Report or certification available to view capabilities and rights

Which IIQ version are you inquiring about?

8.5p1

Share all details about your problem, including any error messages you may have received.

Is there an OOTB method to display the capabilities and SPRights mapping in the form of a report or certification for review in IdentityIQ?

Hi @fionali Welcome back

If you’re looking for a Capability-to-SPRight mapping (i.e., which SPRights are included in each Capability), there is no OOTB report or certification in IIQ that provides this view. The mapping can be reviewed through the Capability definition (Debug pages or exported XML, specifically the RightRefs section), but presenting it as an auditable report typically requires a custom Report. OOTB certifications can review capability assignments to identities, but not the SPRights contained within a capability.
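The export-based review mentioned above (the RightRefs section of the exported Capability XML), as an added example that is not part of the original reply and is not SailPoint code: a Python sketch that flattens an export into an auditable CSV. The sample XML and its capability and right names are constructed, and the `InheritedCapabilities` element name is an assumption about the export format.

```python
import csv, io
import xml.etree.ElementTree as ET
# Constructed sample export; capability and right names are made up for illustration.
SAMPLE_EXPORT = """<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <Capability name="ExampleAuditor">
    <RightRefs>
      <Reference class="sailpoint.object.SPRight" name="ExampleViewReports"/>
    </RightRefs>
  </Capability>
  <Capability name="ExampleHelpDesk">
    <InheritedCapabilities>
      <Reference class="sailpoint.object.Capability" name="ExampleAuditor"/>
    </InheritedCapabilities>
    <RightRefs>
      <Reference class="sailpoint.object.SPRight" name="ExampleResetPassword"/>
    </RightRefs>
  </Capability>
</sailpoint>"""

def load_capabilities(xml_text):
    """Return {capability name: (direct SPRights, inherited capability names)}."""
    caps = {}
    for cap in ET.fromstring(xml_text).iter("Capability"):
        rights = {r.get("name") for r in cap.findall("RightRefs/Reference")}
        # InheritedCapabilities is an assumed element name, not shown in the thread.
        parents = [r.get("name") for r in cap.findall("InheritedCapabilities/Reference")]
        caps[cap.get("name")] = (rights, parents)
    return caps

def effective_rights(caps, name, seen=None):
    """Direct rights plus those of inherited capabilities; 'seen' stops cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in caps:
        return set()
    seen.add(name)
    rights, parents = caps[name]
    return set(rights).union(*(effective_rights(caps, p, seen) for p in parents))

def mapping_csv(xml_text):
    """One CSV row per (capability, SPRight), marking direct vs inherited rights."""
    caps = load_capabilities(xml_text)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["capability", "spright", "source"])
    for name in sorted(caps):
        for right in sorted(effective_rights(caps, name)):
            source = "direct" if right in caps[name][0] else "inherited"
            writer.writerow([name, right, source])
    return out.getvalue()
```

Diffing the CSV between two exports shows when a capability has quietly gained rights, which the capability-level certification does not surface.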

Hi @fionali ,

PFB links for SPRight - Capability mapping

IdentityIQ Rights and Capabilities - Definitions - Compass

Capabilities Matrix 8.5 - Compass

To export capabilities, please go through this link -

Export IdentityIQ capability and SPRight information - Compass

Hope this helps.

Hi @fionali,

Welcome back to the Developer Community!

For IdentityIQ 8.5p1, there isn’t an out-of-the-box report specifically designed to show the mapping between IdentityIQ Capabilities and the underlying SPRights (System Permissions).

However, if you’re using Targeted Certification or Advanced Certification, there is an “Include IdentityIQ Capabilities” option available in the certification definition. When enabled, the certification will include all IdentityIQ Capabilities assigned to the identities being certified, allowing reviewers to validate those capability assignments.

The underlying SPRights that are granted through a capability are not exposed separately in certifications, and there is no standard OOTB report that provides a Capability-to-SPRight mapping for review. If that level of visibility is required, a custom report or custom certification extension would need to be developed.

In most implementations, capabilities are the governance object that gets reviewed, while the associated SPRights are managed as part of the capability definition itself. Therefore, reviewing capabilities is usually sufficient from a certification perspective.

You can also refer to the Targeted Certification configuration where the “Include IdentityIQ Capabilities” option is available.

Targeted certification result FYI:

Hope this helps.

Thanks for sharing. Will there be a custom report available for this use case to share?

No. Since Capabilities and their associated SPRights are stored in IdentityIQ objects, it should be possible to develop a custom report that shows:

  • Capability Name
  • Description
  • Associated SPRights

@fionali

You can go with a custom report. This will help you to achieve your requirement.

Hi @fionali ,

There is no OOTB report to get the Capabilities and the associated SPRights. You can use the following custom report to get the SPRights associated with the capability.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition executor="sailpoint.reporting.LiveReportExecutor" name="Custom GetSPRights Associated With Capabilities Report" subType="task_item_type_live_report" template="true" type="LiveReport">
  <Attributes>
    <Map>
      <entry key="TaskDefinition.runLengthAverage" value="5"/>
      <entry key="TaskDefinition.runLengthTotal" value="11"/>
      <entry key="TaskDefinition.runs" value="2"/>
      <entry key="report">
        <value>
          <LiveReport title="Identity Details Report">
            <DataSource objectType="sailpoint.object.Capability" type="Filter">
              <QueryParameters>
                <Parameter argument="capabilities" property="name"/>
              </QueryParameters>
            </DataSource>
            <ReportForm>
              <Reference class="sailpoint.object.Form" name="Custom GetSPRights of Capablities Report Form"/>
            </ReportForm>
            <Columns>
              <ReportColumnConfig field="name" header="Capability Name" property="name" width="110"/>
              <ReportColumnConfig field="allSPRights" header="Associated SPRights" property="name" width="110">
                <RenderScript>
                  <Source>
                    import sailpoint.object.Capability;
                    import sailpoint.object.SPRight;
                    import sailpoint.tools.Util;

                    import java.util.List;
                    import java.util.ArrayList;

                    // Names of the SPRights to show in this row's column
                    List spRightsNames = new ArrayList();

                    // "value" is the capability name (the column's property is "name")
                    if (Util.isNotNullOrEmpty(value)) {
                      Capability capability = context.getObjectByName(Capability.class, value);
                      if (capability != null) {
                        List spRights = capability.getAllRights();
                        for (SPRight spright : spRights) {
                          if (spright != null) {
                            spRightsNames.add(spright.getName());
                          }
                        }
                      }
                    }
                    return spRightsNames;
                  </Source>
                </RenderScript>
              </ReportColumnConfig>
            </Columns>
          </LiveReport>
        </value>
      </entry>
    </Map>
  </Attributes>
  <Signature>
    <Inputs>
      <Argument multi="true" name="capabilities" type="Capability"/>
    </Inputs>
  </Signature>
</TaskDefinition>

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Form PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Form name="Custom GetSPRights of Capablities Report Form" type="Report">
  <Section columns="2" label="Capability Details" name="customProperties">
    <Field displayName="Capabilities" helpKey="Select Capabilities to get associated SPRights" multi="true" name="capabilities" type="Capability" value="ref:capabilities">
      <Attributes>
        <Map>
          <entry key="valueProperty" value="name"/>
        </Map>
      </Attributes>
    </Field>
  </Section>
</Form>

You can save the above code in IdentityIQ and execute it to get the SPRights associated with a Capability.

If you do not select any capability, all capabilities will be displayed.

@fionali Please try the report @Chathuryas shared. It is working fine. If you have additional requirements, you can build them on top of it.

Hi @fionali ,

Did you try the above custom report to get the mappings between SPRights and Capabilities? Did you face any issues?

Hi @fionali I tried @Chathuryas’s report, and it’s working fine. Please give it a try and let us know.