You can start with the list roles API. If you’re able to write a script, you can fetch all of the roles using that API and then check which ones are `enabled`, have a `membershipCriteria` of type `STANDARD`, and have `null` for the `membership.identities` attribute. This will tell you which roles have membership criteria that no identities match. Below is an example of a role that has no members: `enabled` is `true`, `membership.type` is `STANDARD`, and `membership.identities` is `null`.
{
"description": "WIFI group 1 for employees based in london",
"owner": {
"type": "IDENTITY",
"id": "2c9180867624cbd7017642d8c8c81f67",
"name": "colin.mckibben"
},
"accessProfiles": [],
"membership": {
"type": "STANDARD",
"criteria": {
"operation": "OR",
"key": null,
"stringValue": "",
"children": [
{
"operation": "EQUALS",
"key": {
"type": "IDENTITY",
"property": "attribute.wifiGroup",
"sourceId": ""
},
"stringValue": "London:1",
"children": []
}
]
},
"identities": null
},
"legacyMembershipInfo": null,
"enabled": true,
"requestable": true,
"accessRequestConfig": {
"commentsRequired": false,
"denialCommentsRequired": false,
"approvalSchemes": []
},
"revocationRequestConfig": {
"commentsRequired": false,
"denialCommentsRequired": false,
"approvalSchemes": []
},
"segments": [],
"id": "2c9180857b5fb539017b7829ab9a4903",
"name": "London WIFI 1",
"created": "2021-08-24T12:36:42.010Z",
"modified": "2022-11-08T19:07:18.711Z"
}