In many real-world scenarios, developers need to retrieve all attributes of a specific entitlement for purposes such as:
- Access analysis
- Entitlement validation
- Custom reporting
- Governance automation
- Troubleshooting entitlement configurations
Using a Rule in SailPoint IdentityIQ, developers can easily fetch entitlement details and inspect all associated attributes.
Approach
To retrieve entitlement attributes, we use the following components:
- QueryOptions – to define search parameters
- Filter.eq() – to search for a specific entitlement by name
- context.search() – to query ManagedAttribute objects
- Iterator – to iterate through the search results
- Util.flushIterator() – to release resources after iteration
In this example, we search for an entitlement with the name "test" and retrieve its associated attributes.
SailPoint Rule to Fetch Entitlement Attributes
```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <Rule name="Fetch Entitlement Attributes by Name" language="beanshell">
    <Description>
      Retrieves all attributes of an entitlement with name "test".
    </Description>
    <Source>
<![CDATA[
import sailpoint.object.*;
import sailpoint.tools.Util;
import java.util.*;

// Define the entitlement name to search for
String entitlementName = "test";

// Create query options with filter on 'value' (assuming name stored in 'value' or 'displayName')
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("value", entitlementName)); // use "displayName" if applicable

// Search for ManagedAttribute objects matching the name
Iterator iterator = context.search(ManagedAttribute.class, qo);
List entitlementAttributes = new ArrayList();

try {
    while (iterator.hasNext()) {
        ManagedAttribute ma = (ManagedAttribute) iterator.next();

        // Collect attributes: attribute name and its value
        // (raw types, as with the List and Iterator above)
        Map attributes = new HashMap();
        attributes.put("displayName", ma.getDisplayName());
        attributes.put("value", ma.getValue());
        attributes.put("description", ma.getDescription("en_US"));

        // Add the attribute info to the list
        entitlementAttributes.add(attributes);
    }
} finally {
    // Release the iterator even if processing a result throws
    Util.flushIterator(iterator);
}

return entitlementAttributes;
]]>
    </Source>
  </Rule>
</sailpoint>
```
How the Rule Works
1. Define the Entitlement Name
```java
String entitlementName = "test";
```
This variable stores the name of the entitlement that we want to retrieve.
2. Create QueryOptions with Filter
```java
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("value", entitlementName));
```
A QueryOptions object is created and a filter is added to search for entitlements whose value matches the specified name.
3. Search ManagedAttribute Objects
```java
Iterator iterator = context.search(ManagedAttribute.class, qo);
```
The context.search()
4. Iterate Through the Results
```java
while (iterator.hasNext())
```
The iterator loops through each entitlement that matches the filter condition.
5. Collect Entitlement Attributes
```java
attributes.put("displayName", ma.getDisplayName());
attributes.put("value", ma.getValue());
attributes.put("description", ma.getDescription("en_US"));
```
The rule extracts key entitlement attributes such as:
- Display Name
- Value
- Description
These attributes are stored in a Map and added to the result list.
6. Flush the Iterator
```java
Util.flushIterator(iterator);
```
Flushing the iterator ensures that system resources are properly released and helps prevent memory issues.
Output
The rule returns a List of Maps containing entitlement attributes.
Example Output
```
displayName : Test Entitlement
value : test
description : Test entitlement used for access control
```
Best Practices
When retrieving entitlements in large IdentityIQ environments:
- Always flush iterators after use
- Apply filters to reduce query size
- Avoid loading unnecessary attributes
- Use pagination for environments with thousands of entitlements
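The practices above combined in one rule body, as an added example that is not part of the original article's rule: it pages through matches, fetches only the listed columns with a projection search, and flushes each iterator in a finally block. The page size of 500 and the choice of projected columns are assumptions; `application.name` is included because the same entitlement value can exist on more than one application.

```java
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;
import java.util.*;

// Assumed inputs (constructed for this example)
String entitlementName = "test";
int pageSize = 500;

List results = new ArrayList();
int firstRow = 0;
boolean more = true;

while (more) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("value", entitlementName)); // filter keeps the query small
    qo.addOrdering("id", true);                        // stable order so pages do not overlap
    qo.setFirstRow(firstRow);
    qo.setResultLimit(pageSize);

    // Projection search: each row is an Object[] holding only the listed columns,
    // so full ManagedAttribute objects are never loaded
    Iterator rows = context.search(ManagedAttribute.class, qo,
                                   "id, application.name, attribute, value");
    int count = 0;
    try {
        while (rows.hasNext()) {
            Object[] row = (Object[]) rows.next();
            Map entry = new HashMap();
            entry.put("id", row[0]);
            entry.put("application", row[1]); // tells apart same-named entitlements
            entry.put("attribute", row[2]);
            entry.put("value", row[3]);
            results.add(entry);
            count++;
        }
    } finally {
        Util.flushIterator(rows); // released even if row handling throws
    }

    // A short page means the last page has been read
    more = (count == pageSize);
    firstRow += pageSize;
}

return results;
```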
Use Cases
This rule is useful in several scenarios:
Entitlement Analysis
Retrieve entitlement details for security reviews or audits.
Access Governance
Validate entitlement configurations across applications.
Custom Reporting
Generate reports showing entitlement metadata.
IAM Automation
Integrate entitlement data into automation workflows.
Troubleshooting
Inspect entitlement attributes when debugging provisioning or access issues.
Final Thoughts
Fetching entitlement attributes using a rule is a common requirement for SailPoint IdentityIQ developers. By leveraging ManagedAttribute objects, QueryOptions, context.search()
Following best practices such as using filters and flushing iterators ensures that the rule performs efficiently even in large enterprise environments.