Skip to main content

Find Entitlements

Find entitlements in the identity store. The command uses the PV_ENTITLEMENTS public view to find data. Any filters passed should apply to this public view.

GET https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements

Request

Parameters

findEntitlements
formatproperties - (Default) Returns the response as key=value pairs. When multiple objects are returned, values are comma-delimited: key=value1,value2,value3.

json - Returns the response as JSON.

csv - Returns the response as comma-separated values.

tsv - Returns the response as tab-separated values.

xml - Returns the response as XML.
delimiterThe delimiter to use between values for csv and properties formats
returnColumns

The names of the columns to return. returnColumns may be a CSV list of multiple column names. The parameter may also be listed multiple times (ie returnColumns=col1,col2&returnColumns=col3,col4)

Refer to Columns table below.
returnMaxRowsThe maximum number of objects to return
distincttrue, false Returns only distinct values, equivalent to the distinct keyword in SQL.
sortByColumns

The results will be sorted based on the columns listed using comma as the delimiter if multiple columns are specified.

Refer to Columns table below.
sortDirectionDetermines sorting order. asc for ascending, desc for descending. If not specified, the natural order returned by the database is used.
includeHeaderRowtrue, false Include column headers when the return format is csv or tsv. (Default) true
ignoreCasetrue, false Returns case-insensitive search results for specified filter parameters. (Default) false

Filter Parameters

Any column listed in the Columns table can be passed as a filter parameter to narrow results. Filters are matched against the PV_ENTITLEMENTS public view.

Query logic

ScenarioBehavior
Two different parameters: application_name=Aveksa&ent_type=entAND. Returns entitlements from Aveksa that have type ent.
Same parameter repeated: ent_type=ent&ent_type=groupOR within that field. Returns entitlements with type ent or group.
Mixed: application_name=Aveksa&ent_type=ent&ent_type=group(application is Aveksa) AND (type is ent or group)
OR logic across different parameters is not supported

A single API call cannot return entitlements where application_name=Aveksa OR ent_type=group. OR logic between different filter parameters is not supported.

Workaround: Make separate requests for each filter condition. Merge and deduplicate the results client-side.

Columns

id[Primary Key] Unique entitlement identifier
nameEntitlement name
alt_nameAlternate display name for the entitlement
action_nameAction name component of the entitlement
unique_idExternal unique identifier for the entitlement
ent_typeType of entitlement. Common values: ent, group, app-role, global-role
all_ent_typeAll entitlement types including inherited types
short_descShort description of the entitlement
long_descLong description of the entitlement
url_refURL reference for more information
canrequest1, 0 Whether this entitlement is available for access request
exclude_from_normal_add_accessN, Y Whether this entitlement is excluded from normal add-access workflows
activity_ownersUsers assigned as activity owners for this entitlement
application_id[Foreign Key referencing APPLICATION.ID] Application this entitlement belongs to
application_nameName of the application this entitlement belongs to
application_raw_nameRaw (unformatted) name of the application
app_descriptionDescription of the parent application
app_decommissioning_dateDate the parent application is or was decommissioned
app_is_activeWhether the parent application is currently active
app_backup_business_ownerBackup business owner of the parent application
app_backup_technical_ownerBackup technical owner of the parent application
directory_id[Foreign Key referencing DIRECTORY.ID] Directory this entitlement is loaded from
resource_id[Foreign Key referencing RESOURCE.ID] Resource this entitlement belongs to
resource_nameName of the resource grouping for this entitlement
owner_id[Foreign Key referencing USERS.ID] User ID of the entitlement owner
business_owner[Foreign Key referencing USERS.ID] User ID of the business owner
technical_owner[Foreign Key referencing USERS.ID] User ID of the technical owner
exception_manager[Foreign Key referencing USERS.ID] User ID of the exception manager
business_unit_id[Foreign Key referencing BUSINESS_UNIT.ID] Business unit for this entitlement
ent_external_idExternal identifier from the source system
approle_descriptionDescription when entitlement is an application role
approle_external_idExternal ID when entitlement is an application role
approle_display_nameDisplay name when entitlement is an application role
approle_typeRole type when entitlement is an application role
group_descriptionDescription when entitlement is a group
group_typeType when entitlement is a group
group_technical_locationTechnical location (e.g., DN) when entitlement is a group
group_external_idExternal ID when entitlement is a group
group_backup_ownerBackup owner when entitlement is a group

Headers

Bearer token
Acceptapplication/json
Content-Typeapplication/json

Response

Parameters

The API returns the requested columns specified by returnColumns as output. If returnColumns is unspecified then all columns listed will be returned.

