List Access Profiles API - Filtering by source?

Hello All! Need some help. I am working on a PowerShell script to use the API (list-access-profiles | SailPoint Developer Community) to list out all access profiles in our tenant. The issue is, there is a limit on the output. The documentation says 50, but I’ve been able to get 250, and no more than that. We have near 600 total access profiles now, so it’s limiting in a bad way. I was hoping to leverage the “filter” option, but not sure how to go about it. When I attempt to filter in the URL query, it just shows the same list of access profiles, up to 250 from all sources. Anyone know the string I am supposed to use to limit this?

Side note…If pagination is easier, that works too. The end goal is to see them all, whichever makes more sense in the longer run is fine. Filter is preferred for SOX stuff…

$accessProfiles = getObjects "beta/access-profiles?count=true&limit=250" "all" - THIS WORKS AS EXPECTED

Looking for a filter to limit to source.id.

source.id is a valid search field in the filters parameter.

beta/access-profiles?filter=source.id eq "2c9180877fdb6945017fe0b9ed8e5fef"

Since it looks like you’re using PowerShell, I would recommend doing this in the PowerShell SDK using a combination of Get-BetaAccessProfiles and invoke-paginate.

invoke-paginate -function "get-betaaccessprofiles" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= 'source.id eq "2c9180877fdb6945017fe0b9ed8e5fef"'}

Using the SDK is nice for doing further filtering on result sets where a filter doesn’t currently exist on the API side. For example - “Query all the entitlements in the Entra ID source that are Teams groups”

invoke-paginate -function "get-betaentitlements" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= 'source.id eq "4ba4e79fbd4f440fb086ba59ef566cdf"'} | 
    where-object {$_.attributes.teamsEnabled -eq $true} | 
    select -expandproperty attributes | 
    select displayname, mail | 
    sort displayname

Thanks for the quick reply! I have tried the filter option as you posted, not any SDK. Here is the code below as it is written so far. When applying the filter directly, or through a variable, it returns all my outputs as empty now, which is very much not true. Thoughts?

function fetchAccessToken()
{
    try
    {
        Write-Host " FETCHING ACCESS TOKEN... ATTEMPT $numberOfAttempts" -ForegroundColor Yellow
        $uri = "$baseUrl/oauth/token?grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret"
        Return (Invoke-RestMethod -Method Post -Uri $uri).access_token
    }
    catch
    {
        Write-Host $_
        Return $null
    }
}

function getObjects([String] $contextURL, [String] $resultToReturn)
{
    try
    {
        $uri = "$baseUrl/$contextURL"
        $getObjectBody = @{
            method = "GET"
            uri = $uri
            headers = @{ Authorization = "Bearer $token" }
        }
        $getObjectArray = Invoke-RestMethod @getObjectBody
        if ($resultToReturn -eq "single" -and $getObjectArray.Count -gt 0)
        {
            return $getObjectArray[0].id
        }
        elseif ($resultToReturn -eq "all")
        {
            return $getObjectArray
        }
    }
    catch
    {
        Write-Host $_ -ForegroundColor Red
        Write-Host " StatusCode: " $_.Exception.Response.StatusCode.value__ -ForegroundColor Red
        Write-Host " Error Message: " $_.ErrorDetails.Message -ForegroundColor Red
    }
}

<#tag AUTHENTICATION#>
try
{
    $credFileLocation = Join-Path -Path $projectRootLocation -ChildPath $clientCredentials
    $inputLabels = Import-CSV -Path $credFileLocation -Header A, B
    $inputLabelsList = @($inputLabels.A)
    $inputValuesList = @($inputLabels.B)
    for ($i = 0; $i -lt $inputLabelsList.count; $i++) {
        if ($($inputValuesList[$i]).Trim().length -lt 1)
        {
            Write-Host "Please update `"$( $inputLabelsList[$i] )`" and retry" -ForegroundColor Red -BackgroundColor Yellow
            return
        }
    }
} 
catch
{
    Write-Host $_ -ForegroundColor Red -BackgroundColor Yellow
    return
}

$tenant = $inputValuesList[0]
$clientId = $inputValuesList[1]
$clientSecret = $inputValuesList[2]
$baseUrl = "https://$tenant.api.identitynow.com"

while (($numberOfAttempts -lt $maxAttempts) -and ([string]::IsNullOrEmpty($token)))
{
    $numberOfAttempts++
    Start-Sleep 1.2
    $token = fetchAccessToken
}
if (-Not $token) #tag EXIT AS AUTHENTICATION FAILED
{
    Write-Host " $dsLine `n COULD NOT AUTHENTICATE AFTER $maxAttempts ATTEMPTS. EXITING PROCESS `n $dsLine" -ForegroundColor Red
    Exit
}

$filter = "filter=source.id eq '492e7004216d4b7db33c1cdd28ab474b'"
$accessProfilesList = [System.Collections.ArrayList]::new()
$accessProfiles = getObjects "beta/access-profiles?$filter"
$governanceGroups = getObjects "beta/workgroups?count=true&limit=250" "all"

Try changing

$filter = "filter=source.id eq '492e7004216d4b7db33c1cdd28ab474b'"

to

$filter = 'filters=source.id eq "492e7004216d4b7db33c1cdd28ab474b"'

The API call is expecting double quotes. Also, the query parameter is called “filters” and not “filter”.


Same result again, still no data in the output. I have even tried this as well:

$accessProfilesList = [System.Collections.ArrayList]::new()
$accessProfiles = getObjects 'beta/access-profiles?filters=name sw "CPI_AP_Monarch"'

I got it!!! I forgot the “all” tag at the end.

$accessProfilesList = [System.Collections.ArrayList]::new()
$accessProfiles = getObjects 'beta/access-profiles?filters=name sw "CPI_AP_Monarch"' "all"
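An added example, not part of the original thread or SailPoint's own code: one way to combine the fixes discussed above (the `filters` parameter name, double-quoted values, paging past the 250-item page) with plain Invoke-RestMethod calls. The helper names Get-IdnToken and Get-IdnPaged and the `<source-id>` placeholder are hypothetical, and it assumes the token endpoint accepts the standard OAuth form-encoded body, which keeps the client secret out of the request URL.

```powershell
# Added example; Get-IdnToken and Get-IdnPaged are hypothetical helper names.
function Get-IdnToken {
    param([string]$BaseUrl, [string]$ClientId, [string]$ClientSecret)
    # Assumption: /oauth/token accepts a form-encoded POST body (standard OAuth 2.0),
    # so the secret is not written to URL logs on proxies or gateways.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
    (Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth/token" -Body $body).access_token
}

function Get-IdnPaged {
    param(
        [string]$BaseUrl,
        [string]$Token,
        [string]$Path,          # e.g. 'beta/access-profiles'
        [string]$Filters,       # e.g. 'source.id eq "<source-id>"'
        [int]$PageSize = 250    # largest page size the thread reports getting back
    )
    $headers = @{ Authorization = "Bearer $Token" }
    $offset  = 0
    $all     = [System.Collections.Generic.List[object]]::new()
    do {
        $query = "limit=$PageSize&offset=$offset"
        if ($Filters) {
            # The parameter is 'filters' (plural); encode the spaces and double quotes.
            $query += '&filters=' + [uri]::EscapeDataString($Filters)
        }
        $resp = Invoke-RestMethod -Method Get -Uri "$BaseUrl/${Path}?$query" -Headers $headers
        $page = @($resp)        # normalise $null, one object, or an array to an array
        $all.AddRange($page)
        $offset += $PageSize
    } while ($page.Count -eq $PageSize)   # a short page means the last page was reached
    return $all
}

# Usage (tenant, credentials and source id are placeholders):
# $token = Get-IdnToken -BaseUrl $baseUrl -ClientId $clientId -ClientSecret $clientSecret
# $aps   = Get-IdnPaged -BaseUrl $baseUrl -Token $token -Path 'beta/access-profiles' `
#              -Filters 'source.id eq "<source-id>"'
```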
