
Adding user into new password policy RBAC Group

Community_User
Saviynt Employee
Originally posted on September 11 2020 at 09:52 UTC

Hello,

I have an analytics report to generate to remind people to reset their passwords 15 days prior to expiration.

A lot of them have the old password policy.

Once a user changes their password in AD and the lastpasswordchange attribute is updated, I want to trigger a tech rule to add them to the RBAC_newpasswordpolicy group.


Could you please help me?


We have the validthrough attribute on the account, which shows the password expiration date.

We have the lastpasswordchange attribute, which shows the last password change date.


Thank you



This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on September 11 2020 at 12:00 UTC

Basically, what I want is to trigger a tech rule when Account.'Valid Through' is updated and Datediff(a.validthrough,curdate()) >= 1, and assign to RBAC_newpasswordpolicy.


Do I need to use a tech rule to achieve this?

Or, how can I use provision access in the allowed actions of an analytics report?


Thank you


Community_User
Saviynt Employee
Originally posted on September 16 2020 at 05:12 UTC

Hello,


You can create an analytics report with the 'provision access' allowed action, and also mark it as the default action in the query based on the validthrough attribute. A sample query:

select ev.entitlement_valuekey as entvaluekey, a.accountkey as acctKey, a.name as accName,u.userKey ,'Provision Access' as 'Default_Action_For_Analytics'
from entitlement_values ev, entitlement_types et, accounts a, user_accounts u
where ev.entitlementtypekey=et.entitlementtypekey
and u.ACCOUNTKEY=a.ACCOUNTKEY
and datediff(a.validthrough,curdate());


The mandatory columns, the format of the query and what 'provision access' does from analytics can be found here - https://saviynt.freshdesk.com/support/solutions/articles/43000582519-configuring-allowed-actions


Next, schedule this analytics control from the Run All Analytics Job. While scheduling, select the checkbox for default action for analytics.


The same, however, cannot be performed from technical rules, as these rules are triggered on changes to the user's profile and not on account changes.


Regards,

Saparja


Community_User
Saviynt Employee
Originally posted on September 17 2020 at 05:28 UTC

In the given SQL query, how can I assign a specific SG group? For example, RBAC_password_newpolicy should be assigned if the user meets the condition in the where statement. Thanks

Community_User
Saviynt Employee
Originally posted on September 17 2020 at 05:45 UTC

I believe 'RBAC_password_newpolicy' group is the entitlement in this case and the same should be mentioned in this part of the query:

ev.entitlement_valuekey as entvaluekey


Regards,

Saparja

Community_User
Saviynt Employee
Originally posted on September 17 2020 at 05:53 UTC

Sorry, still hard to understand. Could you please give me an example in detail?

Do I need to define where ev.entitlement_value='CN=RBAC_password_newpolicy%') in the where statement?

Community_User
Saviynt Employee
Originally posted on September 17 2020 at 05:55 UTC

How are the details related to 'RBAC_password_newpolicy' stored in Saviynt? Is it stored as an entitlement?

Community_User
Saviynt Employee
Originally posted on September 17 2020 at 05:57 UTC

Yes, correct. The Entitlement Value is the full DN.

Community_User
Saviynt Employee
Originally posted on September 17 2020 at 06:07 UTC

All the entitlements are stored in Saviynt in the 'entitlement_values' table. Every entitlement also has a unique 'entitlement_valuekey' associated with it. Check the documentation related to this table from our schema guide here.


Similarly, in your case, the entitlement 'RBAC_password_newpolicy' also has a unique entitlement_valuekey. That is the value you need to provide as part of analytics query.

This is what you can write-


select ev.entitlement_valuekey as entvaluekey, a.accountkey as acctKey, a.name as accName,u.userKey ,'Provision Access' as 'Default_Action_For_Analytics'
from entitlement_values ev, entitlement_types et, accounts a, user_accounts u
where ev.entitlement_value='<<full DN of RBAC_password_newpolicy>>'
and ev.entitlementtypekey=et.entitlementtypekey
and u.ACCOUNTKEY=a.ACCOUNTKEY
and datediff(a.validthrough,curdate());

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
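
A more tightly scoped variant of the query in the reply above, as an added example that is not part of the original thread. It uses the `>= 1` comparison from the original question, limits the result to accounts on the same endpoint as the group, and skips accounts that already hold it. The `endpointkey` columns and the `account_entitlements1` table are assumptions about the schema that do not appear in the thread; confirm them against the schema guide before use.

```sql
-- Added example, not from the thread.
-- Assumed (not shown on the page): accounts.endpointkey,
-- entitlement_types.endpointkey and the account_entitlements1 table.
select ev.entitlement_valuekey as entvaluekey,
       a.accountkey            as acctKey,
       a.name                  as accName,
       u.userKey,
       'Provision Access'      as 'Default_Action_For_Analytics'
from entitlement_values ev
join entitlement_types et
  on et.entitlementtypekey = ev.entitlementtypekey
join accounts a
  on a.endpointkey = et.endpointkey      -- only accounts on the group's own endpoint
join user_accounts u
  on u.accountkey = a.accountkey
where ev.entitlement_value = '<<full DN of RBAC_password_newpolicy>>'
  -- Explicit comparison taken from the original question. A bare
  -- datediff(...) in a where clause is true for any non-zero result,
  -- including negative values (validthrough already in the past).
  and datediff(a.validthrough, curdate()) >= 1
  -- Do not raise a provisioning task for accounts already in the group.
  and not exists (
        select 1
        from account_entitlements1 ae
        where ae.accountkey = a.accountkey
          and ae.entitlement_valuekey = ev.entitlement_valuekey
      );
```

Run the query as a plain report first and review the returned accounts before enabling the default action on the scheduled job.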

Community_User
Saviynt Employee
Originally posted on September 17 2020 at 07:13 UTC

This worked! Thank you
