SAILPOINT IDENTITY IQ: SQL

Showing posts with label SQL. Show all posts

Monday, October 4, 2021

Sailpoint Identity IQ SQL Query to get the Users Details for Identity Having Multiple Account in same Application

SQL Query to get the Users Having multiple Account in Same Application

Select count(*) ,
SPT_APPLICATION.NAME AS APPLICATION_NAME ,
SPT_IDENTITY.name AS IDENTITY_NAME , 
SPT_IDENTITY.ID AS IDENTITY_ID , 
SPT_APPLICATION.ID AS APPLICATION_ID
from SPT_LINK , SPT_IDENTITY , SPT_APPLICATION 
where 
SPT_IDENTITY.ID=SPT_LINK.IDENTITY_ID and
SPT_APPLICATION.ID=SPT_LINK.APPLICATION and 
SPT_IDENTITY.CORRELATED=1 and 
SPT_APPLICATION.NAME not in ('Active Directory Corp')
--and SPT_IDENTITY.NAME like 'VKEJRIWAL'
group by SPT_IDENTITY.name , SPT_APPLICATION.NAME  ,SPT_IDENTITY.ID , SPT_APPLICATION.ID
HAVING COUNT(*)>1
order by SPT_APPLICATION.NAME ,SPT_IDENTITY.name

Query to get the Status of above Account

SELECT SPT_LINK.NATIVE_IDENTITY ,VIS_TEMP.APPLICATION_NAME,EXP_TEMP.IDENTITY_NAME,
SPT_LINK.DISPLAY_NAME ,EXP_TEMP.IDENTITY_ID,EXP_TEMP.APPLICATION_ID,
EXTRACT(xmltype(ATTRIBUTES),'/Attributes/Map/entry[@key=''IIQDisabled'']/value') AS STATUS
from SPT_LINK , VIS_TEMP
where SPT_LINK.IDENTITY_ID=VIS_TEMP.IDENTITY_ID
and SPT_LINK.APPLICATION=VIS_TEMP.APPLICATION_ID
--and  EXP_TEMP.IDENTITY_NAME like 'VKEJRIWAL'

SQL Query to get Entitlement tied to above Accounts

Select 
VIS_TEMP.APPLICATION_NAME,
VIS_TEMP.IDENTITY_NAME,
SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY,
SPT_IDENTITY_ENTITLEMENT.DISPLAY_NAME,
VIS_TEMP.IDENTITY_ID ,
SPT_MANAGED_ATTRIBUTE.VALUE,

from SPT_IDENTITY_ENTITLEMENT,VIS_TEMP,SPT_MANAGED_ATTRIBUTE, SPT_APPLICATION
where
SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID=VIS_TEMP.IDENTITY_ID
and SPT_MANAGED_ATTRIBUTE.VALUE=SPT_IDENTITY_ENTITLEMENT.VALUE
and SPT_MANAGED_ATTRIBUTE.APPLICATION=SPT_IDENTITY_ENTITLEMENT.APPLICATION
and SPT_APPLICATION.ID=SPT_MANAGED_ATTRIBUTE.APPLICATION
and SPT_APPLICATION.ID=SPT_IDENTITY_ENTITLEMENT.APPLICATION
and SPT_APPLICATION.NAME=VIS_TEMP.APPLICATION_NAME

order by VIS_TEMP.IDENTITY_NAME,VIS_TEMP.APPLICATION_NAME

Thursday, February 13, 2020

Sailpoint IIQ List of Role Mapped for Entitlement API DB Query

SQL to get the list of Business IT Role in Sailpoint IIQ which is mapped for the particular Entitlement

select bun.id,bun.type,bun.name,bun.display_name,bun.requestable,
prof_cons.ELT
from spt_bundle bun,spt_profile profile,spt_profile_constraints prof_cons,spt_bundle_requirements bun_req
where bun.id=profile.bundle_id and
profile.id=prof_cons.profile and
bun_req.child = bun.id
and prof_cons.ELT like '%%'

