I am working on Add/Remove entitlement for web services connector. The way its end point works is that we have to pass all the members who are supposed to have access to the entitlement. e.g. if currently X and Y have access to the entitlement and we want Z to have access, we will have to pass X, Y and Z. I am planning to write a before provisioning rule to search for the accounts having that particular entitlement and use that in JSON response. I am from IIQ background and I know we can use ManagedAttribute and AccountGroupService class in IIQ. But I am not sure how I can do this search in IdentityNow especially when we are not supposed to use getObject type of methods. Can someone please help me figuring this out?