.

5

Hi @niketnova ,

Just wanted to add on your second point, you can map the entitlement of your launcher into a role to assign to individuals or you can use segments for only limited people to access the same.

6

Hey everyone,

Great suggestions so far — all solid. Just adding a slightly different perspective that might give you a few more options, Niket.

For checking mobile device entitlements:
Using Get Access is definitely the way to go. I’d just keep it simple: run a search query for the mobile source, then add a quick condition to check if any results come back (based on naming, source, or tags). If mobile access exists, route it for cleanup (IT/manual review). If not, continue with the normal termination flow.
If you need deeper filtering, calling the Search API via HTTP is a good fallback.

For restricting form visibility:
The cleanest approach is still using the Interactive Launcher + a dedicated entitlement (like “Emergency_Termination_Access”) and granting it only to the right people.
Alternatively, you can control it with:

  • a specific group as the form recipient

  • or a simple condition to validate the initiator before showing the form

i hope this finds you useful

7

Thanks for the great suggestion and as per your asks, source name for the entitlement is Active Directory and Entitlement name is Mobile Devices-Android, Mobile Devices- Apple

8

Thanks, Aryan, for the suggestions. I will check this also

9

Happy to help.

Here is that refined search query. Let me know if you have any questions on it!

source.name:"Active Directory" AND (name:"Mobile Devices-Android" OR name:"Mobile Devices-Apple")

10

I tried your suggested approach, but I am still not getting the expected output.

I am retrieving user access details using a search query, then comparing a string value (entitlement ID / name) in a Compare step. Based on this comparison, the workflow should proceed along different paths.

However, even when the user definitely has the entitlement, the Compare step always evaluates to False.

I have attached the JSON file that shows the access data being returned correctly from the search query. The matching entitlement is present in the response, but the comparison logic does not detect it and never evaluates to True.

CopyofImmediateIdentityTerminationbyNT20260421111.json (7.7 KB)

11

Can you try replacing variableA: $.getAccess.accessItems[?(@.id=='...')][0]
variableB: "" wtih variableA: $.getAccess.accessItems.length
variableB: 0 ?

12

@ntelavan you can instead use Compare Numbers and do $.getAccess.accessItems.length Is Greater Than 0 comparison

13

Hi @niketnova ,
If you are using a workflow for this requirement, in the workflow, use the http request to get the entitlements of a user related to mobile devices, you can use search api for that, something like below and modify it according to the use case
{

"includeNested": **false**,

"indices": \[

  "identities"

\],

"query": {

  "innerHit": {

    "query": "source.name.exact:\\"xxx\\" AND type:\\"ENTITLEMENT\\" AND (name:\\"xxxx\\" OR name:\\"xxxx\\")",

    "type": "access"

  },

  "query": "id:xxx"

},

"queryResultFilter": {

  "includes": \[

    "access.id",

    "access.source.name"

  \]

}

}

For the response , apply .length() function and if it is greater than 0, that means user has entitlements related to mobile devices.

14

For the second question, when you create a form and use it in workflow, one entitlement gets created automatically with form name, so you have to create a role with that entitlement and in define assignment manually add the users to the identity list, so that only those users will have access to that form in launch pad