Skip to main content

Entitlements

Use this API to implement and customize entitlement functionality. With this functionality in place, administrators can view entitlements and configure them for use throughout Identity Security Cloud in certifications, access profiles, and roles. Administrators in Identity Security Cloud can then grant users access to the entitlements or configure them so users themselves can request access to the entitlements whenever they need them. With a good approval process, this entitlement functionality allows users to gain the specific access they need on sources quickly and securely.

Entitlements represent access rights on sources. Entitlements are the most granular form of access in Identity Security Cloud. Entitlements are often grouped into access profiles, and access profiles themselves are often grouped into roles, the broadest form of access in Identity Security Cloud.

For example, an Active Directory source in Identity Security Cloud can have multiple entitlements: the first, 'Employees,' may represent the access all employees have at the organization, and a second, 'Developers,' may represent the access all developers have at the organization.

An administrator can then create a broader set of access in the form of an access profile, 'AD Developers' grouping the 'Employees' entitlement with the 'Developers' entitlement.

An administrator can then create an even broader set of access in the form of a role grouping the 'AD Developers' access profile with another profile, 'GitHub Developers,' grouping entitlements for the GitHub source.

When users only need Active Directory employee access, they can request access to the 'Employees' entitlement.

When users need both Active Directory employee and developer access, they can request access to the 'AD Developers' access profile.

When users need both the 'AD Developers' access profile and the 'GitHub Developers' access profile, they can request access to the role grouping both.

Administrators often use roles and access profiles within those roles to manage access so that users can gain access more quickly, but the hierarchy of access all starts with entitlements.

Anywhere entitlements appear, you can select them to find more information about the following:

  • Cloud Access Details: These provide details about the cloud access entitlements on cloud-enabled sources.

  • Permissions: Permissions represent individual units of read/write/admin access to a system.

  • Relationships: These list each entitlement's parent and child relationships.

  • Type: This is the entitlement's type. Some sources support multiple types, each with a different attribute schema.

Identity Security Cloud uses entitlements in many features, including the following:

  • Certifications: Entitlements can be revoked from an identity that no longer needs them.

  • Roles: Roles can group access profiles which themselves group entitlements. You can grant and revoke access on a broad level with roles. Role membership criteria can grant roles to identities based on whether they have certain entitlements or attributes.

  • Access Profiles: Access profiles group entitlements. They are the most important units of access in Identity Security Cloud. Identity Security Cloud uses them in provisioning, certifications, and access requests, and administrators can configure them to grant very broad or very granular access.

You cannot delete entitlements directly from Identity Security Cloud. Entitlements are deleted based on their inclusion in aggregations.

Refer to Deleting Entitlements more information about deleting entitlements.

Refer to Entitlements for more information about entitlements.

All URIs are relative to https://sailpoint.api.identitynow.com/v2024

MethodHTTP requestDescription
New-V2024AccessModelMetadataForEntitlementPOST /entitlements/{id}/access-model-metadata/{attributeKey}/values/{attributeValue}Add metadata to an entitlement.
Remove-V2024AccessModelMetadataFromEntitlementDELETE /entitlements/{id}/access-model-metadata/{attributeKey}/values/{attributeValue}Remove metadata from an entitlement.
Get-V2024EntitlementGET /entitlements/{id}Get an entitlement
Get-V2024EntitlementRequestConfigGET /entitlements/{id}/entitlement-request-configGet Entitlement Request Config
Import-V2024EntitlementsBySourcePOST /entitlements/aggregate/sources/{id}Aggregate Entitlements
Get-V2024EntitlementChildrenGET /entitlements/{id}/childrenList of entitlements children
Get-V2024EntitlementParentsGET /entitlements/{id}/parentsList of entitlements parents
Get-V2024EntitlementsGET /entitlementsGets a list of entitlements.
Update-V2024EntitlementPATCH /entitlements/{id}Patch an entitlement
Send-V2024EntitlementRequestConfigPUT /entitlements/{id}/entitlement-request-configReplace Entitlement Request Config
Reset-V2024SourceEntitlementsPOST /entitlements/reset/sources/{id}Reset Source Entitlements
Update-V2024EntitlementsInBulkPOST /entitlements/bulk-updateBulk update an entitlement list

create-access-model-metadata-for-entitlement

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

Add single Access Model Metadata to an entitlement.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueThe entitlement id.
PathAttributeKeyStringTrueTechnical name of the Attribute.
PathAttributeValueStringTrueTechnical name of the Attribute Value.
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.

