09/19/2024 01:15 AM - edited 09/19/2024 03:17 AM
Hello,
We need to assign the role_org "entitlements" based on user.employeeclass, and we did that by creating technical rules to check users.employeeclass and assign the right entitlement. However, if the employeeclass is updated, for example from 123 to 678, the account will get the new entitlements for 678 but the old entitlements for 123 won't be removed. How do I ensure they get removed?
Because if I add a deprovision access action in the technical rule, I think this will remove all the access the account has, right? And the new one for 678 wouldn't get assigned? Because the user should only have one entitlement.
Also, is there another way to assign the entitlements, for example with a config file that would say: if users.employeeclass = "123" then assign to this rule?
I also have a condition where for some users the role_org is not in the employeeclass, and I have to compare user attributes to see if they match entitlement attributes, for example:
users.CUSTOMPROPERTY4 == entitlements.customProperty8
and users.ORGUNITID == entitlements.customProperty9
Is there any other way to do it other than if statements or creating many technical rules, since there are A LOT?
Thank you!
09/19/2024 05:14 AM
09/19/2024 06:31 AM
@rushikeshvartak
Yes, thank you. I was already on it, and I tried the following in Data Analyzer and it worked:

    SELECT
        u.userKey AS userKey,
        ev.entitlement_valuekey AS entvaluekey,
        a.accountkey AS acctKey,
        a.name AS accName,
        'Provision Access' AS Default_Action_For_Analytics
    FROM
        users u
    JOIN
        user_accounts ua ON u.userkey = ua.userkey
    JOIN
        accounts a ON ua.accountkey = a.accountkey
    JOIN
        entitlement_values ev ON (
            ev.entitlement_value = CASE
                WHEN u.employeeclass IN ('123') THEN 'xxxxxxxxxxxxxxxxxxx'
                WHEN u.employeeclass IN ('321') THEN 'xxxxxxxxxxxxxxxxx'
            END
            OR
            (ev.customProperty8 = u.CUSTOMPROPERTY4 AND ev.customProperty9 = u.DEPARTMENTNUMBER)
        );

But what about removing the entitlements when the employeeclass changes, or the other condition?
Also, would the actionable report be triggered automatically when a new account is created for an existing user? Or how do we make it trigger automatically when the employeeclass is updated or a new account is created? Also, does it create an add access task that would be executed using the provisioning job?
09/19/2024 06:34 AM
09/19/2024 06:51 AM
@rushikeshvartak
you mean to put the analytics job and the provisioning job in one chain job? there is no way for it to trigger a task creation automatically like user update rules do ?
- can you please provide me with a sample of the UNION query that would be used here ? thank you so much
09/19/2024 10:37 AM
you mean to put the analytics job and the provisioning job in one chain job? there is no way for it to trigger a task creation automatically like user update rules do ? - No

    SELECT
        u.userKey AS userKey,
        ev.entitlement_valuekey AS entvaluekey,
        a.accountkey AS acctKey,
        a.name AS accName,
        'Provision Access' AS Default_Action_For_Analytics
    FROM
        users u
    JOIN
        user_accounts ua ON u.userkey = ua.userkey
    JOIN
        accounts a ON ua.accountkey = a.accountkey
    JOIN
        entitlement_values ev ON (
            ev.entitlement_value = CASE
                WHEN u.employeeclass IN ('123') THEN 'xxxxxxxxxxxxxxxxxxx'
                WHEN u.employeeclass IN ('321') THEN 'xxxxxxxxxxxxxxxxx'
            END
            OR
            (ev.customProperty8 = u.CUSTOMPROPERTY4 AND ev.customProperty9 = u.DEPARTMENTNUMBER)
        )
    UNION
    SELECT
        u.userKey AS userKey,
        ev.entitlement_valuekey AS entvaluekey,
        a.accountkey AS acctKey,
        a.name AS accName,
        'Deprovision Access' AS Default_Action_For_Analytics
    FROM
        users u
    JOIN
        user_accounts ua ON u.userkey = ua.userkey
    JOIN
        accounts a ON ua.accountkey = a.accountkey
    JOIN
        entitlement_values ev ON (
            ev.entitlement_value = CASE
                WHEN u.employeeclass IN ('123') THEN 'xxxxxxxxxxxxxxxxxxx'
                WHEN u.employeeclass IN ('321') THEN 'xxxxxxxxxxxxxxxxx'
            END
            OR
            (ev.customProperty8 = u.CUSTOMPROPERTY4 AND ev.customProperty9 = u.DEPARTMENTNUMBER)
        )
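
An added example, not part of the original thread and not Saviynt's own code: the provision/deprovision report written as a diff between what each account should hold and what it holds now, so an employeeclass change from 123 to 678 yields one add and one remove while unrelated access is left alone. It runs on SQLite with constructed data; the `held_entitlements` table, the `ROLE_*` and `VPN_USER` values, and the filter that marks an entitlement as rule-managed are assumptions for illustration.

```python
import sqlite3
# Constructed data. users/user_accounts/accounts/entitlement_values follow the thread's
# queries; held_entitlements (current assignments) and ROLE_*/VPN_USER are assumptions.
SETUP = """
CREATE TABLE users (userkey, employeeclass, customproperty4, departmentnumber);
CREATE TABLE user_accounts (userkey, accountkey);
CREATE TABLE accounts (accountkey, name);
CREATE TABLE entitlement_values (entitlement_valuekey, entitlement_value, customproperty8, customproperty9);
CREATE TABLE held_entitlements (accountkey, entitlement_valuekey);
INSERT INTO users VALUES (1,'678',NULL,NULL),(2,'123',NULL,NULL),(3,NULL,'CP4','D9');
INSERT INTO user_accounts VALUES (1,10),(2,20),(3,30);
INSERT INTO accounts VALUES (10,'alice'),(20,'bob'),(30,'carol');
INSERT INTO entitlement_values VALUES (100,'ROLE_123',NULL,NULL),(101,'ROLE_678',NULL,NULL),
  (102,'ROLE_ORG','CP4','D9'),(103,'VPN_USER',NULL,NULL);
INSERT INTO held_entitlements VALUES (10,100),(10,103),(20,100),(30,101);
"""
PLAN = """
WITH desired AS (  -- the entitlement each account should hold right now
  SELECT u.userkey, a.accountkey, a.name, ev.entitlement_valuekey
  FROM users u
  JOIN user_accounts ua ON u.userkey = ua.userkey
  JOIN accounts a ON ua.accountkey = a.accountkey
  JOIN entitlement_values ev ON (
    ev.entitlement_value = CASE WHEN u.employeeclass IN ('123') THEN 'ROLE_123'
                                WHEN u.employeeclass IN ('678') THEN 'ROLE_678' END
    OR (ev.customproperty8 = u.customproperty4
        AND ev.customproperty9 = u.departmentnumber)))
SELECT d.userkey AS userKey, d.entitlement_valuekey AS entvaluekey,
       d.accountkey AS acctKey, d.name AS accName,
       'Provision Access' AS Default_Action_For_Analytics
FROM desired d                      -- desired but not yet held
WHERE NOT EXISTS (SELECT 1 FROM held_entitlements h WHERE h.accountkey = d.accountkey
                  AND h.entitlement_valuekey = d.entitlement_valuekey)
UNION
SELECT ua.userkey, h.entitlement_valuekey, a.accountkey, a.name, 'Deprovision Access'
FROM held_entitlements h            -- held, managed by this rule, no longer desired
JOIN accounts a ON a.accountkey = h.accountkey
JOIN user_accounts ua ON ua.accountkey = h.accountkey
JOIN entitlement_values ev ON ev.entitlement_valuekey = h.entitlement_valuekey
WHERE (ev.entitlement_value IN ('ROLE_123','ROLE_678') OR ev.customproperty8 IS NOT NULL)
  AND NOT EXISTS (SELECT 1 FROM desired d WHERE d.accountkey = h.accountkey
                  AND d.entitlement_valuekey = h.entitlement_valuekey)
"""
def plan_actions():
    """Run the report on the constructed data and return its rows, sorted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return sorted(conn.execute(PLAN).fetchall())
```

Without the managed-entitlement filter in the second branch, every entitlement outside the mapping (here `VPN_USER`) would also be flagged for removal.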