Click HERE to see how Saviynt Intelligence is transforming the industry. |
04/12/2022 01:01 PM
I want to create actionable report to deprovision access when user doesn't meet the condition.
Those account doesn't meet our current tech rule but the group was assigned before Savyint go-live.
For example, Job code is ABC is for RBAC_O365_E5 group in tech-rule of our savyint
but this user had RBAC_O365_E1 license before Savyint Go-live.
I would like to generate actionable report to remove the RBAC_O365_E1 group since it deson't mett our current birthright rule.
Can anyone advise me what SQL query I need to use?
I read documentation and saw sample query but I still hard to figure out how I can remove specific SG from user.
Thank you
Solved! Go to Solution.
04/12/2022 02:11 PM
Hello,
The documentation is available here with sample queries - https://saviynt.freshdesk.com/support/solutions/articles/43000582519-configuring-allowed-actions#Con...
Also, the schema guide is here - https://saviynt.freshdesk.com/support/solutions/articles/43000521404-saviynt-security-manager-ssm-sc...
Regards,
Saparja
04/12/2022 02:11 PM
Hello. I read those article many times and I made following query but I don't get any result with this query.
Could you please let me know what to modify?
select ev.entitlement_valuekey as entvaluekey, a.accountkey as acctKey, a.name as accName,u.userKey, 'Deprovision Access' as 'Default_Action_For_Analytics'
from entitlement_values ev, entitlement_types et, accounts a, user_accounts u, account_entitlements1 ae1
where ev.entitlement_value='CN=RBAC_O365_E5,XXXXXXXXXXXXXXXXX'
AND ev.entitlementtypekey=et.entitlementtypekey
AND u.ACCOUNTKEY=a.ACCOUNTKEY
AND a.endpointKey = 2
AND (a.customproperty26 like 'Title1%' or a.customproperty26 like 'Title2%');
04/12/2022 02:11 PM
I believe you are trying to remove the RBAC_O365_E1 group from the accounts assigned with it. Is my understanding correct?
04/12/2022 02:11 PM
04/12/2022 02:11 PM
The same logic from the previous report also applies here.
When you try to remove the E1 group your query should have these details:
select ae1.entitlement_valuekey as entvaluekey, ev.ENTITLEMENT_VALUE, ae1.accountkey as acctKey, a.name, 'Deprovision Access' as 'Default_Action_For_Analytics'
from account_entitlements1 ae1, accounts a , entitlement_values ev where a.accountkey = ae1.accountkey and ev.ENTITLEMENT_VALUEKEY=ae1.ENTITLEMENT_VALUEKEY and ev.entitlement_value = 'CN=RBAC_O365_E5,XXXXXXXXXXXXXXXXX';
04/12/2022 02:11 PM
Typo in my last reply. The above query was when you are trying to remove the RBAC_O365_E5 group
04/12/2022 02:11 PM
Thanks for your help! It was very useful