Return type

Entitlement

Responses

CodeDescriptionData Type
200OKEntitlement
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808c74ff913f0175097daa9d59cd" # String | The entitlement id.
$AttributeKey = "iscPrivacy" # String | Technical name of the Attribute.
$AttributeValue = "public" # String | Technical name of the Attribute Value.
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")

# Add metadata to an entitlement.

try {
New-V2024AccessModelMetadataForEntitlement -Id $Id -AttributeKey $AttributeKey -AttributeValue $AttributeValue -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# New-V2024AccessModelMetadataForEntitlement -Id $Id -AttributeKey $AttributeKey -AttributeValue $AttributeValue -XSailPointExperimental $XSailPointExperimental
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling New-V2024AccessModelMetadataForEntitlement"
Write-Host $_.ErrorDetails
}

[Back to top]

delete-access-model-metadata-from-entitlement

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

Remove single Access Model Metadata from an entitlement.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueThe entitlement id.
PathAttributeKeyStringTrueTechnical name of the Attribute.
PathAttributeValueStringTrueTechnical name of the Attribute Value.
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.

Return type

(empty response body)

Responses

CodeDescriptionData Type
200OK
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808c74ff913f0175097daa9d59cd" # String | The entitlement id.
$AttributeKey = "iscPrivacy" # String | Technical name of the Attribute.
$AttributeValue = "public" # String | Technical name of the Attribute Value.
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")

# Remove metadata from an entitlement.

try {
Remove-V2024AccessModelMetadataFromEntitlement -Id $Id -AttributeKey $AttributeKey -AttributeValue $AttributeValue -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Remove-V2024AccessModelMetadataFromEntitlement -Id $Id -AttributeKey $AttributeKey -AttributeValue $AttributeValue -XSailPointExperimental $XSailPointExperimental
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Remove-V2024AccessModelMetadataFromEntitlement"
Write-Host $_.ErrorDetails
}

[Back to top]

get-entitlement

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API returns an entitlement by its ID.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueThe entitlement ID
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.

Return type

Entitlement

Responses

CodeDescriptionData Type
200An entitlementEntitlement
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
404Not Found - returned if the request URL refers to a resource or object that does not existErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808874ff91550175097daaec161c" # String | The entitlement ID
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")

# Get an entitlement

try {
Get-V2024Entitlement -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Get-V2024Entitlement -Id $Id -XSailPointExperimental $XSailPointExperimental
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024Entitlement"
Write-Host $_.ErrorDetails
}

[Back to top]

get-entitlement-request-config

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API returns the entitlement request config for a specified entitlement.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueEntitlement Id
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.

Return type

EntitlementRequestConfig

Responses

CodeDescriptionData Type
200An Entitlement Request ConfigEntitlementRequestConfig
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
404Not Found - returned if the request URL refers to a resource or object that does not existErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808874ff91550175097daaec161c" # String | Entitlement Id
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")

# Get Entitlement Request Config

try {
Get-V2024EntitlementRequestConfig -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Get-V2024EntitlementRequestConfig -Id $Id -XSailPointExperimental $XSailPointExperimental
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024EntitlementRequestConfig"
Write-Host $_.ErrorDetails
}

[Back to top]

import-entitlements-by-source

deprecated

This endpoint has been deprecated and may be replaced or removed in future versions of the API.

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

Starts an entitlement aggregation on the specified source. Though this endpoint has been deprecated, you can find its Beta equivalent here.

If the target source is a direct connection, then the request body must be empty. You will also need to make sure the Content-Type header is not set. If you set the Content-Type header without specifying a body, then you will receive a 500 error.

If the target source is a delimited file source, then the CSV file needs to be included in the request body. You will also need to set the Content-Type header to multipart/form-data.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueSource Id
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
CsvFileSystem.IO.FileInfo(optional)The CSV file containing the source entitlements to aggregate.

