I noticed when creating some SOD policies that there was a suggestion you could create a general policy for “Entitlements not in use”. How do you actually do that search?
I think what they meant is that you can flag employees with entitlements that are not in use or have been retired, assuming you already have the list :).
@colin_mckibben is this something you can ask internally for clarification? It would be nice to know a search that would find entitlements that aren’t being used
An internal source had the following to say:
I don’t think there’s a direct way, but hope others find it. The entitlement representation does not have a “members” or member count operational attribute so, there is no way you can use the entitlements searchable attributes in Search. It can be the other way around, asking how many identities have a given entitlement. But a wildcard search won’t give you member counts for each entitlement.
It should be quite easy with a small script with the SDK though. Use entitlements endpoint to get all entitlements in the system, then iterate and check if that’s assigned to anyone. Quite heavy process but feasible.
I wonder why they worded it that way then? Oh well
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.