Is there a search query that can retrieve all identities whose entitlement access is set to expire within a specific date range? For example, it should get identities whose access will expire in the next 3, 5, or 7 days.
Hi @amankumargupta,
Use this query in SailPoint IdentityNow UI: @access(expirationDate:[now TO now+7d])
Or
You may use below curl command in your postman
curl --location --request POST 'https://{{tenant}}.api.identitynow-demo.com//v2024/search' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInRl0' \
--data-raw '{
"indices": [
"identities"
],
"query": {
"query": "@access(expirationDate:[now TO now+7d])"
},
"queryResultFilter": {
"includes": [
"name",
"expirationDate",
"entitlements"
]
}
}'
Thank You.
Welcome to the sailPoint community. Please try the below query, as it is working for me
@access(removeDate:[now TO now+100d] AND type:ROLE)
I also observed that it worked for me only for ROLE so i am not sure if this will also work for you for entitlements.
But it may not be working for me as i have access request feature enabled only for roles and not for entitlements so there is no way for me to setup the expiration date for entitlement. You can try it changing the number of days or years and type:ENTITLEMENT or Access profile based on your requirement and see if it works for other access types.
But for ROLES it is definitely working.
I hope this helps.
Thank You
Regards
Vikas
Hey Aman,
Here is a UI query and an API search to find upcoming Access Profiles and Roles with expirations dates for users. I know you specifically mentioned searching for entitlement removeDates, and I’m still looking into those. Just wanted to share what I have found so far in case it is helpful and note that entitlement removalDates will need to be handled separately (just not sure how yet).
This query will work in the search UI, but it will only return the list of identities that have access that is set to be removed in the timeframe. Meaning, it will not show the access that is going to be removed, just that these identities have some access that will be removed.
@access(removeDate:[now TO now+50d])
This might be sufficient for you, but if you are looking to get a list of the access items that will be removed, you will need to use the search API with something like below in the body. This will return the access items that are going to be removed for each account.
{
"indices": [
"identities"
],
"query": {
"innerHit": {
"query": "removeDate:[now TO now+50d]",
"type": "access"
},
"query": "*"
}
}
Still working on seeing how relative entitlement removeDate searches can be done and I’ll let you know if I have an update.
Thank you,
- Zach
2 Likes
So far, the best I can come up with is using the search API with the below body to get a list of all events with the removeDate attribute for all entitlements.
{
"indices": [
"events"
],
"query": {
"query": "_exists_:attributes.removeDate AND attributes.accessItemType:\"entitlement\""
}
}
When I try to do a date search on this attribute (like attributes.removeDate:[now TO now+50d]), I do not get any results, even though there are result. It seems like this field is being stored as a String as opposed to a dateType field as I can update my query to this and it returns the expected results: attributes.removeDate:\"*11*\"
Since this field is a String and not a dateType, you wouldn’t be able to use to do a date compare. A possible solution would be to run the above search to get all access requests with a removeDate attribute, export the results to a json file, and import the file into Excel or wherever to do the date logic calculation you are looking for.
Other than the events for access request being submitted with a removeDate, I do not see any other location where this information is stored to be able to perform a dateType search. It does not seem to be stored in the identities (access) index like the date is for Roles and Access Profiles, or any other part of this index.
Unless somebody else knows where this data is stored or how IDN does these lookups/calculations for access removals, unfortunately the only solution I can think of for entitlement removalDates is to do the search/export I mentioned above and do your comparisons in another tool.
If I find a better answer, I will definitely let you know, but this might be the best option currently.
Thank you,
- Zach
1 Like
I have 2 other options that might help with your current situation, but they are not exactly what you seem to be looking for.
A search like this can let you search for removeDates that are in a specified year/month. This might give you some info you need to look for removeDates that are coming up in the next month.
{
"indices": [
"events"
],
"query": {
"query": "attributes.removeDate:\"2024-11*\""
}
}
Additionally, you can search my identity id to find the removeDates for the items they requested to see if any are upcoming. This solution was described here: How to view expiration date of an entitlement for a particular Identity? - #3 by kdfreeman
Hope one of these solutions helps you!
- Zach
1 Like
Hi @gogubapu, thanks, but this query didn’t work
Hi @vguleria, Thanks, but this didn’t work for entitlement
Hi @zachm117 , same approach I followed thanks