Skip to main content

Find User Entitlements

Find user-to-entitlement relationships in the identity store. The command uses the PV_USER_DIRECT_ENTITLEMENT public view to find data. Any filters passed should apply to this public view.

GET https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements

Request

Parameters

findUserEntitlements
formatproperties - (Default) Returns the response as key=value pairs. When multiple objects are returned, values are comma-delimited: key=value1,value2,value3.

json - Returns the response as JSON.

csv - Returns the response as comma-separated values.

tsv - Returns the response as tab-separated values.

xml - Returns the response as XML.
delimiterThe delimiter to use between values for csv and properties formats
returnColumns

The names of the columns to return. returnColumns may be a CSV list of multiple column names. The parameter may also be listed multiple times (ie returnColumns=col1,col2&returnColumns=col3,col4)

Refer to Columns table below.
returnMaxRowsThe maximum number of objects to return
distincttrue, false Returns only distinct values, equivalent to the distinct keyword in SQL.
sortByColumns

The results will be sorted based on the columns listed using comma as the delimiter if multiple columns are specified.

Refer to Columns table below.
sortDirectionDetermines sorting order. asc for ascending, desc for descending. If not specified, the natural order returned by the database is used.
includeHeaderRowtrue, false Include column headers when the return format is csv or tsv. (Default) true
ignoreCasetrue, false Returns case-insensitive search results for specified filter parameters. (Default) false

Filter Parameters

Any column listed in the Columns table can be passed as a filter parameter to narrow results. Filters are matched against the PV_USER_DIRECT_ENTITLEMENT public view.

Query logic

ScenarioBehavior
Two different parameters: entitlement_type=Entitlement&application_name=AveksaAND. Returns Aveksa entitlements only.
Same parameter repeated: entitlement_type=Entitlement&entitlement_type=GlobalRoleOR within that field. Returns entitlements of type Entitlement or GlobalRole.
Mixed: application_name=Aveksa&entitlement_type=Entitlement&entitlement_type=GlobalRole(application_name is Aveksa) AND (entitlement_type is Entitlement or GlobalRole)
OR logic across different parameters is not supported

A single API call cannot return entitlements where entitlement_type=Entitlement OR application_name=Aveksa. OR logic between different filter parameters is not supported.

Workaround: Make separate requests for each filter condition. Merge and deduplicate the results client-side.

Columns

user_id[Foreign Key referencing USERS.ID] User who holds this entitlement. System users (negative IDs) represent non-human identities such as service accounts or role definitions.
entitlement_id[Foreign Key referencing the entitlement] ID of the entitlement, role, or group
entitlement_typeType of entitlement. Known values: Entitlement, GlobalRole, ApplicationRole
entitlement_nameDisplay name of the entitlement
raw_entitlement_nameRaw name as collected from the source system, before any normalization
application_id[Foreign Key referencing the Application] Application the entitlement belongs to. Empty for GlobalRole types.
application_nameName of the application. Empty for GlobalRole types.

Headers

Bearer token
Acceptapplication/json
Content-Typeapplication/json

Response

Parameters

The API returns the requested columns specified by returnColumns as output. If returnColumns is unspecified then all columns listed will be returned.

Examples

All columns

Omit returnColumns to return every field for each user entitlement.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=2" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "-3",
"entitlement_id": "6764",
"entitlement_type": "GlobalRole",
"entitlement_name": "Test Role 3",
"raw_entitlement_name": "Test Role 3",
"application_id": "",
"application_name": ""
},
{
"user_id": "0",
"entitlement_id": "37",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : Run Reports",
"raw_entitlement_name": "Report Result:Run Reports",
"application_id": "1",
"application_name": "Aveksa"
}
]
}

Specific columns

Use returnColumns to limit the response to the fields you need.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name,application_name" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "-3",
"entitlement_id": "6764",
"entitlement_type": "GlobalRole",
"entitlement_name": "Test Role 3",
"application_name": ""
},
{
"user_id": "0",
"entitlement_id": "37",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : Run Reports",
"application_name": "Aveksa"
},
{
"user_id": "0",
"entitlement_id": "82",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Definition : Run Reports",
"application_name": "Aveksa"
}
]
}