JAVA API to get the list of Business IT Role in Sailpoint IIQ which is mapped for the particular Entitlement

String appName="Active Directory";
String entitlementName = "CN=blah, etc, etc";
QueryOptions profileQo = new QueryOptions();
profileQo.addFilter(Filter.eq("application.name", appName));

List profiles = context.getObjects(Profile.class, profileQo);
if (profiles != null) {
    for (Object profileObj : profiles) {
        Profile p = (Profile) profileObj;
        List constraints = p.getConstraints();
        List filterList = null;
        if (constraints != null) {
            for (Object filter : constraints) {
                filterList = new ArrayList();
                if (filter instanceof sailpoint.object.Filter.LeafFilter) {
                    sailpoint.object.Filter.LeafFilter f = (sailpoint.object.Filter.LeafFilter) filter;
                    //Filter can have multiple values 
                    Object value = f.getValue();
                    if (value instanceof ArrayList) {
                        ArrayList entitlements = new ArrayList();
                        entitlements = (ArrayList) value;
                        for (Object obj : entitlements) {
                            if (obj.toString().equals(entitlementName)) {
                                Bundle bun = p.getBundle();
                                // Do something with the Bundle here
                            }
                        }
                    }
                }
            }
        }
    }
}

Tuesday, February 11, 2020

Sailpoint IIQ - Item was revoked but has not been removed - Items database query

Many time in certification we see the message "Item was revoked but has not been removed.", this comes when the certifier takes the action on the item and either it get failed (in case of the connected system) or have generated the Workitem or ticket and the file is not aggregated back . below is the query which gives the information of the such items such as the identity , entitlement name , application to which this entitlement belongs , native identity of the user for the application and date on which the certifer took the action .

This query can we further modified to get more information

SELECT 
SPT_IDENTITY.NAME,
SPT_IDENTITY_ENTITLEMENT.VALUE,
SPT_CERTIFICATION_ITEM.EXCEPTION_APPLICATION,
SPT_PROVISIONING_TRANSACTION.STATUS,
SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY,
SPT_CERTIFICATION_ACTION.STATUS,
( To_date('1970-01-01 00', 'yyyy-mm-dd hh24') + ( SPT_CERTIFICATION_ACTION.DECISION_DATE) / 1000 / 60 / 60 / 24 )                    AS "CERT_DECISION_DATE" 
FROM 
  SPT_IDENTITY_ENTITLEMENT,
  SPT_CERTIFICATION_ITEM,
  SPT_CERTIFICATION_ACTION,
  SPT_IDENTITY,
  SPT_APPLICATION,
  SPT_MANAGED_ATTRIBUTE,
  SPT_CERTIFICATION_ENTITY,
  SPT_PROVISIONING_TRANSACTION
WHERE 
CERTIFICATION_ITEM IS NOT NULL
AND SPT_CERTIFICATION_ITEM.ID=SPT_IDENTITY_ENTITLEMENT.CERTIFICATION_ITEM
AND SPT_CERTIFICATION_ACTION.ID=SPT_CERTIFICATION_ITEM.ACTION
AND SPT_CERTIFICATION_ACTION.STATUS='Remediated'
AND SPT_IDENTITY.ID=SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID
AND SPT_CERTIFICATION_ITEM.EXCEPTION_APPLICATION=SPT_APPLICATION.NAME
AND SPT_MANAGED_ATTRIBUTE.APPLICATION=SPT_APPLICATION.ID
AND SPT_MANAGED_ATTRIBUTE.VALUE=SPT_IDENTITY_ENTITLEMENT.VALUE 
AND SPT_CERTIFICATION_ENTITY.TARGET_ID=SPT_IDENTITY.ID 
AND SPT_CERTIFICATION_ENTITY.CERTIFICATION_ID=SPT_PROVISIONING_TRANSACTION.CERTIFICATION_ID 
AND SPT_PROVISIONING_TRANSACTION.SOURCE='Certification' 
AND SPT_PROVISIONING_TRANSACTION.application_NAME=SPT_APPLICATION.NAME 
AND SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY=SPT_PROVISIONING_TRANSACTION.NATIVE_IDENTITY

