SailPoint IdentityIQ capabilities and SPRights matrix
The Case
In SailPoint IdentityIQ, authorizations are controlled using ‘capabilities’ and ‘SPRights’. SailPoint itself offers a (regularly) updated document and matrix explaining which SPRights are assigned to each capability, see SailPoint Compass for reference (SailPoint Compass access required).
The document mentioned above is very helpful to get an overview of the authorizations ‘out of the box’, but achieving the same for an already running, implemented and actively operated instance is not that straightforward.
This article describes how to get a (similar) overview on a live system.
The Goal
Produce a matrix of the capabilities and SPRights currently available in your running IdentityIQ environment.
The Preparation
To produce the matrix, you need to have
- A ‘*nix’ based / compatible system (it's a bash script, so any system able to run it should be fine).
- An actual export of the ‘Capability’ objects from the IIQ database. Exports via iiqconsole or from your DevOps SSD should work.
- The script made available by this article (duh!).
- 10 Minutes (max).
The Implementation
So we assume you have some ‘local’ (with respect to the script) directory with all the required files, and we assume you know how to achieve this. But we are happy to help if needed, just contact us.
The bash script follows below.
#!/bin/bash
# Rights / Capabilities Matrix Creator
#
# bash script to generate a matrix out of Capabilities Definition for SailPoint IIQ
#
# If you want to include the displayName instead of the name attribute for Capabilities,
# replace 'name="\K[^"]+' with 'displayName="\K[^"]+' in the capability_name extraction line.
# (c) WedaCon 2025
# Output CSV file
OUTPUT_CSV="capabilities_matrix.csv"
# Directory containing XML files
XML_DIR="/the/path/to../config-extracted/PROD/Capability"
# Temporary file holding the sorted, unique list of SPRight names; removed on exit
SPRIGHTS_FILE=$(mktemp)
trap 'rm -f "$SPRIGHTS_FILE"' EXIT
# Extract all unique SPRight names once; the same ordered list is reused for every row
echo "Processing XML files in $XML_DIR..."
grep -h '<Reference class="sailpoint.object.SPRight" name="' "$XML_DIR"/*.xml | \
    sed -E 's/.*name="([^"]+)".*/\1/' | \
    sort -u > "$SPRIGHTS_FILE"
# Header for CSV: first column is Capability, rest are SPRight names
echo "Capability,$(tr '\n' ',' < "$SPRIGHTS_FILE" | sed 's/,$//')" > "$OUTPUT_CSV"
# Process each XML file
for xml_file in "$XML_DIR"/*.xml; do
    capability_name=$(grep -oP 'name="\K[^"]+' "$xml_file" | head -1)
    echo "Processing Capability: $capability_name"
    # Get all SPRight names for this Capability
    sprights=$(grep '<Reference class="sailpoint.object.SPRight" name="' "$xml_file" | \
        sed -E 's/.*name="([^"]+)".*/\1/')
    # Build a row for this Capability, in the same SPRight order as the header
    row="$capability_name"
    while IFS= read -r spright; do
        # -F: literal match, -x: whole line, so names containing regex characters cannot mis-match
        if echo "$sprights" | grep -qFx -- "$spright"; then
            row="$row,1"
        else
            row="$row,"
        fi
    done < "$SPRIGHTS_FILE"
    echo "$row" >> "$OUTPUT_CSV"
done
echo "CSV matrix generated at $OUTPUT_CSV"
You need to adjust (at least) the XML_DIR path so it points to the directory where your ‘Capability’ export files reside. Create a local file with the content, make it executable (chmod +x) and adjust that line. Grab a cup of coffee.
Ready to go? Fine, execute the script; it will produce a ‘CSV’ (Create Something Valuable) file, which you can then ‘import’ into Excel. Or just open it using LibreOffice Calc.
The CSV marks every SPRight found for a capability with a ‘1’, so it is a good idea to add totals per row and per column (the SUM function is your friend here) and to re-organize the header.
Done, you have an actual overview matrix showing the current view of your SPRights and capabilities.
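As an added example (not the article's or WedaCon's script), the same matrix built with a real XML parser in Python, which is not thrown off by attribute order or line breaks inside a tag, also accepts a multi-object <sailpoint> export, offers the displayName switch, and already carries the row and column totals suggested above. The sample exports are constructed; the <RightRefs> container name is an assumption, and the code only relies on Reference elements carrying the SPRight class.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not real IIQ data): one file per Capability as the article
# assumes, and a multi-object <sailpoint> document as iiqconsole can also produce.
SAMPLE_EXPORTS = [
    """<!DOCTYPE Capability PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Capability name="ViewIdentity" displayName="capability_view_identity">
  <RightRefs><Reference class="sailpoint.object.SPRight" name="ViewIdentity"/></RightRefs>
</Capability>""",
    """<sailpoint>
<Capability name="IdentityAdministrator" displayName="capability_identity_admin">
  <RightRefs>
    <Reference class="sailpoint.object.SPRight" name="ViewIdentity"/>
    <Reference class="sailpoint.object.SPRight" name="SetIdentityPassword"/>
  </RightRefs>
</Capability>
<Capability name="ReportAdministrator" displayName="capability_report_admin">
  <RightRefs><Reference class="sailpoint.object.SPRight" name="FullAccessReport"/></RightRefs>
</Capability>
</sailpoint>""",
]

def capability_rights(xml_text, use_display_name=False):
    """Map each Capability in one export to the set of SPRight names it references."""
    root = ET.fromstring(xml_text)
    caps = [root] if root.tag == "Capability" else root.iter("Capability")
    key = "displayName" if use_display_name else "name"
    result = {}
    for cap in caps:
        # Only SPRight references count, wherever they sit below the Capability element
        result[cap.get(key) or cap.get("name")] = {
            ref.get("name") for ref in cap.iter("Reference")
            if ref.get("class") == "sailpoint.object.SPRight"}
    return result

def build_matrix(exports, use_display_name=False):
    """Return (header, rows): a 1 per granted SPRight plus row/column totals (the SUM step)."""
    caps = {}
    for text in exports:
        caps.update(capability_rights(text, use_display_name))
    all_rights = sorted(set().union(*caps.values()))
    header = ["Capability"] + all_rights + ["Total"]
    rows = []
    for name in sorted(caps):
        marks = [1 if r in caps[name] else "" for r in all_rights]
        rows.append([name] + marks + [marks.count(1)])
    rows.append(["Total"] + [sum(r in caps[n] for n in caps) for r in all_rights] + [""])
    return header, rows
```

Feed `build_matrix` the contents of every file in your export directory and write the result with the csv module, so capability names containing commas or quotes stay intact.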
The Next Steps
If you have a proper role and ‘authorization’ model in your IDM / IIQ environment, you should be able to extend this to your current Workgroup/Role model assignment (hint: Loopback Connector). Contact us if you need support on how to set this up.
The Conclusion
Getting an ‘actual’ overview of who can initiate which actions in SailPoint IIQ is not straightforward. Using the procedure described here (yes: regularly) can help achieve this goal.