Hi Everyone,
I wanted to remove the entitlement (Test group) automatically from all identities who currently have it, by executing a scheduled workflow every day. Can we do that without using a saved search?
Thanks.
Yes, you can:
{
  "query": {
    "query": "@access((name.exact:\"Test Group\" AND type: \"ENTITLEMENT\"))"
  },
  "indices": [
    "identities"
  ],
  "includeNested": true,
  "sort": [
    "displayName"
  ],
  "queryResultFilter": {
    "includes": [
      "id",
      "displayName"
    ],
    "excludes": [
      "stacktrace"
    ]
  }
}
Note: a loop cannot have more than 100 entries, so if you have many entries, you can consider this: Alternative ways to match the limitation of worflow loop allowing 100 iterations - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
Hi @saikumarS
We can do that,
and we don’t really need a saved search query. You can use the HTTP operation and implement the search API as mentioned by @baoussounda.
But things to keep in mind:
Thank you
Hi @baoussounda @sidharth_tarlapally
We have many users with the specific entitlement “Test computer group”. The workflow is executing properly; however, the entitlement is not getting removed.
Can you check the workflow and let me know if I'm missing anything?
Thanks
RemoveSMTPGroup20250810 (3).json (2.3 KB)
Hello @saikumarS
Inside of your loop in “Manage Access” you should use:
$.loopThroughIdentities.loopInput.id
Using the filter name "Test computer group" will return every identity that has "Test computer group" in one of its name fields.
There are several name fields in the Identity object (e.g., access, accounts, attributes).
You can try a filter like:
@access((name.exact:\"Test computer group\" AND type: \"ENTITLEMENT\"))
Hi @sidharth_tarlapally @baoussounda ,
RemoveSMTPGroup20250811.json (2.4 KB)
I have updated the same and the entitlements are not getting removed.
Can you look into it?
Thanks
@saikumarS what did the execution log say? In your env, is entitlement request enabled?
In your Manage Access request body you have:
{"accessItems":[{"id":"e7987bfd753f4a3481718cb895cebee2","name":"Test computer group","type":"entitlement"}]}
You should replace it with:
[{"id":"e7987bfd753f4a3481718cb895cebee2","name":"Test computer group","type":"ENTITLEMENT"}]
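The body correction above and the 100-iteration loop limit mentioned earlier in the thread can be checked before a workflow is scheduled. The following is an added example, not code from any poster or from SailPoint: the function names and the set of accepted item types are assumptions, and the 250 identity ids are constructed sample data.

```python
import json

# Assumption: item types accepted by Manage Access, upper case as in the
# corrected body quoted in the thread.
VALID_TYPES = {"ENTITLEMENT", "ACCESS_PROFILE", "ROLE"}
LOOP_LIMIT = 100  # workflow loop iteration limit mentioned in the thread


def normalize_access_items(raw):
    """Return (items, findings): a bare list with upper-case types, plus a
    note for every correction that had to be made."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    findings = []
    if isinstance(data, dict):
        if "accessItems" not in data:
            raise ValueError("expected a list or an 'accessItems' wrapper")
        findings.append("unwrapped 'accessItems' object into a bare list")
        data = data["accessItems"]
    if not isinstance(data, list) or not data:
        raise ValueError("access items must be a non-empty list")
    items = []
    for pos, item in enumerate(data):
        if not isinstance(item, dict) or not {"id", "type"} <= set(item):
            raise ValueError(f"item {pos} needs 'id' and 'type'")
        upper = str(item["type"]).upper()
        if upper not in VALID_TYPES:
            raise ValueError(f"item {pos}: unknown type {item['type']!r}")
        if upper != item["type"]:
            findings.append(f"item {pos}: type {item['type']!r} -> {upper!r}")
        items.append({**item, "type": upper})
    return items, findings


def batch_identities(ids, size=LOOP_LIMIT):
    """Split search-result ids into loop-sized batches, dropping duplicates."""
    unique = list(dict.fromkeys(ids))
    return [unique[i:i + size] for i in range(0, len(unique), size)]


if __name__ == "__main__":
    before = ('{"accessItems":[{"id":"e7987bfd753f4a3481718cb895cebee2",'
              '"name":"Test computer group","type":"entitlement"}]}')
    items, findings = normalize_access_items(before)
    print(json.dumps(items))
    print(findings)
    sample_ids = [f"identity-{n}" for n in range(250)]  # constructed ids
    print([len(b) for b in batch_identities(sample_ids)])
```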
@saikumarS While I see that people have already given you the solution, I was wondering why you have to do this?
I mean generally if we want to remove any entitlements, we can do that in one go using a certification campaign. If we are removing some entitlements on a scheduled basis, then there is some process that is assigning these entitlements on a regular basis, and if we stop that process, we will not have to do this scheduled removal of entitlements…..!!!
You don't have to answer this question, but I could not help but ask.
Thank you,
Vaibhav
Hello @vdivakar ,
Thanks for taking the time to reply, but if you are unsure of the actual requirement, it's better to skip commenting. The approach is intentional and based on constraints you may not be aware of.
Thank you,
Saikumar