
Implemented the SOD for role conflicts.

vermark
Regular Contributor

Hi Team,


We have implemented the SOD for role conflicts.

Example - Let's say we have two roles, roleA and roleB. No user is allowed to have both roles assigned to them at the same time. If that is the case, it is an SOD policy violation.

To implement it, we have created two functions, function1 with the name roleA and function2 with the name roleB, and added the underlying entitlements from roleA and roleB to function1 and function2 respectively.
Now, when I remediated an open violation by removing one of the conflicting accesses, a remove access task was generated. After that task was complete, the underlying entitlement was removed from the target, but the role is not removed from the user profile in Saviynt.

Please let us know how the role will be removed.

Also, is there any other way to implement the SOD for conflicting roles?


ParitaSavla
Saviynt Employee

You will have to remove the role manually by going to the user --> roles, or going to the role --> users, as the role will not get removed in this case.

vermark
Regular Contributor

1. When the underlying entitlements are removed by SOD remediation, you cannot remove the role manually either, because it becomes a placeholder-type object and cannot be removed.

2. Removing roles manually doesn't sound like a solution to me. It should be fixed by Saviynt.

Also, I am open to suggestions if role SODs can be implemented in some other, better way.

ParitaSavla
Saviynt Employee

The function name is just a logical representation and has no actual relation to the enterprise role. It looks like there is only 1 entitlement under roleA and 1 entitlement under roleB, so remediating the SoD will only remove entA and not roleA. This is expected behavior.

If you try removing the role from the user manually it should work, because I have tested the scenario where the entitlement (belonging to the role) is removed from the account first, after which one can go ahead and remove the role from the user.

Another option would be to use actionable analytics with the Deprovision Role action, which can be triggered once the SoD is remediated and the entitlement task is complete. Please refer to the example below for actionable analytics and tweak the query as per your use case:

https://docs.saviyntcloud.com/bundle/EIC-Admin-v2021x/page/Content/Chapter17-EIC-Analytics/Configuri...

vermark
Regular Contributor

You got it right: we have 1 entitlement under roleA and 1 entitlement under roleB. After remediation the entitlement got removed from the user account, but still we are not able to remove the role.

We tried both ways, manually and through actionable analytics, but it is still not working.

Is this something environment-specific, or some other issue? Please suggest.

rushikeshvartak
All-Star

You can make an actionable report with the Remove Role action to remove the role object. Yes, it seems not to be a fully furnished solution.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

ParitaSavla
Saviynt Employee

It needs to be triaged on Freshdesk with logs, as the expected behavior is outlined in the response above.

Bharadwaj
Regular Contributor

Hi, we have a similar requirement where we have more than one entitlement in each role. After we ran the detective SoD job, we do not see the option of remediating the complete role, but only the option to remediate the respective entitlement.

We are using v5.5 SP3.17. Has a solution to this been found in the newer versions (v2023.01), or do we still need to rely on the actionable analytics workaround?

Please let me know.

Thanks.

vermark
Regular Contributor

We are using the analytics report for this:

select distinct u.username,
       r.role_name,
       ru.accountkey as acctKey,
       at.userkey    as userKey,
       re.rolekey    as roleKey,
       'Deprovision Role' as Default_Action_For_Analytics
from arstasks at
-- map the entitlement the task removed back to the role(s) that contain it
join role_entitlements re on re.entitlement_valuekey = at.entitlement_valuekey
-- keep only roles the user actually holds
join role_user_account ru on ru.userkey = at.userkey and ru.rolekey = re.rolekey
join users u on u.userkey = at.userkey
join roles r on r.rolekey = re.rolekey
where at.comments = 'Task Created as part of SOD remediation'  -- only tasks raised by SOD remediation
  and at.status = 3                                            -- 3 = Completed: entitlement already removed on the target
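The thread also asks whether role-level SOD can be implemented without going through functions and entitlements. One alternative is an actionable analytics control that checks the role assignments directly: find users who hold both conflicting roles and hand one of them to the Deprovision Role action. The query below is an added example, not code from the thread or from Saviynt; it assumes only the tables and columns already used in the query above (users, roles, role_user_account) and uses 'roleA' and 'roleB' as placeholder role names.

```sql
-- Added example (not from the thread): flag users holding BOTH conflicting roles
-- and deprovision roleB. Assumes Saviynt tables/columns seen above:
-- users(userkey, username), roles(rolekey, role_name),
-- role_user_account(userkey, rolekey, accountkey). Role names are placeholders.
select distinct u.username,
       rb.role_name,
       rub.accountkey     as acctKey,
       u.userkey          as userKey,
       rb.rolekey         as roleKey,
       'Deprovision Role' as Default_Action_For_Analytics
from users u
-- first conflicting role: the user must hold roleA ...
join role_user_account rua on rua.userkey = u.userkey
join roles ra on ra.rolekey = rua.rolekey and ra.role_name = 'roleA'
-- ... and at the same time roleB; only users matching both joins survive
join role_user_account rub on rub.userkey = u.userkey
join roles rb on rb.rolekey = rub.rolekey and rb.role_name = 'roleB'
```

Run it as a plain (detective) report first and check the row count before attaching the Deprovision Role action: every row returned becomes a removal task. Which of the two roles to remove is a policy decision, so pick it deliberately rather than always dropping the second role, and test in a non-production environment first.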