Sunday, January 12, 2020

Sailpoint Identity IQ SQL Quicklink Dynamic Scope and Quicklink Details

This query is used to get the details about the Quicklink Population (Dynamic Scope) , Quicklink and the condition for each population ,

the scope for the membership criteria and also the scope for the entitlement , Application and Role.

select SPT_DYNAMIC_SCOPE.NAME AS "Quicklink Population",  
SPT_DYNAMIC_SCOPE.DESCRIPTION AS "Quicklink Population Description",
SPT_DYNAMIC_SCOPE.ALLOW_ALL AS "Membership is ALL",
SPT_DYNAMIC_SCOPE.SELECTOR AS "Membership criteria",
SPT_DYNAMIC_SCOPE.POPULATION_REQUEST_AUTHORITY AS "Who can members request for",
SPT_DYNAMIC_SCOPE.ROLE_REQUEST_CONTROL AS "What can request Role",
SPT_DYNAMIC_SCOPE.APPLICATION_REQUEST_CONTROL AS "What can request Application",
SPT_DYNAMIC_SCOPE.MANAGED_ATTR_REQUEST_CONTROL AS "What can request Entitlements",
SPT_QUICK_LINK.NAME AS "Quicklink Name",
SPT_QUICK_LINK.CATEGORY AS "Quicklink Category",
SPT_QUICK_LINK.ACTION AS "Quicklink Action",
SPT_QUICK_LINK.ARGUMENTS,
SPT_QUICK_LINK_OPTIONS.ALLOW_BULK,
SPT_QUICK_LINK_OPTIONS.ALLOW_OTHER,
SPT_QUICK_LINK_OPTIONS.ALLOW_SELF,
SPT_QUICK_LINK_OPTIONS.OPTIONS
from SPT_DYNAMIC_SCOPE , SPT_QUICK_LINK ,SPT_QUICK_LINK_OPTIONS
where SPT_DYNAMIC_SCOPE.id=SPT_QUICK_LINK_OPTIONS.DYNAMIC_SCOPE 
and SPT_QUICK_LINK_OPTIONS.QUICK_LINK=SPT_QUICK_LINK.ID
and SPT_QUICK_LINK.NAME = 'Request Access'

SPT_DYNAMIC_SCOPE - Quicklink Population Deatils

SPT_QUICK_LINK  - Quciklink Details

SPT_QUICK_LINK_OPTIONS - QuickLink options for each quicklink

Monday, September 9, 2019

SQL ACCESS REVIEW CERTIFICATION ACTION ITEMS DETAILS SAILPOINT IDENTITY IQ


This query is used to get the details about the Access Review , Certification which is generated and will give all the details 
for all the items for which the action is already taken.

SELECT SPT_CERTIFICATION.ID AS "CERT_ID",
   (
      TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (SPT_CERTIFICATION.ACTIVATED) / 1000 / 60 / 60 / 24
   )
   AS "CREATE DATE",
   (
      TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (SPT_CERTIFICATION.EXPIRATION) / 1000 / 60 / 60 / 24
   )
   AS "EXPIRATION DATE",
   (
      TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (SPT_CERTIFICATION.SIGNED) / 1000 / 60 / 60 / 24
   )
   AS "SIGNED DATE",
  SPT_CERTIFICATION.SHORT_NAME AS "CERT_NAME",
  SPT_CERTIFICATION_ITEM.SUMMARY_STATUS AS "CERT_STATUS",
  SPT_CERTIFICATION.MANAGER AS "CERT_ASSIGNED_TO_ID",
  SPT_IDENTITY.EMAIL AS "CERT_ASSIGNED_TO_EMAIL",
  SPT_IDENTITY.DISPLAY_NAME AS "CERT_ASSIGNED_TO_NAME",
  
