
Actionable analytic report wrong task creation for entitlement mapping

RajeshA
Regular Contributor

 

I want to highlight two behaviors I observed when using Actionable Analytics. I’m not sure if there’s something wrong with my SQL query or if it’s an issue with the current version, Saviynt v5.5 SP3.

Before I discuss the issue, here’s my use case and setup:

I have an endpoint called "MWPMFAEXPEMT," which has only one entitlement, "ent1." This entitlement is mapped to another entitlement, "ent2," that belongs to the "Azure AD" endpoint. "MWPMFAEXPEMT" acts as a dummy endpoint (with approvals) just for requesting that one Azure AD group. We have a use case where users cannot be part of this Azure AD group for more than 12 hours.

For that, I created an Actionable Analytics report, and below is my query:

 

SELECT u.username,
       ae1.entitlement_valuekey AS entvaluekey,
       ev.ENTITLEMENT_VALUE,
       ae1.accountkey AS acctKey,
       a.name,
       'Deprovision Access' AS 'Default_Action_For_Analytics'
FROM accounts a
JOIN user_accounts ua ON a.accountkey = ua.accountkey
JOIN users u ON ua.userkey = u.userkey
JOIN endpoints ep ON a.endpointkey = ep.endpointkey
JOIN account_entitlements1 ae1 ON a.accountkey = ae1.accountkey
JOIN entitlement_values ev ON ae1.entitlement_valuekey = ev.entitlement_valuekey
WHERE ep.endpointname = 'MWPMFAExempt'
  AND a.status IN (1, 'Active', 'Manually Provisioned')
  AND ev.entitlement_value = 'ent1'
  -- DATEDIFF() counts whole calendar days, so DATEDIFF(...) * 24 >= 12 only
  -- becomes true after a date change; compare elapsed hours instead.
  AND TIMESTAMPDIFF(HOUR, ae1.updatedate, NOW()) >= 12

Now, when I run this report, here’s what I am seeing:

Issue #1

As you can see in the image below, the ent2 task is being created against the "MWPMFAEXPEMT" endpoint instead of the Azure AD endpoint. Task 104341 is created correctly with the right endpoint and security system, whereas task 104342 is also being created with the same "MWPMFAEXPEMT" as the endpoint and security system, even though "ent2" does not exist in that endpoint. It should be created under the "Azure AD" endpoint.

RajeshA_0-1720796114759.png

Issue #2

Let’s say I discontinue the tasks that are created from Actionable Analytics, as shown below. I am not getting the option to take action again when I rerun the analytic report.

RajeshA_1-1720796751556.png

RajeshA_2-1720796884633.png

 


rushikeshvartak
All-Star
  • Do you want to create a task for Endpoint A or Azure AD?

Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

RajeshA
Regular Contributor

I want to create a task for Endpoint A, but it should implicitly create a task for Azure AD as well, since the Azure AD entitlement is mapped to the Endpoint A-related entitlement.

 

 

You need to use a UNION for the Azure AD endpoint to create the task. Analytics will not trigger a task for the entitlement map.


Regards,
Rushikesh Vartak
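The UNION approach suggested in the reply above, as an added example (not code from the thread or from Saviynt). It reuses the tables, columns and endpoint names from the query in the original post; the join path that ties a user's Azure AD account to their MWPMFAExempt entitlement is an assumption, and the age test uses TIMESTAMPDIFF so that it counts elapsed hours.

```sql
-- Added example, not from the thread. Tables, columns and endpoint names come
-- from the query in the original post; the Azure AD join path is an assumption.
-- Branch 1: ent1 on the dummy endpoint, held for 12 hours or more.
SELECT u.username, ae1.entitlement_valuekey AS entvaluekey, ev.entitlement_value,
       ae1.accountkey AS acctKey, a.name,
       'Deprovision Access' AS 'Default_Action_For_Analytics'
FROM accounts a
JOIN user_accounts ua ON a.accountkey = ua.accountkey
JOIN users u ON ua.userkey = u.userkey
JOIN endpoints ep ON a.endpointkey = ep.endpointkey
JOIN account_entitlements1 ae1 ON a.accountkey = ae1.accountkey
JOIN entitlement_values ev ON ae1.entitlement_valuekey = ev.entitlement_valuekey
WHERE ep.endpointname = 'MWPMFAExempt'
  AND a.status IN (1, 'Active', 'Manually Provisioned')
  AND ev.entitlement_value = 'ent1'
  AND TIMESTAMPDIFF(HOUR, ae1.updatedate, NOW()) >= 12

UNION

-- Branch 2: the same users' Azure AD accounts that still hold the mapped ent2.
SELECT u2.username, ae2.entitlement_valuekey, ev2.entitlement_value,
       ae2.accountkey, a2.name, 'Deprovision Access'
FROM accounts a2
JOIN user_accounts ua2 ON a2.accountkey = ua2.accountkey
JOIN users u2 ON ua2.userkey = u2.userkey
JOIN endpoints ep2 ON a2.endpointkey = ep2.endpointkey
JOIN account_entitlements1 ae2 ON a2.accountkey = ae2.accountkey
JOIN entitlement_values ev2 ON ae2.entitlement_valuekey = ev2.entitlement_valuekey
WHERE ep2.endpointname = 'Azure AD'
  AND a2.status IN (1, 'Active', 'Manually Provisioned')
  AND ev2.entitlement_value = 'ent2'
  AND EXISTS (
    SELECT 1
    FROM user_accounts ua1
    JOIN accounts a1 ON ua1.accountkey = a1.accountkey
    JOIN endpoints ep1 ON a1.endpointkey = ep1.endpointkey
    JOIN account_entitlements1 x1 ON a1.accountkey = x1.accountkey
    JOIN entitlement_values v1 ON x1.entitlement_valuekey = v1.entitlement_valuekey
    WHERE ua1.userkey = u2.userkey
      AND ep1.endpointname = 'MWPMFAExempt'
      AND a1.status IN (1, 'Active', 'Manually Provisioned')
      AND v1.entitlement_value = 'ent1'
      AND TIMESTAMPDIFF(HOUR, x1.updatedate, NOW()) >= 12
  );
```

If 'Dependent Task' and 'Remove Ent Task' are also enabled on the entitlement map, as described later in the thread, check the generated tasks for a duplicate ent2 removal.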

RajeshA
Regular Contributor

@rushikeshvartak 

Don't you see an anomalous behavior here? Sure, I can do what you're asking (use the union for the Azure AD endpoint to create the task), but that is no longer needed. Whenever a remove access task is created for the actual endpoint (MWPMFAEXEMPT) entitlement (ent1), Saviynt should automatically create the remove access task for the Azure AD entitlement (ent2), which is mapped in the entitlement mapping. I made sure to set true for both 'Dependent Task' and 'Remove Ent Task.'

I see that remove access task for mapped entitlement is getting created, but the anomalous behavior is that instead of creating the task for the Azure AD endpoint, it is creating it for MWPMFAEXEMPT, even though ent2 exists in Azure AD and not in MWPMFAEXEMPT. 

RajeshA_0-1720816619403.png

 

 

Yes, I do see the issue, but validate the behavior in the latest version.


Regards,
Rushikesh Vartak

RajeshA
Regular Contributor

@rushikeshvartak I did check the same in EIC v24.2, and we are seeing the same behavior.

I see that remove access task for mapped entitlement is getting created, but the anomalous behavior is that instead of creating the task for the Azure AD endpoint, it is creating it for MWPMFAEXEMPT, even though ent2 exists in Azure AD and not in MWPMFAEXEMPT. 

Raise a support ticket for the issue.


Regards,
Rushikesh Vartak