07/12/2024 08:11 AM
I want to highlight two behaviors I observed when using Actionable Analytics. I’m not sure if there’s something wrong with my SQL query or if it’s an issue with the current version, Saviynt v5.5 SP3.
Before I discuss the issue, here’s my use case and setup:
I have an endpoint called "MWPMFAEXPEMT," which has only one entitlement, "ent1." This entitlement is mapped to another entitlement, "ent2," that belongs to the "Azure AD" endpoint. "MWPMFAEXPEMT" acts as a dummy endpoint (with approvals) just for requesting that one Azure AD group. We have a use case where users cannot be part of this Azure AD group for more than 12 hours.
For that, I created an Actionable Analytics report, and below is my query:
Now, when I run this report, here’s what I am seeing:
As you can see in the image below, the ent2 task is being created against the "MWPMFAEXPEMT" endpoint instead of the Azure AD endpoint. Task 104341 is created correctly with the right endpoint and security system, whereas task 104342 is also being created with the same "MWPMFAEXPEMT" as the endpoint and security system, even though "ent2" does not exist in that endpoint. It should be created under the "Azure AD" endpoint.
Let’s say I discontinue the tasks that are created from Actionable Analytics, as shown below. I am not getting the option to take action again when I rerun the analytic report.
07/12/2024 08:17 AM
07/12/2024 08:57 AM
I want to create a task for Endpoint A, but it should implicitly create a task for Azure AD as well, since the Azure AD entitlement is mapped to the Endpoint A related entitlement.
07/12/2024 10:08 AM
You need to use a union for the Azure AD endpoint to create the task. Analytics will not trigger a task for the entitlement map.
07/12/2024 01:38 PM
Don't you see an anomalous behavior here? Sure, I can do what you're asking (use the union for the Azure AD endpoint to create the task), but that is no longer needed. Whenever a remove access task is created for the actual endpoint (MWPMFAEXEMPT) entitlement (ent1), Saviynt should automatically create the remove access task for the Azure AD entitlement (ent2), which is mapped in the entitlement mapping. I made sure to set true for both 'Dependent Task' and 'Remove Ent Task.'
I see that the remove access task for the mapped entitlement is getting created, but the anomalous behavior is that instead of creating the task for the Azure AD endpoint, it is creating it for MWPMFAEXEMPT, even though ent2 exists in Azure AD and not in MWPMFAEXEMPT.
07/12/2024 02:24 PM
Yes, I do see the issue, but validate the behavior in the latest version.
07/17/2024 06:38 AM
@rushikeshvartak I did check the same in EIC v24.2 and we are seeing the same behavior.
I see that the remove access task for the mapped entitlement is getting created, but the anomalous behavior is that instead of creating the task for the Azure AD endpoint, it is creating it for MWPMFAEXEMPT, even though ent2 exists in Azure AD and not in MWPMFAEXEMPT.
07/17/2024 08:50 PM
Raise a support ticket for the issue.