Examples

All columns

Omit returnColumns to return every field for each entitlement.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=2" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "1",
"action_name": "Admin",
"activity_owners": "",
"all_ent_type": "ent",
"alt_name": "Role Collector : Admin",
"application_id": "1",
"application_name": "Aveksa",
"application_raw_name": "Aveksa",
"app_description": "The Aveksa application security",
"business_owner": "",
"business_unit_id": "",
"canrequest": "1",
"directory_id": "1",
"ent_type": "ent",
"exception_manager": "",
"exclude_from_normal_add_access": "N",
"long_desc": "Manage access plus create role collectors. Run all role collectors.",
"name": "Role Collector : Admin",
"owner_id": "",
"resource_id": "25",
"resource_name": "Role Collector",
"short_desc": "",
"technical_owner": "",
"unique_id": "ent1",
"url_ref": "",
"app_decommissioning_date": "",
"app_is_active": "",
"app_backup_business_owner": "",
"app_backup_technical_owner": "",
"approle_description": "",
"approle_external_id": "",
"approle_display_name": "",
"approle_type": "",
"ent_external_id": "",
"group_description": "",
"group_type": "",
"group_technical_location": "",
"group_external_id": "",
"group_backup_owner": ""
},
{
"id": "2",
"action_name": "Edit All",
"activity_owners": "",
"all_ent_type": "ent",
"alt_name": "Role Collector : Edit All",
"application_id": "1",
"application_name": "Aveksa",
"application_raw_name": "Aveksa",
"app_description": "The Aveksa application security",
"business_owner": "",
"business_unit_id": "",
"canrequest": "1",
"directory_id": "1",
"ent_type": "ent",
"exception_manager": "",
"exclude_from_normal_add_access": "N",
"long_desc": "View access plus edit role collectors. Run role collectors.",
"name": "Role Collector : Edit All",
"owner_id": "",
"resource_id": "25",
"resource_name": "Role Collector",
"short_desc": "",
"technical_owner": "",
"unique_id": "ent2",
"url_ref": "",
"app_decommissioning_date": "",
"app_is_active": "",
"app_backup_business_owner": "",
"app_backup_technical_owner": "",
"approle_description": "",
"approle_external_id": "",
"approle_display_name": "",
"approle_type": "",
"ent_external_id": "",
"group_description": "",
"group_type": "",
"group_technical_location": "",
"group_external_id": "",
"group_backup_owner": ""
}
]
}

Specific columns

Use returnColumns to limit the response to the fields you need.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=3&returnColumns=id,name,application_name,ent_type,resource_name,canrequest" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "1",
"name": "Role Collector : Admin",
"application_name": "Aveksa",
"ent_type": "ent",
"resource_name": "Role Collector",
"canrequest": "1"
},
{
"id": "2",
"name": "Role Collector : Edit All",
"application_name": "Aveksa",
"ent_type": "ent",
"resource_name": "Role Collector",
"canrequest": "1"
},
{
"id": "3",
"name": "Role Set : Edit All",
"application_name": "Aveksa",
"ent_type": "ent",
"resource_name": "Role Set",
"canrequest": "1"
}
]
}

Filter by a single value

Pass any column name as a query parameter to filter results. The example returns entitlements where application_name is Aveksa.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&application_name=Aveksa" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "1",
"name": "Role Collector : Admin",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "2",
"name": "Role Collector : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "3",
"name": "Role Set : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
}
]
}

Filter with OR logic

Repeat the same parameter with different values to match any of them. The example returns entitlements where ent_type is ent or group.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&ent_type=ent&ent_type=group" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "1",
"name": "Role Collector : Admin",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "2",
"name": "Role Collector : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "3",
"name": "Role Set : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
}
]
}

Case-insensitive filter

Filters are case-sensitive by default. Set ignoreCase=true to match regardless of case. The example passes ent_type=ENT in uppercase and still returns records with the stored value ent.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&ent_type=ENT&ignoreCase=true" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "1",
"name": "Role Collector : Admin",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "2",
"name": "Role Collector : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "3",
"name": "Role Set : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
}
]
}

Sort ascending

Use sortByColumns with a column name and sortDirection=asc to sort results from lowest to highest. The example sorts by id.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&sortByColumns=id&sortDirection=asc" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "1",
"name": "Role Collector : Admin",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "2",
"name": "Role Collector : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
},
{
"id": "3",
"name": "Role Set : Edit All",
"application_name": "Aveksa",
"ent_type": "ent"
}
]
}

Sort descending

Set sortDirection=desc to reverse the order.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=json&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&sortByColumns=id&sortDirection=desc" \
-H "Authorization: Bearer <token>"

Response

{
"findEntitlements": [
{
"id": "51592",
"name": "People Intelligence Incubator-ProjectTeam",
"application_name": "Entra ID",
"ent_type": "group"
},
{
"id": "51591",
"name": "BDLingo_PROD_BD_Excellence_Office",
"application_name": "Entra ID",
"ent_type": "group"
},
{
"id": "51590",
"name": "Windows - Application - Global Protect VPN 6.3.3 C1016 - NonChina - PILOT",
"application_name": "Entra ID",
"ent_type": "group"
}
]
}

CSV with custom delimiter

Set format=csv for a comma-separated response. Use delimiter to change the separator character.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=csv&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&delimiter=~" \
-H "Authorization: Bearer <token>"

Response

id~name~application_name~ent_type
1~Role Collector : Admin~Aveksa~ent
2~Role Collector : Edit All~Aveksa~ent
3~Role Set : Edit All~Aveksa~ent

CSV without header row

Set includeHeaderRow=false when your downstream system expects raw data rows without a header.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findEntitlements&format=csv&returnMaxRows=3&returnColumns=id,name,application_name,ent_type&includeHeaderRow=false" \
-H "Authorization: Bearer <token>"

Response

1,Role Collector : Admin,Aveksa,ent
2,Role Collector : Edit All,Aveksa,ent
3,Role Set : Edit All,Aveksa,ent

Error responses

A 401 is returned when the token is missing, invalid, or expired. A 412 is returned when returnColumns includes a column name that does not exist in the PV_ENTITLEMENTS public view.

<html>
<head><title>Error</title></head>
<body>The token is not valid for the command 'findEntitlements'. Token is invalid or expired</body>
</html>

Verified with RSA Governance & Lifecycle version 8.0.0.188886 P10_HF01.