Filter by a single value

Pass any column name as a query parameter to filter results. The example returns entitlements where entitlement_type is Entitlement.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name,application_name&entitlement_type=Entitlement" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "0",
"entitlement_id": "37",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : Run Reports",
"application_name": "Aveksa"
},
{
"user_id": "0",
"entitlement_id": "82",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Definition : Run Reports",
"application_name": "Aveksa"
},
{
"user_id": "0",
"entitlement_id": "308",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : View Report Results",
"application_name": "Aveksa"
}
]
}

Filter with OR logic

Repeat the same parameter with different values to match any of them. The example returns entitlements where entitlement_type is Entitlement or GlobalRole.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name,application_name&entitlement_type=Entitlement&entitlement_type=GlobalRole" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "-3",
"entitlement_id": "6764",
"entitlement_type": "GlobalRole",
"entitlement_name": "Test Role 3",
"application_name": ""
},
{
"user_id": "0",
"entitlement_id": "37",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : Run Reports",
"application_name": "Aveksa"
},
{
"user_id": "0",
"entitlement_id": "82",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Definition : Run Reports",
"application_name": "Aveksa"
}
]
}

Case-insensitive filter

Filters are case-sensitive by default. Set ignoreCase=true to match regardless of case. The example passes entitlement_type=entitlement in lowercase and still returns records with the stored value Entitlement.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name&entitlement_type=entitlement&ignoreCase=true" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "0",
"entitlement_id": "37",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : Run Reports"
},
{
"user_id": "0",
"entitlement_id": "82",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Definition : Run Reports"
},
{
"user_id": "0",
"entitlement_id": "308",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : View Report Results"
}
]
}

Sort ascending

Use sortByColumns with a column name and sortDirection=asc to sort results from lowest to highest. The example sorts by user_id.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name&sortByColumns=user_id&sortDirection=asc" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "-3",
"entitlement_id": "6764",
"entitlement_type": "GlobalRole",
"entitlement_name": "Test Role 3"
},
{
"user_id": "0",
"entitlement_id": "37",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Result : Run Reports"
},
{
"user_id": "0",
"entitlement_id": "82",
"entitlement_type": "Entitlement",
"entitlement_name": "Report Definition : Run Reports"
}
]
}

Sort descending

Set sortDirection=desc to reverse the order.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=json&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name&sortByColumns=user_id&sortDirection=desc" \
-H "Authorization: Bearer <token>"

Response

{
"findUserEntitlements": [
{
"user_id": "51226",
"entitlement_id": "350",
"entitlement_type": "ApplicationRole",
"entitlement_name": "PS Administrator"
},
{
"user_id": "50632",
"entitlement_id": "350",
"entitlement_type": "ApplicationRole",
"entitlement_name": "PS Administrator"
},
{
"user_id": "50632",
"entitlement_id": "362",
"entitlement_type": "ApplicationRole",
"entitlement_name": "System Administrator"
}
]
}

CSV with custom delimiter

Set format=csv for a comma-separated response. Use delimiter to change the separator character.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=csv&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name&delimiter=~" \
-H "Authorization: Bearer <token>"

Response

user_id~entitlement_id~entitlement_type~entitlement_name
-3~6764~GlobalRole~Test Role 3
0~37~Entitlement~Report Result : Run Reports
0~82~Entitlement~Report Definition : Run Reports

CSV without header row

Set includeHeaderRow=false when your downstream system expects raw data rows without a header.

Request

curl -K -X GET \
"https://instance.securid.com/aveksa/command.submit?cmd=findUserEntitlements&format=csv&returnMaxRows=3&returnColumns=user_id,entitlement_id,entitlement_type,entitlement_name&includeHeaderRow=false" \
-H "Authorization: Bearer <token>"

Response

-3,6764,GlobalRole,Test Role 3
0,37,Entitlement,Report Result : Run Reports
0,82,Entitlement,Report Definition : Run Reports

Error responses

A 401 is returned when the token is missing, invalid, or expired. A 412 is returned when returnColumns includes a column name that does not exist in the PV_USER_DIRECT_ENTITLEMENT public view.

<html>
<head><title>Error</title></head>
<body>The token is not valid for the command 'findUserEntitlements'. Token is invalid or expired</body>
</html>

Verified with RSA Governance & Lifecycle version 8.0.0.188886 P10_HF01.