  user2.DISPLAY_NAME AS "MANAGER_DISPLAY_NAME",
  USER2.EMAIL AS "MANAGER_EMAIL",
  
  SPT_CERTIFICATION_ENTITY.TARGET_NAME AS "USER_ID",
  SPT_CERTIFICATION_ENTITY.TARGET_DISPLAY_NAME AS "USER_DISPLAY_NAME",
  SPT_CERTIFICATION_ENTITY.FIRSTNAME AS "USER_FIRST_NAME",
  SPT_CERTIFICATION_ENTITY.LASTNAME AS "USER_LAST_NAME",
  user1.EMAIL AS "USER_EMAIL",
  
  SPT_CERTIFICATION.TOTAL_ENTITIES,
  SPT_CERTIFICATION.EXCLUDED_ENTITIES,
  SPT_CERTIFICATION.COMPLETED_ENTITIES,
  SPT_CERTIFICATION.PERCENT_COMPLETE,
  SPT_CERTIFICATION.CERTIFIED_ENTITIES,
  SPT_CERTIFICATION.TOTAL_ITEMS,
  SPT_CERTIFICATION.EXCLUDED_ITEMS,
  SPT_CERTIFICATION.COMPLETED_ITEMS,
  SPT_CERTIFICATION.ITEM_PERCENT_COMPLETE,
  SPT_CERTIFICATION.CERTIFIED_ITEMS,
  SPT_CERTIFICATION.REMEDIATIONS_KICKED_OFF,
  SPT_CERTIFICATION.REMEDIATIONS_COMPLETED,
   (
      TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (SPT_CERTIFICATION.MODIFIED) / 1000 / 60 / 60 / 24
   )
   AS "CERT_UPDATE_DATE",
   
  SPT_CERTIFICATION_ITEM.EXCEPTION_APPLICATION AS "ACCOUNT_APPLICATION_NAME",
  SPT_CERTIFICATION_ITEM.EXCEPTION_ATTRIBUTE_NAME AS "RECORD_TYPE",
  SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY AS "ACCOUNT_NAME",
  SPT_CERTIFICATION_ITEM.EXCEPTION_ATTRIBUTE_VALUE AS "ACCOUNT_ENTITLEMENT_NAME",
  SPT_CERTIFICATION_ACTION.STATUS AS "CERT_DECISION",
  SPT_CERTIFICATION_ACTION.DESCRIPTION AS "CERT_DECISION_COMMENTS",
  SPT_CERTIFICATION_ACTION.REMEDIATION_ACTION AS "REMEDIATION_ACTION",
  TO_CHAR(SPT_CERTIFICATION_ACTION.REMEDIATION_DETAILS) AS "REMEDIATION_DETAILS",
   (
      TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (SPT_CERTIFICATION_ACTION.DECISION_DATE) / 1000 / 60 / 60 / 24
   )
   AS "CERT_DECISION_DATE",
  TO_CHAR(Regexp_substr(SPT_CERTIFICATION_ACTION.REMEDIATION_DETAILS, 'requestID="(.*?)"\sstatus', 1, 1, NULL, 1)) AS TICKET,
  TO_CHAR(Regexp_substr(SPT_CERTIFICATION_ACTION.REMEDIATION_DETAILS, 'status="(.*?)"\/', 1, 1, NULL, 1)) AS TICKET_STATUS,
  SPT_CERTIFICATION_ITEM.ACTION AS "ACTION"
FROM SPT_CERTIFICATION_ENTITY,
  SPT_CERTIFICATION,
  SPT_CERTIFICATION_ITEM,
  SPT_IDENTITY,
  SPT_CERTIFICATION_ACTION,
  SPT_IDENTITY user1,
  SPT_IDENTITY user2,
  SPT_IDENTITY_ENTITLEMENT,
  SPT_APPLICATION
WHERE SPT_CERTIFICATION_ENTITY.CERTIFICATION_ID = SPT_CERTIFICATION.ID
  AND SPT_CERTIFICATION_ITEM.CERTIFICATION_ENTITY_ID = SPT_CERTIFICATION_ENTITY.ID
  AND SPT_IDENTITY.NAME = SPT_CERTIFICATION.MANAGER
  AND SPT_CERTIFICATION_ACTION.ID = SPT_CERTIFICATION_ITEM.ACTION
  AND SPT_CERTIFICATION_ENTITY.TARGET_NAME = user1.NAME
  AND user1.MANAGER = user2.ID
  AND SPT_CERTIFICATION_ITEM.EXCEPTION_APPLICATION = SPT_APPLICATION.NAME
  AND SPT_CERTIFICATION_ITEM.EXCEPTION_ATTRIBUTE_VALUE = SPT_IDENTITY_ENTITLEMENT.VALUE
  AND user1.ID = SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID
  AND SPT_APPLICATION.ID = SPT_IDENTITY_ENTITLEMENT.APPLICATION

