Click HERE to see how Saviynt Intelligence is transforming the industry. |
04/12/2022 01:01 PM
Hello,
I have analystic report to generate to remind people to password reset prior to 15 days of expiration.
A lot of them have old password policy.
Once user changed password in AD and lastpasswordchange attribute is updated, I want to trigger tech rule to add them into RBAC_newpasswordpolicy group.
Could you please help me?
We have validthough attirubte in account which is showing expriation password date
We have lastpasswordchange attribute which is showing last password change date.
Thank you
Solved! Go to Solution.
04/12/2022 02:10 PM
Basically what I want is to trigger tech rule when Account.'Valid Through' is updated and Datediff(a.validthrough,curdate()) > = 1, assign to RBAC_newpasswordpolicy.
Do I need to use tech-rule to achieve this one?
Or, how can I use provision access in allowed action of analystic report.
Thank you
04/12/2022 02:10 PM
Hello,
You can create an analytics report with 'provision access' allowed action , also mark it as default action in the query based on the validthrough attribute. A sample query -
select ev.entitlement_valuekey as entvaluekey, a.accountkey as acctKey, a.name as accName,u.userKey ,'Provision Access' as 'Default_Action_For_Analytics'
from entitlement_values ev, entitlement_types et, accounts a, user_accounts u
where ev.entitlementtypekey=et.entitlementtypekey
and u.ACCOUNTKEY=a.ACCOUNTKEY
and datediff(a.validthrough,curdate());
The mandatory columns , format of the query and what the 'provision access' does from analytics can be found here - https://saviynt.freshdesk.com/support/solutions/articles/43000582519-configuring-allowed-actions
Next, schedule this analytics control from Run All Analytics Job. While scheduling select the checkbox for default action for analytics
The same however cannot be performed from technical rules as these rules are triggered on change of user's profile changes and not account changes.
Regards,
Saparja
04/12/2022 02:10 PM
In given SQL query, how can I assign specific SG group to be assigned ? for exmaple RBAC_password_newpolicy to set assign if user meets the confition in where statement. Thanks
04/12/2022 02:10 PM
I believe 'RBAC_password_newpolicy' group is the entitlement in this case and the same should be mentioned in this part of the query:
ev.entitlement_valuekey as entvaluekey
Regards,
Saparja
04/12/2022 02:10 PM
Sorry, still hard to understand.. could you please give me example in detail?
do i need to define where ev.entitlement_value='CN=RBAC_password_newpolicy%') in where statement?
04/12/2022 02:10 PM
How are the details related to 'RBAC_password_newpolicy' stored in Saviynt? Is it stored as an entitlement?
04/12/2022 02:10 PM
Yes correct. Entitlement Value is full DN
04/12/2022 02:11 PM
All the entitlements are stored in Sayint in the 'entitlement_values' table. Every entitlement also has a unique 'entitlement_valuekey' associated with it. Check the documentation related to this table from our schema guide here.
Similarly, in your case, the entitlement 'RBAC_password_newpolicy' also has a unique entitlement_valuekey. That is the value you need to provide as part of analytics query.
This is what you can write-
select ev.entitlement_valuekey as entvaluekey, a.accountkey as acctKey, a.name as accName,u.userKey ,'Provision Access' as 'Default_Action_For_Analytics'
from entitlement_values ev, entitlement_types et, accounts a, user_accounts u
where ev.entitlement_value='<<full DN of RBAC_password_newpolicy>>'
ev.entitlementtypekey=et.entitlementtypekey
and u.ACCOUNTKEY=a.ACCOUNTKEY
and datediff(a.validthrough,curdate());
04/12/2022 02:11 PM
This worked! Thank you