Untagged entitlement to role report for users

Hi Experts,

I have to generate a report of the users who have entitlements that are not mapped to any role. I have tried using a PS script but am not sure what is wrong in it; I have attached the script below for reference. Any idea how this can be achieved?

```powershell
# Base URL
$baseUrl = "https://tenant.api.identitynow.com/beta"

# OAuth URL as per tenant
$tokenUrl = "https://tenant.api.identitynow.com/oauth/token"
$clientID = ""
$clientSecret = ""

# Define export file path
$DATA_FILE_PATH = "C:/Temp/UntaggedEntitlement&Users.csv"

function Get-AccessToken {
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $clientID
        client_secret = $clientSecret
    }

    try {
        # Make the token request
        $response = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body
        return $response.access_token
    }
    catch {
        Write-Error "Error getting access token: $_"
        exit 1
    }
}

# Get access token
$accessToken = Get-AccessToken

# Function to make an API request
function Invoke-ApiRequest {
    param (
        [String]$Uri,
        [String]$Method = "GET",
        [hashtable]$Headers = @{}
    )

    # Set authorization header
    $Headers["Authorization"] = "Bearer $accessToken"

    try {
        # Make the HTTP request
        $response = Invoke-RestMethod -Uri $Uri -Method $Method -Headers $Headers -ContentType "application/json"
        return $response
    }
    catch {
        Write-Error "Error calling API ($Uri): $_"
        exit 1
    }
}

# Function to get all entitlements
function Get-Entitlements {
    $uri = "$baseUrl/entitlements"
    return Invoke-ApiRequest -Uri $uri
}

# Function to get all roles
function Get-Roles {
    $uri = "$baseUrl/roles"
    return Invoke-ApiRequest -Uri $uri
}

# Function to get the entitlements of one user
function Get-UserEntitlements {
    param (
        [String]$userId
    )
    $uri = "$baseUrl/users/$userId/entitlements"
    return Invoke-ApiRequest -Uri $uri
}

# Function to get all users
function Get-Users {
    $uri = "$baseUrl/users"
    $users = @()

    try {
        $response = Invoke-ApiRequest -Uri $uri
        $users += $response.results

        while ($response.nextPage) {
            $uri = $response.nextPage
            $response = Invoke-ApiRequest -Uri $uri
            $users += $response.results
        }
    }
    catch {
        Write-Error "Error getting users: $_"
        exit 1
    }

    return $users
}

# Function to find unassociated entitlements
function Find-UnassociatedEntitlements {
    # Get all entitlements and roles ($entitlements is fetched but not used below)
    $entitlements = Get-Entitlements
    $roles = Get-Roles

    # Collect the IDs of all entitlements associated with roles.
    # Compare by id: -notcontains on whole objects compares references and never matches.
    $roleEntitlementIds = @()
    foreach ($role in $roles) {
        if ($role.entitlements) {
            $roleEntitlementIds += @($role.entitlements | ForEach-Object { $_.id })
        }
    }

    # Get users and check their entitlements
    $users = Get-Users
    $unassociatedEntitlements = @()

    foreach ($user in $users) {
        $userEntitlements = Get-UserEntitlements -userId $user.id

        foreach ($entitlement in $userEntitlements) {
            if ($roleEntitlementIds -notcontains $entitlement.id) {
                $unassociatedEntitlements += [PSCustomObject]@{
                    UserId      = $user.id
                    UserName    = $user.name
                    Entitlement = $entitlement.name   # was $entitlements, i.e. the whole list
                }
            }
        }
    }

    return $unassociatedEntitlements
}

$unassociatedReport = Find-UnassociatedEntitlements

$unassociatedReport | Export-Csv -Path $DATA_FILE_PATH -NoTypeInformation
```

Hi Chandra, welcome to the Developer Community!

I would suggest introducing some logging or, if you remember to remove them after development, some global variables, so you can investigate what the results of those function calls are.

I’m guessing that two of your functions aren’t working: Get-UserEntitlements and Get-Users, because there is no /beta/users endpoint in the API. There is a /beta/identities endpoint, but it won’t include entitlements. For that, you would need to Search for identities and use includeNested: true in the POST body. I actually wrote a blog post on this, still in draft state.

If you do that, it should save you the two separate calls, because the <Identity>.access array property indicates whether Entitlements are standalone or granted to this Identity as part of a Role or Access Profile.
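Worked example of the approach described in the reply above. This is added here and is not code from either poster: it searches identities with includeNested: true, then keeps only the access[] entries that are entitlements not granted through a Role or Access Profile. Assumed, and to be verified against your tenant's API documentation: the tenant base URL, a client-credentials token already held in $accessToken, POST /v3/search paged with limit/offset, and the name of the boolean on each ENTITLEMENT access entry (taken here as standalone, $true when the entitlement is held directly). The sample search documents at the bottom are constructed so the report logic runs offline.

```powershell
# Added example, not from the original post. Builds the "entitlements not granted
# through a role" report from identity search documents, as the reply suggests.
# Assumptions (verify against your tenant's API docs):
#   - tenant base URL and a client-credentials token already in $accessToken
#   - POST /v3/search with "includeNested": true and limit/offset paging
#   - each access[] entry of type ENTITLEMENT carries a boolean 'standalone'
#     that is $true when it is not granted via a Role or Access Profile

function Search-IdentitiesWithAccess {
    param (
        [Parameter(Mandatory)][string]$BaseUrl,       # e.g. https://tenant.api.identitynow.com (assumed)
        [Parameter(Mandatory)][string]$AccessToken,
        [int]$PageSize = 250
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $body = @{
        indices       = @('identities')
        query         = @{ query = '*' }   # narrow this query for large tenants
        includeNested = $true              # required so access[] is populated
    } | ConvertTo-Json -Depth 5

    $documents = @()
    $offset = 0
    do {
        $uri = "$BaseUrl/v3/search?limit=$PageSize&offset=$offset"
        $page = @(Invoke-RestMethod -Uri $uri -Method Post -Headers $headers -ContentType 'application/json' -Body $body)
        $documents += $page
        $offset += $PageSize
    } while ($page.Count -eq $PageSize)   # a short page means the last one

    return $documents
}

function Get-StandaloneEntitlementRows {
    # Pure function over search documents, so it can be exercised offline.
    param ([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Identities)

    foreach ($identity in $Identities) {
        foreach ($item in @($identity.access)) {
            # Keep only entitlements the identity holds directly; an entry with
            # standalone = $false came through a Role or an Access Profile.
            if ($item.type -eq 'ENTITLEMENT' -and $item.standalone -eq $true) {
                [PSCustomObject]@{
                    IdentityId   = $identity.id
                    IdentityName = $identity.name
                    Source       = $item.source.name
                    Entitlement  = $item.name
                    Attribute    = $item.attribute
                    Value        = $item.value
                }
            }
        }
    }
}

# Constructed sample of two search documents (not real tenant data), shaped
# like the nested identity documents the reply describes.
$sampleDocuments = @'
[
  {
    "id": "2c91808a1",
    "name": "alice.smith",
    "access": [
      { "type": "ROLE", "id": "r1", "name": "Finance Analyst" },
      { "type": "ENTITLEMENT", "id": "e1", "name": "GL-Read", "attribute": "memberOf",
        "value": "CN=GL-Read,OU=Groups,DC=corp", "standalone": false,
        "source": { "id": "s1", "name": "Active Directory" } },
      { "type": "ENTITLEMENT", "id": "e2", "name": "Domain Admins", "attribute": "memberOf",
        "value": "CN=Domain Admins,CN=Users,DC=corp", "standalone": true,
        "source": { "id": "s1", "name": "Active Directory" } }
    ]
  },
  {
    "id": "2c91808a2",
    "name": "bob.jones",
    "access": [
      { "type": "ENTITLEMENT", "id": "e1", "name": "GL-Read", "attribute": "memberOf",
        "value": "CN=GL-Read,OU=Groups,DC=corp", "standalone": false,
        "source": { "id": "s1", "name": "Active Directory" } }
    ]
  }
]
'@ | ConvertFrom-Json

$rows = @(Get-StandaloneEntitlementRows -Identities $sampleDocuments)
$rows | Format-Table -AutoSize   # one row: alice.smith holds Domain Admins directly

# Against a live tenant (assumed values), replace the sample with:
# $docs = Search-IdentitiesWithAccess -BaseUrl 'https://tenant.api.identitynow.com' -AccessToken $accessToken
# Get-StandaloneEntitlementRows -Identities $docs | Export-Csv -Path 'C:\Temp\StandaloneEntitlements.csv' -NoTypeInformation
```

The report step is deliberately separated from the HTTP step so you can dump one page of real search output to a file and run Get-StandaloneEntitlementRows against it while debugging, which is the kind of visibility the reply recommends. Two caveats: the search query '*' pulls every identity, so narrow it for large tenants, and offset paging of the search API is capped (at 10,000 documents in the current documentation as I understand it), beyond which you need sort plus searchAfter instead of offset.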