Return type

LoadEntitlementTask

Responses

CodeDescriptionData Type
202Aggregate Entitlements TaskLoadEntitlementTask
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: multipart/form-data
  • Accept: application/json

Example

$Id = "ef38f94347e94562b5bb8424a56397d8" # String | Source Id
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$CsvFile = # System.IO.FileInfo | The CSV file containing the source entitlements to aggregate. (optional)

# Aggregate Entitlements

try {
Import-V2024EntitlementsBySource -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Import-V2024EntitlementsBySource -Id $Id -XSailPointExperimental $XSailPointExperimental -CsvFile $CsvFile
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Import-V2024EntitlementsBySource"
Write-Host $_.ErrorDetails
}

[Back to top]

list-entitlement-children

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API returns a list of all child entitlements of a given entitlement.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueEntitlement Id
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
QueryLimitInt32(optional) (default to 250)Max number of results to return. See V3 API Standard Collection Parameters for more information.
QueryOffsetInt32(optional) (default to 0)Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.
QueryCountBoolean(optional) (default to $false)If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used. See V3 API Standard Collection Parameters for more information.
QuerySortersString(optional)Sort results using the standard syntax described in V3 API Standard Collection Parameters Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id
QueryFiltersString(optional)Filter results using the standard syntax described in V3 API Standard Collection Parameters Filtering is supported for the following fields and operators: id: eq, in name: eq, in, sw type: eq, in attribute: eq, in value: eq, in, sw source.id: eq, in requestable: eq created: gt, lt, ge, le modified: gt, lt, ge, le

Return type

Entitlement[]

Responses

CodeDescriptionData Type
200List of entitlements children from an entitlementEntitlement[]
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
404Not Found - returned if the request URL refers to a resource or object that does not existErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808874ff91550175097daaec161c" # String | Entitlement Id
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$Limit = 250 # Int32 | Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to 250)
$Offset = 0 # Int32 | Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to 0)
$Count = $true # Boolean | If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to $false)
$Sorters = "name,-modified" # String | Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **id, name, created, modified, type, attribute, value, source.id** (optional)
$Filters = 'attribute eq "memberOf"' # String | Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **name**: *eq, in, sw* **type**: *eq, in* **attribute**: *eq, in* **value**: *eq, in, sw* **source.id**: *eq, in* **requestable**: *eq* **created**: *gt, lt, ge, le* **modified**: *gt, lt, ge, le* (optional)

# List of entitlements children

try {
Get-V2024EntitlementChildren -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Get-V2024EntitlementChildren -Id $Id -XSailPointExperimental $XSailPointExperimental -Limit $Limit -Offset $Offset -Count $Count -Sorters $Sorters -Filters $Filters
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024EntitlementChildren"
Write-Host $_.ErrorDetails
}

[Back to top]

list-entitlement-parents

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API returns a list of all parent entitlements of a given entitlement.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueEntitlement Id
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
QueryLimitInt32(optional) (default to 250)Max number of results to return. See V3 API Standard Collection Parameters for more information.
QueryOffsetInt32(optional) (default to 0)Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.
QueryCountBoolean(optional) (default to $false)If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used. See V3 API Standard Collection Parameters for more information.
QuerySortersString(optional)Sort results using the standard syntax described in V3 API Standard Collection Parameters Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id
QueryFiltersString(optional)Filter results using the standard syntax described in V3 API Standard Collection Parameters Filtering is supported for the following fields and operators: id: eq, in name: eq, in, sw type: eq, in attribute: eq, in value: eq, in, sw source.id: eq, in requestable: eq created: gt, lt, ge, le modified: gt, lt, ge, le

Return type

Entitlement[]

Responses

CodeDescriptionData Type
200List of entitlements parents from an entitlementEntitlement[]
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
404Not Found - returned if the request URL refers to a resource or object that does not existErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808c74ff913f0175097daa9d59cd" # String | Entitlement Id
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$Limit = 250 # Int32 | Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to 250)
$Offset = 0 # Int32 | Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to 0)
$Count = $true # Boolean | If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to $false)
$Sorters = "name,-modified" # String | Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **id, name, created, modified, type, attribute, value, source.id** (optional)
$Filters = 'attribute eq "memberOf"' # String | Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **name**: *eq, in, sw* **type**: *eq, in* **attribute**: *eq, in* **value**: *eq, in, sw* **source.id**: *eq, in* **requestable**: *eq* **created**: *gt, lt, ge, le* **modified**: *gt, lt, ge, le* (optional)

