
SailPoint IdentityIQ 8.2 - Return a list of users who have any entitlement(group) in a predetermined list of entitlements


I'm working in an environment where IdentityIQ 8.2 is deployed for access management.

I am attempting to return a list of users, based on if they have any one of the entitlements in the provided "whitelist". (i.e. "Show me any user who has entitlement1 or entitlement2 or entitlement3")

I tried to use the Advanced Analytics search function. This does allow you to search for identities based on entitlement, but it functions in an "Exclusive AND" logic style where only users who have every single entitlement on your "whitelist" will be returned. I haven't found a way to change this. The Advanced Search type doesn't support searching by entitlement, from what I can tell.

Is there an out-of-the-box way to accomplish this?


Solution

  • You can create the entitlement search with AND and save the result as a Population. You can then change operation="AND" to operation="OR" using the Debug pages.

    Example of how to search for users who have either of these two AD group memberships (this is a Population saved from Advanced Analytics):

    <GroupDefinition indexed="true" name="x" private="true">
      <GroupFilter>
        <CompositeFilter operation="AND">
          <Filter operation="COLLECTION_CONDITION" property="identityEntitlements">
            <CollectionCondition>
              <!-- saved as operation="AND"; changed to "OR" in the Debug pages so any one membership matches -->
              <CompositeFilter operation="OR">
                <CompositeFilter operation="AND">
                  <Filter operation="EQ" property="application.name" value="AD"/>
                  <Filter operation="EQ" property="name" value="memberOf"/>
                  <Filter operation="EQ" property="value" value="{e4ca3ebf-543e-4f19-aa6d-60ebee9968a7}"/>
                </CompositeFilter>
                <CompositeFilter operation="AND">
                  <Filter operation="EQ" property="application.name" value="AD"/>
                  <Filter operation="EQ" property="name" value="memberOf"/>
                  <Filter operation="EQ" property="value" value="{b263fcce-26e5-4fc8-9ed3-012df6b4c262}"/>
                </CompositeFilter>
              </CompositeFilter>
            </CollectionCondition>
          </Filter>
        </CompositeFilter>
      </GroupFilter>
      <Owner>
        <Reference class="sailpoint.object.Identity" name="spadmin"/>
      </Owner>
    </GroupDefinition>
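As an added example (not part of the answer above and not SailPoint's own tooling), a small standard-library Python script that generates the same GroupDefinition shape for any number of whitelisted entitlement values with OR logic, and rewrites a Population saved with AND the way the answer describes doing by hand in the Debug pages. It assumes only the XML layout shown above; the group values it is fed are constructed sample input.

```python
# Added example, not from the original post: build or repair an IdentityIQ
# Population XML so that it matches identities holding ANY listed entitlement.
import xml.etree.ElementTree as ET

def _entitlement_block(app, attribute, value):
    """One per-entitlement AND block: application.name, name and value must all match."""
    block = ET.Element("CompositeFilter", operation="AND")
    for prop, val in (("application.name", app), ("name", attribute), ("value", value)):
        ET.SubElement(block, "Filter", operation="EQ", property=prop, value=val)
    return block

def build_population(name, app, attribute, values, owner="spadmin"):
    """GroupDefinition XML matching identities that hold ANY of `values` (OR logic)."""
    if not values:
        raise ValueError("whitelist must contain at least one entitlement value")
    group = ET.Element("GroupDefinition", indexed="true", name=name, private="true")
    outer = ET.SubElement(ET.SubElement(group, "GroupFilter"), "CompositeFilter", operation="AND")
    cond = ET.SubElement(outer, "Filter", operation="COLLECTION_CONDITION",
                         property="identityEntitlements")
    # The grouping CompositeFilter: this is the one the answer flips from AND to OR.
    any_of = ET.SubElement(ET.SubElement(cond, "CollectionCondition"),
                           "CompositeFilter", operation="OR")
    for value in values:
        any_of.append(_entitlement_block(app, attribute, value))
    owner_el = ET.SubElement(group, "Owner")
    ET.SubElement(owner_el, "Reference", {"class": "sailpoint.object.Identity", "name": owner})
    return ET.tostring(group, encoding="unicode")

def and_to_or(xml_text):
    """Rewrite a saved AND population to OR, as done by hand in the Debug pages.
    Only the grouping CompositeFilter (children are CompositeFilters) is flipped;
    a per-entitlement block (children are Filters) is left alone, because turning
    that AND into OR would match any AD entitlement, not just the listed groups.
    Returns (new_xml, number_of_filters_changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for cond in root.iter("CollectionCondition"):
        for comp in cond.findall("CompositeFilter"):
            if comp.get("operation") == "AND" and all(c.tag == "CompositeFilter" for c in comp):
                comp.set("operation", "OR")
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed

def whitelist_of(xml_text):
    """Inspect a population: (operation under CollectionCondition, listed entitlement values)."""
    root = ET.fromstring(xml_text)
    comp = root.find(".//CollectionCondition/CompositeFilter")
    values = [f.get("value") for f in comp.iter("Filter") if f.get("property") == "value"]
    return comp.get("operation"), values
```

Paste the output of `build_population` (or of `and_to_or` applied to the XML copied from the Debug page) back into the Debug page for the Population, then confirm with `whitelist_of` that the grouping operation reads "OR" and the value list is exactly your whitelist.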