Gets a list of entitlements.
GET/entitlements
This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.
This API returns a list of entitlements.
This API can be used in one of the two following ways: either getting entitlements for a specific account-id, or getting via use of filters (those two options are exclusive).
Any authenticated token can call this API.
Request
Query Parameters
The account ID. If specified, returns only entitlements associated with the given Account. Cannot be specified with the filters, segmented-for-identity, for-segment-ids, or include-unsegmented param(s).
If present and not empty, additionally filters Entitlements to those which are assigned to the Segment(s) which are visible to the Identity with the specified ID. By convention, the value me can stand in for the current user's Identity ID. Cannot be specified with the account-id or for-segment-ids param(s). It is also illegal to specify a value that refers to a different user's Identity.
If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs. Cannot be specified with the account-id or segmented-for-identity param(s).
Default value: true
Whether or not the response list should contain unsegmented Entitlements. If for-segment-ids and segmented-for-identity are both absent or empty, specifying include-unsegmented=false results in an error.
Default value: 0
Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.
Possible values: <= 250
Default value: 250
Max number of results to return. See V3 API Standard Collection Parameters for more information.
If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored.
Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used.
See V3 API Standard Collection Parameters for more information.
Sort results using the standard syntax described in V3 API Standard Collection Parameters
Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id, requestable
Filter results using the standard syntax described in V3 API Standard Collection Parameters
Filtering is supported for the following fields and operators:
id: eq, in
name: eq, in, sw
type: eq, in
attribute: eq, in
value: eq, in, sw
source.id: eq, in
requestable: eq
created: gt, lt, ge, le
modified: gt, lt, ge, le
owner.id: eq, in
Header Parameters
Default value: true
Use this header to enable this experimental API.
Responses
- 200
- 400
- 401
- 403
- 429
- 500
List of entitlements
- application/json
- Schema
- Example (from schema)
Schema
Array [
Array [
]
Array [
Array [
]
]
]
The entitlement id
The entitlement name
Time when the entitlement was created
Time when the entitlement was last modified
The entitlement attribute name
The value of the entitlement
The object type of the entitlement from the source schema
True if the entitlement is privileged
True if the entitlement is cloud governed
The description of the entitlement
True if the entitlement is requestable
attributes
object
A map of free-form key-value pairs from the source system
A map of free-form key-value pairs from the source system
source
object
The source ID
The source type, will always be "SOURCE"
The source name
owner
object
Simplified DTO for the owner object of the entitlement
The owner id for the entitlement
The owner name for the entitlement
Possible values: [IDENTITY]
The type of the owner. Initially only type IDENTITY is supported
directPermissions
object[]
All the rights (e.g. actions) that this permission allows on the target
The target the permission would grants rights on.
List of IDs of segments, if any, to which this Entitlement is assigned.
manuallyUpdatedFields
object
Object contains entitlement manually updated fields. Field value is true if is was updated manually via entitlement import csv or patch endpoint. Field value is false if that property value has not been changed after first entitlement aggregation. Values for all manually updatable fields must be specified. For now only two entitlement fields support this: DISPLAY_NAME and DESCRIPTION.
True if the entitlements name was updated manually via entitlement import csv or patch endpoint. False means that property value has not been change after first entitlement aggregation.
Field refers to Entitlement response schema > name property.
True if the entitlement description was updated manually via entitlement import csv or patch endpoint. False means that property value has not been change after first entitlement aggregation.
Field refers to Entitlement response schema > description property.
accessModelMetadata
object
Access Model Metadata (beta).
attributes
object[]
nullable
Technical name of the Attribute. This is unique and cannot be changed after creation.
The display name of the key.
Indicates whether the attribute can have multiple values.
The status of the Attribute.
The type of the Attribute. This can be either "custom" or "governance".
An array of object types this attributes values can be applied to. Possible values are "all" or "entitlement". Value "all" means this attribute can be used with all object types that are supported.
The description of the Attribute.
values
object[]
nullable
Technical name of the Attribute value. This is unique and cannot be changed after creation.
The display name of the Attribute value.
The status of the Attribute value.
[
{
"id": "2c91808874ff91550175097daaec161c",
"name": "LauncherTest2",
"created": "2020-10-08T18:33:52.029Z",
"modified": "2020-10-08T18:33:52.029Z",
"attribute": "memberOf",
"value": "CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local",
"sourceSchemaObjectType": "group",
"privileged": true,
"cloudGoverned": true,
"description": "CN=LauncherTest2,OU=LauncherTestOrg,OU=slpt-automation,DC=TestAutomationAD,DC=local",
"requestable": true,
"attributes": {
"fieldName": "fieldValue"
},
"source": {
"id": "2c9180827ca885d7017ca8ce28a000eb",
"type": "SOURCE",
"name": "ODS-AD-Source"
},
"owner": {
"id": "2a2fdacca5e345f18bf7970cfbb8fec2",
"name": "identity 1",
"type": "IDENTITY"
},
"directPermissions": [
{
"rights": [
"SELECT"
],
"target": "SYS.GV_$TRANSACTION"
}
],
"segments": [
"f7b1b8a3-5fed-4fd4-ad29-82014e137e19",
"29cb6c06-1da8-43ea-8be4-b3125f248f2a"
],
"manuallyUpdatedFields": {
"DISPLAY_NAME": true,
"DESCRIPTION": true
},
"accessModelMetadata": {
"attributes": [
{
"key": "iscPrivacy",
"name": "Privacy",
"multiselect": false,
"status": "active",
"type": "governance",
"objectTypes": [
"all"
],
"description": "Specifies the level of privacy associated with an access item.",
"values": [
{
"value": "public",
"name": "Public",
"status": "active"
}
]
}
]
}
}
]
Client Error - Returned if the request body is invalid.
- application/json
- Schema
- Example (from schema)
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT, REQUEST, null]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT, REQUEST, null]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"error": "JWT validation failed: JWT is expired"
}
Forbidden - Returned if the user you are running as, doesn't have access to this end-point.
- application/json
- Schema
- Example (from schema)
- 403
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT, REQUEST, null]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT, REQUEST, null]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 403 response object
{
"detailCode": "403 Forbidden",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The server understood the request but refuses to authorize it."
}
]
}
Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.
- application/json
- Schema
- Example (from schema)
Schema
A message describing the error
{
"message": " Rate Limit Exceeded "
}
Internal Server Error - Returned if there is an unexpected error.
- application/json
- Schema
- Example (from schema)
- 500
Schema
Array [
]
Array [
]
Fine-grained error code providing more detail of the error.
Unique tracking id for the error.
messages
object[]
Generic localized reason for error
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT, REQUEST, null]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
causes
object[]
Plain-text descriptive reasons to provide additional detail to the text provided in the messages field
The locale for the message text, a BCP 47 language tag.
Possible values: [DEFAULT, REQUEST, null]
An indicator of how the locale was selected. DEFAULT means the locale is the system default. REQUEST means the locale was selected from the request context (i.e., best match based on the Accept-Language header). Additional values may be added in the future without notice.
Actual text of the error message in the indicated locale.
{
"detailCode": "400.1 Bad Request Content",
"trackingId": "e7eab60924f64aa284175b9fa3309599",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
],
"causes": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The request was syntactically correct but its content is semantically invalid."
}
]
}
An example of a 500 response object
{
"detailCode": "500.0 Internal Fault",
"trackingId": "b21b1f7ce4da4d639f2c62a57171b427",
"messages": [
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "An internal fault occurred."
}
]
}