# List of entitlements parents

try {
Get-V2024EntitlementParents -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Get-V2024EntitlementParents -Id $Id -XSailPointExperimental $XSailPointExperimental -Limit $Limit -Offset $Offset -Count $Count -Sorters $Sorters -Filters $Filters
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024EntitlementParents"
Write-Host $_.ErrorDetails
}

[Back to top]

list-entitlements

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API returns a list of entitlements.

This API can be used in one of the two following ways: either getting entitlements for a specific account-id, or getting via use of filters (those two options are exclusive).

Any authenticated token can call this API.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
QueryAccountIdString(optional)The account ID. If specified, returns only entitlements associated with the given Account. Cannot be specified with the filters, segmented-for-identity, for-segment-ids, or include-unsegmented param(s).
QuerySegmentedForIdentityString(optional)If present and not empty, additionally filters Entitlements to those which are assigned to the Segment(s) which are visible to the Identity with the specified ID. By convention, the value me can stand in for the current user's Identity ID. Cannot be specified with the account-id or for-segment-ids param(s). It is also illegal to specify a value that refers to a different user's Identity.
QueryForSegmentIdsString(optional)If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs. Cannot be specified with the account-id or segmented-for-identity param(s).
QueryIncludeUnsegmentedBoolean(optional) (default to $true)Whether or not the response list should contain unsegmented Entitlements. If for-segment-ids and segmented-for-identity are both absent or empty, specifying include-unsegmented=false results in an error.
QueryOffsetInt32(optional) (default to 0)Offset into the full result set. Usually specified with limit to paginate through the results. See V3 API Standard Collection Parameters for more information.
QueryLimitInt32(optional) (default to 250)Max number of results to return. See V3 API Standard Collection Parameters for more information.
QueryCountBoolean(optional) (default to $false)If true it will populate the X-Total-Count response header with the number of results that would be returned if limit and offset were ignored. Since requesting a total count can have a performance impact, it is recommended not to send count=true if that value will not be used. See V3 API Standard Collection Parameters for more information.
QuerySortersString(optional)Sort results using the standard syntax described in V3 API Standard Collection Parameters Sorting is supported for the following fields: id, name, created, modified, type, attribute, value, source.id, requestable
QueryFiltersString(optional)Filter results using the standard syntax described in V3 API Standard Collection Parameters Filtering is supported for the following fields and operators: id: eq, in name: eq, in, sw type: eq, in attribute: eq, in value: eq, in, sw source.id: eq, in requestable: eq created: gt, lt, ge, le modified: gt, lt, ge, le owner.id: eq, in

Return type

Entitlement[]

Responses

CodeDescriptionData Type
200List of entitlementsEntitlement[]
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$AccountId = "ef38f94347e94562b5bb8424a56397d8" # String | The account ID. If specified, returns only entitlements associated with the given Account. Cannot be specified with the **filters**, **segmented-for-identity**, **for-segment-ids**, or **include-unsegmented** param(s). (optional)
$SegmentedForIdentity = "me" # String | If present and not empty, additionally filters Entitlements to those which are assigned to the Segment(s) which are visible to the Identity with the specified ID. By convention, the value **me** can stand in for the current user's Identity ID. Cannot be specified with the **account-id** or **for-segment-ids** param(s). It is also illegal to specify a value that refers to a different user's Identity. (optional)
$ForSegmentIds = "041727d4-7d95-4779-b891-93cf41e98249,a378c9fa-bae5-494c-804e-a1e30f69f649" # String | If present and not empty, additionally filters Access Profiles to those which are assigned to the Segment(s) with the specified IDs. Cannot be specified with the **account-id** or **segmented-for-identity** param(s). (optional)
$IncludeUnsegmented = $true # Boolean | Whether or not the response list should contain unsegmented Entitlements. If **for-segment-ids** and **segmented-for-identity** are both absent or empty, specifying **include-unsegmented=false** results in an error. (optional) (default to $true)
$Offset = 0 # Int32 | Offset into the full result set. Usually specified with *limit* to paginate through the results. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to 0)
$Limit = 250 # Int32 | Max number of results to return. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to 250)
$Count = $true # Boolean | If *true* it will populate the *X-Total-Count* response header with the number of results that would be returned if *limit* and *offset* were ignored. Since requesting a total count can have a performance impact, it is recommended not to send **count=true** if that value will not be used. See [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters) for more information. (optional) (default to $false)
$Sorters = "name,-modified" # String | Sort results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#sorting-results) Sorting is supported for the following fields: **id, name, created, modified, type, attribute, value, source.id, requestable** (optional)
$Filters = 'attribute eq "memberOf"' # String | Filter results using the standard syntax described in [V3 API Standard Collection Parameters](https://developer.sailpoint.com/idn/api/standard-collection-parameters#filtering-results) Filtering is supported for the following fields and operators: **id**: *eq, in* **name**: *eq, in, sw* **type**: *eq, in* **attribute**: *eq, in* **value**: *eq, in, sw* **source.id**: *eq, in* **requestable**: *eq* **created**: *gt, lt, ge, le* **modified**: *gt, lt, ge, le* **owner.id**: *eq, in* (optional)

