11/28/2023 01:45 PM
If a user has a role that has three entitlements, and one of the entitlements is removed from AD, will Saviynt remove the role from the user? Or will Saviynt keep the role and just remove the entitlement?
Alternatively, will Saviynt try to overwrite what is in AD and attempt to put that entitlement back? If so, is there any way to prevent Saviynt from overwriting what is in AD?
11/28/2023 07:17 PM
A role is a Saviynt object.
If a user has a role that has three entitlements, and one of the entitlements is removed from AD, will Saviynt remove the role from the user? - Yes, the role will remain even if all/some of the entitlements get removed.
Or will Saviynt keep the role and just remove the entitlement? - The entitlement will be removed if it's removed from AD.
Alternatively, will Saviynt try to overwrite what is in AD and attempt to put that entitlement back? If so, is there any way to prevent Saviynt from overwriting what is in AD? - It will not overwrite and add the entitlement back.
11/29/2023 09:22 AM
Is there anything which can be configured to have the role removed if the user is missing entitlements which are inside of the role?
11/29/2023 01:13 PM
You can create an analytics report to add the entitlement based on the role the user has.
You can use the OOTB report for reference.
Refer to the role mismatch feature: https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter17-EIC-Analytics/Managing-An...
11/30/2023 11:24 AM
I'm reading the Surplus Access portion, but I'm not sure it fits what I'm explicitly asking. I'm wondering if there's a way to remove a role from the user if the user is missing entitlements which are inside of the role? So they have a role and got an entitlement removed, but the role remains. Is there a way to remove the role but keep the remaining entitlements?
11/30/2023 08:44 PM
You can create analytics with "Deprovision Role" action for removing roles in case of missing access.
When Deprovision Role is configured as an allowed action, it removes the role from user profile in EIC. This is applicable for enterprise, application and emergency access roles. When this action is performed on a record, a task is created for removing user access for the entitlements associated with the roles.
The Analytics query must have the columns given below:
userkey - Userkey of the user to whom the account is mapped.
acctKey - Accountkey of the account from which the entitlement access will be revoked.
roleKey - Rolekey of the role from which the entitlement access will be revoked.
Sample query:
select r.ROLE_NAME, u.username as name, rua.ROLEKEY as roleKey, rua.ACCOUNTKEY as acctKey, u.USERKEY as userKey, 'Deprovision Role' as 'Default_Action_For_Analytics'
from role_user_account rua
join user_accounts ua on ua.ACCOUNTKEY = rua.ACCOUNTKEY
join users u on u.USERKEY = ua.USERKEY
join roles r on r.ROLEKEY = rua.ROLEKEY
where r.STATUS = 1;
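The sample query above returns every assignment of an active role. As an added example (not part of the original replies and not Saviynt's own code), the script below narrows the same result columns to assignments where the account is missing at least one entitlement of the role. The tables `role_entitlements` and `account_entitlements1`, the column `ENTITLEMENT_VALUEKEY`, and all sample rows are assumptions for illustration, and it assumes every entitlement in the role belongs to the same account.

```sql
-- Added example: constructed miniature of the tables used by the sample query.
-- role_entitlements and account_entitlements1 (and ENTITLEMENT_VALUEKEY) are
-- ASSUMED names; confirm them against your EIC schema before using the SELECT.
CREATE TABLE users (USERKEY INT, username VARCHAR(50));
CREATE TABLE user_accounts (USERKEY INT, ACCOUNTKEY INT);
CREATE TABLE roles (ROLEKEY INT, ROLE_NAME VARCHAR(50), STATUS INT);
CREATE TABLE role_user_account (ROLEKEY INT, ACCOUNTKEY INT);
CREATE TABLE role_entitlements (ROLEKEY INT, ENTITLEMENT_VALUEKEY INT);
CREATE TABLE account_entitlements1 (ACCOUNTKEY INT, ENTITLEMENT_VALUEKEY INT);

-- Constructed data: role 10 bundles entitlements 100, 101 and 102.
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO user_accounts VALUES (1, 11), (2, 22);
INSERT INTO roles VALUES (10, 'AD_Finance_Role', 1);
INSERT INTO role_user_account VALUES (10, 11), (10, 22);
INSERT INTO role_entitlements VALUES (10, 100), (10, 101), (10, 102);
-- alice's account still holds all three; bob's account lost 102 in AD.
INSERT INTO account_entitlements1 VALUES
  (11, 100), (11, 101), (11, 102),
  (22, 100), (22, 101);

-- Same columns as the sample query, restricted to role assignments where at
-- least one entitlement of the role is not present on the mapped account.
SELECT r.ROLE_NAME,
       u.username     AS name,
       rua.ROLEKEY    AS roleKey,
       rua.ACCOUNTKEY AS acctKey,
       u.USERKEY      AS userKey,
       'Deprovision Role' AS Default_Action_For_Analytics
FROM role_user_account rua
JOIN user_accounts ua ON ua.ACCOUNTKEY = rua.ACCOUNTKEY
JOIN users u ON u.USERKEY = ua.USERKEY
JOIN roles r ON r.ROLEKEY = rua.ROLEKEY
WHERE r.STATUS = 1
  AND EXISTS (
        SELECT 1
        FROM role_entitlements re
        WHERE re.ROLEKEY = rua.ROLEKEY
          AND NOT EXISTS (
                SELECT 1
                FROM account_entitlements1 ae
                WHERE ae.ACCOUNTKEY = rua.ACCOUNTKEY
                  AND ae.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY));
```

Run the SELECT as a report with no default action first and review the flagged rows before allowing Deprovision Role on them.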