We are trying to improve security related to movers. There is second- and third-level organization data that we receive into the user data from our HR system. We would like to be able to detect a change on that field and take action on the user's role membership at a later date. These are two acceptable solutions:
- Upon detection of field change, capture current role membership. After 30 days, automatically remove all roles in that captured list except for birthright. (I don't believe this is possible to do)
- After 30 days from a move detected, remove all roles except birthright that have not been requested in the past 30 days.
So far in the brainstorming, the second option seems possibly feasible. I thought that with a Saviynt-to-Saviynt connection and job, we could possibly query the update history along with dates and the role request history to put together a removal list. The only issue is that we cannot update roles through user import. Is there a way we could accomplish what we are trying to do? What are other customers doing to handle organization moves and access?
For both scenarios you can write an automated actionable analytical control to do this. The idea that you have about the query can be put into an analytical query, made into an actionable control, and scheduled to run every day.
Just ensure that the query is optimized so it does not cause performance issues and/or deadlocks.
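The query logic behind the second option (remove non-birthright roles 30 days after an org move, unless the role was requested since the move), as an added example that is not part of this thread and not Saviynt's own analytics SQL. It runs against an in-memory SQLite database with a constructed, hypothetical schema (`user_attr_history`, `roles`, `user_roles`, `role_requests`) and constructed sample users; a real control would be written against the Saviynt schema instead. One deliberate choice: instead of "not requested in the past 30 days" it checks "not approved on or after the move date", which is the same thing on the day the grace period expires but stays stable when the control is run every day afterwards, so a role re-requested after the move is never swept up by a later run. The block only builds the removal list; how that list is actioned is the open question in the thread.

```python
import sqlite3

# Constructed, hypothetical schema for illustration only. These are NOT
# Saviynt's real table or column names.
SCHEMA = """
CREATE TABLE user_attr_history (
    username TEXT, attribute TEXT, old_value TEXT, new_value TEXT,
    changed_on TEXT   -- ISO date written by the HR user import
);
CREATE TABLE roles         (role_name TEXT, role_type TEXT);  -- BIRTHRIGHT / ENTERPRISE
CREATE TABLE user_roles    (username TEXT, role_name TEXT);
CREATE TABLE role_requests (username TEXT, role_name TEXT, requested_on TEXT, status TEXT);
"""

# Constructed sample data (no real users). carol changes a non-org attribute
# only; dave moves twice, so only his latest move counts.
SAMPLE_ROWS = {
    "user_attr_history": [
        ("alice", "org_level2", "Finance",    "Engineering", "2024-01-10"),
        ("bob",   "org_level3", "Payroll",    "Treasury",    "2024-02-01"),
        ("carol", "title",      "Analyst",    "Sr Analyst",  "2024-01-05"),
        ("dave",  "org_level3", "Ops-East",   "Ops-West",    "2023-12-01"),
        ("dave",  "org_level2", "Operations", "Platform",    "2024-02-05"),
        ("erin",  "org_level2", "Sales",      "Marketing",   "2024-01-01"),
    ],
    "roles": [
        ("Base_Employee", "BIRTHRIGHT"), ("Finance_Reporting", "ENTERPRISE"),
        ("Eng_Repo_Admin", "ENTERPRISE"), ("Payroll_Viewer", "ENTERPRISE"),
        ("Ops_Dashboard", "ENTERPRISE"), ("Vendor_Portal", "ENTERPRISE"),
    ],
    "user_roles": [
        ("alice", "Base_Employee"), ("alice", "Finance_Reporting"), ("alice", "Eng_Repo_Admin"),
        ("bob", "Base_Employee"),   ("bob", "Payroll_Viewer"),
        ("carol", "Base_Employee"), ("carol", "Finance_Reporting"),
        ("dave", "Base_Employee"),  ("dave", "Ops_Dashboard"),
        ("erin", "Base_Employee"),  ("erin", "Vendor_Portal"),
    ],
    "role_requests": [
        ("alice", "Finance_Reporting", "2023-06-01", "APPROVED"),  # before the move
        ("alice", "Eng_Repo_Admin",    "2024-01-20", "APPROVED"),  # after the move: keep
        ("erin",  "Vendor_Portal",     "2023-12-15", "APPROVED"),  # before the move
        ("dave",  "Ops_Dashboard",     "2024-02-10", "REJECTED"),  # rejected: does not count
    ],
}

# Hypothetical analytics query. Only the latest org-field change per user is
# the "move"; birthright roles are never listed; a role approved on or after
# the move date is kept.
REMOVAL_QUERY = """
WITH last_move AS (
    SELECT username, MAX(changed_on) AS moved_on
    FROM user_attr_history
    WHERE attribute IN ('org_level2', 'org_level3')
    GROUP BY username
)
SELECT ur.username, ur.role_name, lm.moved_on
FROM user_roles ur
JOIN last_move lm ON lm.username = ur.username
JOIN roles r       ON r.role_name = ur.role_name
WHERE r.role_type <> 'BIRTHRIGHT'
  AND julianday(:as_of) - julianday(lm.moved_on) >= :grace
  AND NOT EXISTS (
      SELECT 1 FROM role_requests rq
      WHERE rq.username = ur.username
        AND rq.role_name = ur.role_name
        AND rq.status = 'APPROVED'
        AND rq.requested_on >= lm.moved_on
  )
ORDER BY ur.username, ur.role_name
"""


def load_sample_db():
    """Create the hypothetical schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def build_removal_list(conn, as_of, grace_days=30):
    """Return (username, role_name, moved_on) for every non-birthright role that
    should be removed when the control runs on the ISO date `as_of`."""
    return conn.execute(REMOVAL_QUERY, {"as_of": as_of, "grace": grace_days}).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for row in build_removal_list(db, "2024-02-15"):
        print(row)
```

Running it as of 2024-02-15 lists only alice's `Finance_Reporting` and erin's `Vendor_Portal`: bob and dave moved fewer than 30 days ago, carol's change was not an org field, and alice's `Eng_Repo_Admin` was approved after her move. Because the result depends on the move date rather than the run date, running the same control again a week later produces the same two rows plus any users whose grace period has since expired, which is what you want from a daily schedule.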
@mbinsale I have only seen "Deprovision Access" for analytics that pull in the entitlements. I have not found a way in analytics to remove enterprise roles from users. We wouldn't just be able to remove access from the accounts. Is there a way to remove the actual roles from users in the analytics?