# Gets a list of entitlements.

try {
Get-V2024Entitlements -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Get-V2024Entitlements -XSailPointExperimental $XSailPointExperimental -AccountId $AccountId -SegmentedForIdentity $SegmentedForIdentity -ForSegmentIds $ForSegmentIds -IncludeUnsegmented $IncludeUnsegmented -Offset $Offset -Limit $Limit -Count $Count -Sorters $Sorters -Filters $Filters
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Get-V2024Entitlements"
Write-Host $_.ErrorDetails
}

[Back to top]

patch-entitlement

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API updates an existing entitlement using JSON Patch syntax.

The following fields are patchable: requestable, privileged, segments, owner, name, description, and manuallyUpdatedFields

When you're patching owner, only owner type and owner id must be provided. Owner name is optional, and it won't be modified. If the owner name is provided, it should correspond to the real name. The only owner type currently supported is IDENTITY.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueID of the entitlement to patch
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
BodyJsonPatchOperation[]JsonPatchOperation(optional)

Return type

Entitlement

Responses

CodeDescriptionData Type
200Responds with the entitlement as updated.Entitlement
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
404Not Found - returned if the request URL refers to a resource or object that does not existErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: application/json-patch+json
  • Accept: application/json

Example

$Id = "2c91808a7813090a017814121e121518" # String | ID of the entitlement to patch
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$JsonPatchOperation = @"{
"op" : "replace",
"path" : "/description",
"value" : "New description"
}"@ # JsonPatchOperation[] | (optional)


# Patch an entitlement

try {
Update-V2024Entitlement -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Update-V2024Entitlement -Id $Id -XSailPointExperimental $XSailPointExperimental -JsonPatchOperation $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Update-V2024Entitlement"
Write-Host $_.ErrorDetails
}

[Back to top]

put-entitlement-request-config

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

This API replaces the entitlement request config for a specified entitlement.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueEntitlement ID
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
BodyEntitlementRequestConfigEntitlementRequestConfigTrue

Return type

EntitlementRequestConfig

Responses

CodeDescriptionData Type
200Responds with the entitlement request config as updated.EntitlementRequestConfig
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
404Not Found - returned if the request URL refers to a resource or object that does not existErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: application/json
  • Accept: application/json

Example

$Id = "2c91808a7813090a017814121e121518" # String | Entitlement ID
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$EntitlementRequestConfig = @"{
"requestCommentsRequired" : false,
"deniedCommentsRequired" : false,
"allowEntitlementRequest" : true,
"grantRequestApprovalSchemes" : "entitlementOwner, sourceOwner, manager, workgroup:2c918084660f45d6016617daa9210584"
}"@

# Replace Entitlement Request Config

try {
$Result = ConvertFrom-JsonToEntitlementRequestConfig -Json $EntitlementRequestConfig
Send-V2024EntitlementRequestConfig -Id $Id -XSailPointExperimental $XSailPointExperimental -EntitlementRequestConfig $Result

# Below is a request that includes all optional parameters
# Send-V2024EntitlementRequestConfig -Id $Id -XSailPointExperimental $XSailPointExperimental -EntitlementRequestConfig $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Send-V2024EntitlementRequestConfig"
Write-Host $_.ErrorDetails
}

[Back to top]

reset-source-entitlements

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

Remove all entitlements from a specific source. To reload the accounts along with the entitlements you removed, you must run an unoptimized aggregation. To do so, use Account Aggregation with disableOptimization = true.

