Policy for "Entitlements Not in Use"

I noticed when creating some SOD policies that there was a suggestion you could create a general policy for “Entitlements not in use”. How do you actually do that search?


I think what they meant is that you can flag employees with entitlements that are not in use or have been retired, assuming you already have the list :).

@colin_mckibben is this something you can ask internally for clarification? It would be nice to know a search that would find entitlements that aren’t being used

An internal source had the following to say:

I don’t think there’s a direct way, but hope others find it. The entitlement representation does not have a “members” or member count operational attribute, so there is no way you can use the entitlement’s searchable attributes in Search. It can be the other way around, asking how many identities have a given entitlement. But a wildcard search won’t give you member counts for each entitlement.
It should be quite easy with a small script with the SDK though. Use the entitlements endpoint to get all entitlements in the system, then iterate and check if each one is assigned to anyone. Quite a heavy process, but feasible.
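A sketch of the list-then-check loop described in the reply above, added here as an example and not taken from the thread or from the SDK. The two callables `list_entitlements(offset, limit)` and `count_holders(entitlement_id)` are hypothetical stand-ins for whatever SDK or API calls you use, and the sample data is constructed.

```python
from typing import Callable, Iterator

def paged(fetch_page: Callable[[int, int], list], limit: int) -> Iterator[dict]:
    """Yield every record from an offset/limit style list call."""
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        yield from page
        if len(page) < limit:      # a short (or empty) page means we are done
            return
        offset += limit

def unused_entitlements(list_entitlements, count_holders, page_size=250):
    """Return entitlements that no identity currently holds.

    list_entitlements(offset, limit) -> list of dicts with an "id" key (hypothetical)
    count_holders(entitlement_id)    -> number of identities holding it (hypothetical)
    Errors from count_holders propagate on purpose: a failed lookup must
    never be reported as "zero holders".
    """
    return [ent for ent in paged(list_entitlements, page_size)
            if count_holders(ent["id"]) == 0]

# --- constructed sample data standing in for the tenant ---
ENTITLEMENTS = [
    {"id": "e1", "name": "AD: Domain Users"},
    {"id": "e2", "name": "SAP: AP_CLERK"},
    {"id": "e3", "name": "AD: Legacy-VPN"},
    {"id": "e4", "name": "Salesforce: ReadOnly"},
    {"id": "e5", "name": "SAP: OLD_FI_ROLE"},
]
IDENTITY_ACCESS = {"alice": {"e1", "e2"}, "bob": {"e1"}, "carol": {"e4"}}

def fake_list(offset, limit):
    return ENTITLEMENTS[offset:offset + limit]

def fake_count(entitlement_id):
    return sum(entitlement_id in held for held in IDENTITY_ACCESS.values())

def demo(page_size=2):
    # A small page size forces several list calls, exercising the paging loop.
    return [e["name"] for e in unused_entitlements(fake_list, fake_count, page_size)]

if __name__ == "__main__":
    for name in demo():
        print("not in use:", name)
```

The loop makes one holder lookup per entitlement, which is the "quite heavy" cost the reply mentions, so expect to rate-limit it on a large tenant.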

I wonder why they worded it that way then? Oh well