Friday, August 30, 2019

SQL ACCESS REVIEW CERTIFICATION DETAILS SAILPOINT IDENTITY IQ

This Query can be used to get the Access review details which is assigned to the Reviewer. This will contain the basic information of the Access Review and will not contain any information related to the identity details which is to be reviewed.

SELECT
SPT_CERTIFICATION_DEFINITION.NAME AS "CERTIFICATION DEFINITION NAME",
SHORT_NAME AS "CERTIFICATION NAME",
(
TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (ACTIVATED) / 1000 / 60 / 60 / 24
)
AS "CREATE DATE",
(
TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (EXPIRATION) / 1000 / 60 / 60 / 24
)
AS "EXPIRATION DATE",
(
TO_DATE('1970-01-01 00', 'YYYY-MM-DD HH24') + (SIGNED) / 1000 / 60 / 60 / 24
)
AS "SIGNED DATE",
SPT_CERTIFICATION.MANAGER AS "ASSIGNED TO USER",
SPT_IDENTITY.EMAIL AS "ASSIGNED USER EMAIL",
SPT_CERTIFICATION.TOTAL_ENTITIES AS "TOTAL IDENTITY INCLUDED",
SPT_CERTIFICATION.EXCLUDED_ENTITIES AS "TOTAL IDENTITY EXCLUDED",
SPT_CERTIFICATION.COMPLETED_ENTITIES AS "COUNT ACTION TAKEN ON IDENTITY",
SPT_CERTIFICATION.PERCENT_COMPLETE AS "PERCENTAGE ACTION TAKEN ON IDENTITY",
SPT_CERTIFICATION.CERTIFIED_ENTITIES,
SPT_CERTIFICATION.TOTAL_ITEMS AS "TOTAL ITEMS ASSIGNED",
SPT_CERTIFICATION.EXCLUDED_ITEMS AS "TOTAL ITEMS EXCLUDED",
SPT_CERTIFICATION.COMPLETED_ITEMS AS "COUNT ACTION TAKEN ON ITEM",
SPT_CERTIFICATION.ITEM_PERCENT_COMPLETE AS "PERCENTAGE ACTION TAKEN ON ITEM",
SPT_CERTIFICATION.CERTIFIED_ITEMS,
SPT_CERTIFICATION.REMEDIATIONS_KICKED_OFF,
SPT_CERTIFICATION.REMEDIATIONS_COMPLETED
FROM
SPT_CERTIFICATION,
SPT_IDENTITY,
SPT_CERTIFICATION_GROUPS,
SPT_CERTIFICATION_GROUP,
SPT_CERTIFICATION_DEFINITION
WHERE
SPT_IDENTITY.NAME = SPT_CERTIFICATION.MANAGER
AND SPT_CERTIFICATION_DEFINITION.ID = SPT_CERTIFICATION_GROUP.CERTIFICATION_DEFINITION
AND SPT_CERTIFICATION_GROUP.ID = SPT_CERTIFICATION_GROUPS.GROUP_ID
AND SPT_CERTIFICATION_GROUPS.CERTIFICATION_ID = SPT_CERTIFICATION.ID
AND SPT_CERTIFICATION_DEFINITION.ID = SPT_CERTIFICATION.CERTIFICATION_DEFINITION_ID
AND SPT_CERTIFICATION_GROUP.NAME = '<CERTIFICATION NAME>'