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
PathIdStringTrueID of source for the entitlement reset
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.

Return type

EntitlementSourceResetBaseReferenceDto

Responses

CodeDescriptionData Type
202Entitlement source reset task resultEntitlementSourceResetBaseReferenceDto
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: Not defined
  • Accept: application/json

Example

$Id = "2c91808a7813090a017814121919ecca" # String | ID of source for the entitlement reset
$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")

# Reset Source Entitlements

try {
Reset-V2024SourceEntitlements -Id $Id -XSailPointExperimental $XSailPointExperimental

# Below is a request that includes all optional parameters
# Reset-V2024SourceEntitlements -Id $Id -XSailPointExperimental $XSailPointExperimental
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Reset-V2024SourceEntitlements"
Write-Host $_.ErrorDetails
}

[Back to top]

update-entitlements-in-bulk

experimental

This API is currently in an experimental state. The API is subject to change based on feedback and further testing. You must include the X-SailPoint-Experimental header and set it to true to use this endpoint.

"This API applies an update to every entitlement of the list.\n\nThe
\ number of entitlements to update is limited to 50 items maximum.\n\nThe JsonPatch
\ update follows the JSON Patch standard.
\ allowed operations : **{ \"op\": \"replace\", \"path\": \"/privileged\", \"\ value\": boolean }** **{ \"op\": \"replace\", \"path\": \"/requestable\",\"value\"\ : boolean }**"

API Spec

Parameters

Param TypeNameData TypeRequiredDescription
XSailPointExperimentalStringTrue (default to "true")Use this header to enable this experimental API.
BodyEntitlementBulkUpdateRequestEntitlementBulkUpdateRequestTrue

Return type

(empty response body)

Responses

CodeDescriptionData Type
204No content - indicates the request was successful but there is no content to be returned in the response.
400Client Error - Returned if the request body is invalid.ErrorResponseDto
401Unauthorized - Returned if there is no authorization header, or if the JWT token is expired.ListAccessProfiles401Response
403Forbidden - Returned if the user you are running as, doesn't have access to this end-point.ErrorResponseDto
429Too Many Requests - Returned in response to too many requests in a given period of time - rate limited. The Retry-After header in the response includes how long to wait before trying again.ListAccessProfiles429Response
500Internal Server Error - Returned if there is an unexpected error.ErrorResponseDto

HTTP request headers

  • Content-Type: application/json
  • Accept: application/json

Example

$XSailPointExperimental = "true" # String | Use this header to enable this experimental API. (default to "true")
$EntitlementBulkUpdateRequest = @"{
"entitlementIds" : [ "2c91808a7624751a01762f19d665220d", "2c91808a7624751a01762f19d67c220e", "2c91808a7624751a01762f19d692220f" ],
"jsonPatch" : [ {
"op" : "replace",
"path" : "/privileged",
"value" : false
}, {
"op" : "replace",
"path" : "/requestable",
"value" : false
} ]
}"@

# Bulk update an entitlement list

try {
$Result = ConvertFrom-JsonToEntitlementBulkUpdateRequest -Json $EntitlementBulkUpdateRequest
Update-V2024EntitlementsInBulk -XSailPointExperimental $XSailPointExperimental -EntitlementBulkUpdateRequest $Result

# Below is a request that includes all optional parameters
# Update-V2024EntitlementsInBulk -XSailPointExperimental $XSailPointExperimental -EntitlementBulkUpdateRequest $Result
} catch {
Write-Host $_.Exception.Response.StatusCode.value__ "Exception occurred when calling Update-V2024EntitlementsInBulk"
Write-Host $_.ErrorDetails
}

[Back to top]