
How can we exclude entitlements that are part of a role from Manager Certification?

Community_User
Saviynt Employee
Originally posted on January 28 2020 at 18:56 UTC

I need to accomplish the following things:

1. During User Manager Certification, I want to exclude those entitlements that are granted as part of an Enterprise Role from the certification list.

2. During the entitlement owner Certification I want to prevent the entitlement owner from revoking an entitlement that was granted as part of a Role.

How can I accomplish this?

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on January 29 2020 at 08:00 UTC

Hi Waman,


A1 for Q1: So in the DB there is an accounts_entitlements table that has a column "AssignedfromRole" which is populated with the rolekey in case the entitlement is assigned from a role, so while creating the campaign, you need to mention this in the advance query section.


A2 for Q2: In the Entitlement owner certification, the certifier (entitlement owner) can decommission the entitlement from the left panel, and based on the decommission action selected while creating the campaign it will either inactivate the entitlement or inactivate and remove the entitlements from the account. The owner is added to the entitlement, not through a role.

In the right panel of the entitlement owner campaign, the certifier will certify the accounts that have access to the entitlement. So while creating the campaign you can exclude accounts that have the entitlements through roles in the advance query.


Community_User
Saviynt Employee
Originally posted on October 21 2021 at 06:20 UTC

Hi Brian,


<<

In the right panel of entitlement owner campaign, the certifier will certify the accounts that have access to the entitlement. So while creating the campaign you can exclude accounts that has the entitlements through roles in the advance query.

>>


To achieve the above, do you have any sample query which we can use in the Advance query of the certification?


Thanks

Devang

Community_User
Saviynt Employee
Originally posted on October 21 2021 at 19:16 UTC

Devang,


You can try using ae1.assignedfromroles is null or something similar to exclude the account/entitlement relationships which were assigned through a role.




Regards,

Avinash Chhetri

Community_User
Saviynt Employee
Originally posted on October 22 2021 at 18:36 UTC

Hi Avinash,


I want to exclude entitlements which are assigned through a role in the user manager campaign. I used the below advanced config, but the campaign is not excluding the entitlements. Does this query exclude entitlements assigned via a role?

I also tried adding a value to customproperty attribute on the role and query customproperty1 is null, didn't work.




I cannot use ae1.assignedfromroles, because the assignedfromrole column is not populated for accounts that were imported into Saviynt and already have these entitlements; it's only populated when the role and associated entitlements are provisioned via Saviynt.


Regards,

Raj.

Community_User
Saviynt Employee
Originally posted on October 26 2021 at 18:53 UTC

Hi Raj,


The entitlement to the account information is in the account_entitlement1 table. This is the only table in the schema that tells you how the entitlement was assigned to the account, via a rule or a role etc.


Without this information, you will not be able to launch certification to exclude accounts that were assigned through roles.




Regards,

Avinash Chhetri

Community_User
Saviynt Employee
Originally posted on October 27 2021 at 16:30 UTC

Avinash,


Thank you for the information. So in this case the only option we have is to update the assignedfromrole column in the account_entitlement1 table with the rolekey, for all entitlements assigned with a role. Is that correct?


Can we update the assignedfromrole column? Will there be any issues doing so?


Regards,

Raj.

Community_User
Saviynt Employee
Originally posted on October 28 2021 at 00:54 UTC

Yes Raj, you will have to update the assignedfromroles column.

This needs to be populated as a comma separated value if the same entitlement is assigned from multiple roles.

For example:

a) If Role A with rolekey 1 has an entitlement B

b) If Role B with rolekey 2 also has the same entitlement B

c) If the User X has the entitlement B assigned from two roles, then the assignedfromrole should have the value 1,2, i.e. their rolekey.



Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on November 2 2021 at 14:17 UTC

Hi Avinash,

I created a query to update the assignedfromrole column; now I’m able to exclude access in the user manager campaign which is assigned via Rules and Roles.

But I’m not able to update the column with a second rolekey. Can you please help me with the query?

As I’m using assignedfromrule is null and assignedfromrole is null in the advanced campaign config, is it required to update the column with multiple rolekeys?

Community_User
Saviynt Employee
Originally posted on November 2 2021 at 18:18 UTC

Hi Raj,


Instead of going with a query, the easier option would be to do a bulk load of the roles via UI.


Request Access for Multiple Users > Action > Bulk Upload Request > Select Role in the drop down


A sample upload file is also available once you traverse to the above location.


In case you still want to use the query, you can explore some MySQL queries/functions that can help you with it.


For your second question: yes, if the given entitlement is common between two roles, then that entitlement just exists in the account entitlement table once, and the assignedfromroles should be a comma separated value to let Saviynt know that the entitlement is assigned to the user as part of two roles. Even if 1 role is revoked, the user still needs to have access to the entitlement via the second role.



Note: you need to be uploading the data in ASSIGNEDFROMROLES, not ASSIGNEDFROMROLE.



Regards,

Avinash Chhetri
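
An added example, not part of the thread and not Saviynt's own code: a sketch of the backfill described in the two replies above (comma separated rolekeys in assignedfromroles, then an "is null" filter for the manager campaign), written as Python over an in-memory SQLite database. Only the table name account_entitlement1 and the column assignedfromroles come from the thread; the other tables, the simplified columns and every row are constructed stand-ins.

```python
import sqlite3

def build_demo_db():
    """Constructed miniature schema; only account_entitlement1 and
    assignedfromroles are names taken from the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role_entitlement_map (rolekey INTEGER, entitlement TEXT); -- hypothetical
        CREATE TABLE user_role_map (username TEXT, rolekey INTEGER);           -- hypothetical
        CREATE TABLE account_entitlement1 (
            username TEXT, entitlement TEXT, assignedfromroles TEXT);
        INSERT INTO role_entitlement_map VALUES (1,'B'), (2,'B'), (2,'C');
        INSERT INTO user_role_map VALUES ('X',1), ('X',2), ('Y',2);
        -- Imported access: nothing records how it was granted yet.
        INSERT INTO account_entitlement1 VALUES
            ('X','B',NULL), ('X','D',NULL), ('Y','B',NULL),
            ('Y','C',NULL), ('Z','B',NULL);
    """)
    return db

def backfill_assignedfromroles(db):
    """Tag a row only when the user currently holds a role that contains
    the entitlement; returns the number of rows tagged."""
    rows = db.execute("""
        SELECT ae.username, ae.entitlement, ur.rolekey
        FROM account_entitlement1 ae
        JOIN user_role_map ur ON ur.username = ae.username
        JOIN role_entitlement_map re
          ON re.rolekey = ur.rolekey AND re.entitlement = ae.entitlement
        WHERE ae.assignedfromroles IS NULL
    """).fetchall()
    rolekeys = {}
    for user, ent, rolekey in rows:
        rolekeys.setdefault((user, ent), set()).add(rolekey)
    for (user, ent), keys in rolekeys.items():
        value = ",".join(str(k) for k in sorted(keys))  # e.g. "1,2"
        db.execute("UPDATE account_entitlement1 SET assignedfromroles = ? "
                   "WHERE username = ? AND entitlement = ?", (value, user, ent))
    return len(rolekeys)

def manager_cert_scope(db):
    """Rows a campaign filtered on 'assignedfromroles is null' would keep."""
    return db.execute("""
        SELECT username, entitlement FROM account_entitlement1
        WHERE assignedfromroles IS NULL ORDER BY username, entitlement
    """).fetchall()
```

Because a row is tagged only when a current role membership explains it, direct grants (X's D, Z's B in the sample data) keep a null value and stay in the manager's review scope.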



Community_User
Saviynt Employee
Originally posted on November 10 2021 at 17:10 UTC

Hi Avinash,

I was able to update the assignedfromroles column using a custom query. I guess the assignedfromrole column doesn't allow comma separated values.

I also tried assigning the roles via Request Access for Multiple Users > Action > Bulk Upload Request, but it didn’t work; the preview page says role not found. Please refer to the screenshot below.


Community_User
Saviynt Employee
Originally posted on November 10 2021 at 22:45 UTC

Raj,


Please validate if the role name is correct, if they are active and the csv file you are using is correct.


Here's a screenshot and a sample that I'm able to upload.




Regards,

Avinash Chhetri

Community_User
Saviynt Employee
Originally posted on November 12 2021 at 15:00 UTC

Hi Avinash,

I’m confused about which file format we should use for upload; in your sample file the comments column says “CSV Upload” and the file you attached is in xls format.

We’re on version v5.5 SP3.9.15. It only accepts xls format; with other formats (csv, xlsx) it throws the below error.

And when I upload the file in xls format, I get the below screen after I click preview; I couldn’t find anything in the logs.

Let me know if I should submit a ticket. Is there documentation for this on Freshdesk?


Regards,

Raj.

Community_User
Saviynt Employee
Originally posted on November 12 2021 at 17:58 UTC

Hi Raj,


The sample file I provided was validated in v2020.1 and it should work in your environment, provided the information provided in it is correct.

The comment section in the file is just a string, it has nothing to do with the file format to be used for upload.


You should download a sample file from your system and use the one I gave to cross check/validate input data. The information I have has the bare minimum information to make this work.


Here are some links for you to read regarding this functionality.


https://saviynt.freshdesk.com/support/solutions/articles/43000600570

https://saviynt.freshdesk.com/a/solutions/articles/43000638097



Also, this is a forum; it is not public yet but nevertheless a forum. Please refrain from providing any customer sensitive information including the names, url, id/password etc.

Please mask/redact the information before posting.





Regards,

Avinash Chhetri