Same Query can be modified and can be used to get the data with more details like extended attribute from Identity and other deatils.

SPT_CERTIFICATION_DEFINITION - Certification Definition
SPT_CERTIFICATION_GROUP - Certification Details
SPT_CERTIFICATION_GROUPS - Link Certification and Access Review
SPT_CERTIFICATION - Access Review details doesn't include the Actioned Identity details

Thursday, August 29, 2019

SQL IDENTITY ENTITLEMENT DETAILS SAILPOINT IDENTITY IQ

This will get list of all the Entitlement details for the particular user

Select SPT_IDENTITY.NAME AS "USER ID" ,SPT_APPLICATION.NAME AS "APPLICATION NAME",
SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY AS "ACCOUNT ID",
SPT_IDENTITY_ENTITLEMENT.VALUE AS "ENTITLEMENT VALUE"
from SPT_IDENTITY_ENTITLEMENT ,
SPT_MANAGED_ATTRIBUTE ,
SPT_APPLICATION ,
SPT_IDENTITY
where
SPT_MANAGED_ATTRIBUTE.APPLICATION=SPT_IDENTITY_ENTITLEMENT.APPLICATION and
SPT_MANAGED_ATTRIBUTE.VALUE = SPT_IDENTITY_ENTITLEMENT.VALUE and
SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID = SPT_IDENTITY.ID and
SPT_APPLICATION.ID=SPT_MANAGED_ATTRIBUTE.APPLICATION and
SPT_IDENTITY.CORRELATED ='1' and
SPT_IDENTITY.NAME=<NAME ATTRIBUTE>

This will get list of all the Entitlement details for the all the user's

Select SPT_IDENTITY.NAME AS "USER ID" ,SPT_APPLICATION.NAME AS "APPLICATION NAME",
SPT_IDENTITY_ENTITLEMENT.NATIVE_IDENTITY AS "ACCOUNT ID",
SPT_IDENTITY_ENTITLEMENT.VALUE AS "ENTITLEMENT VALUE"
from SPT_IDENTITY_ENTITLEMENT ,
SPT_MANAGED_ATTRIBUTE ,
SPT_APPLICATION ,
SPT_IDENTITY
where
SPT_MANAGED_ATTRIBUTE.APPLICATION=SPT_IDENTITY_ENTITLEMENT.APPLICATION and
SPT_MANAGED_ATTRIBUTE.VALUE = SPT_IDENTITY_ENTITLEMENT.VALUE and
SPT_IDENTITY_ENTITLEMENT.IDENTITY_ID = SPT_IDENTITY.ID and
SPT_APPLICATION.ID=SPT_MANAGED_ATTRIBUTE.APPLICATION and

SPT_IDENTITY.CORRELATED ='1' and

Same Query can be modified and can be used to get the data with more details like extended attribute from Entitlement catalog or the Identity Attributes.

SPT_IDENTITY_ENTITLEMENT --> Contain relation between the Identity and Identity Entitlement.
SPT_MANAGED_ATTRIBUTE --> Contains the managed attributes details
SPT_APPLICATION --> Contain the Application related details
SPT_IDENTITY --> Contains all the User Identity Attributes