Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Need to deprovision role via analytics for the entitlements which are not present for user

SeemaDas
New Contributor III
New Contributor III

Hello Team,

        For one of the application we are provisioning access to user via application and enterprise role. As per requirement user should have only one role at a time. When user requests for 1 application role and 1 enterprise role and if both requests are approved, then user profile shows both roles whereas only 1 entitlement is showing in entitlement hierarchy.

So, we need to deprovision the role for which user do not hold any entitlement. I need the role and entitlement table relationship to create a query for analytics.

Basically, the query should check for user's entitlements and roles and if the entitlement and role does not match, then it should create "Deprovision Role" task.

Any help is appreciated. Thanks.

 

Regards,

Seema Das 

10 REPLIES 10

naveenss
All-Star
All-Star

Hi @SeemaDas  please find the sample below. 

SELECT 
    u.userkey AS userKey,
    u.username,
    r.role_name AS 'Role Name',
    r.rolekey AS roleKey,
    a.name AS 'Account Name',
    a.accountkey AS acctKey,
    SYSDATE(),
    'Deprovision Role' AS 'Default_Action_For_Analytics'
FROM
    users u
        INNER JOIN
    user_accounts ua ON ua.userkey = u.userkey
        INNER JOIN
    accounts a ON a.accountkey = ua.accountkey
        INNER JOIN
    endpoints ed ON ed.endpointkey = a.endpointkey
        INNER JOIN
    role_user_account rua ON rua.userkey = u.userkey
        AND rua.accountkey = a.accountkey
        INNER JOIN
    roles r ON r.rolekey = rua.rolekey
        AND r.endpointkey = ed.endpointkey
WHERE
    ed.endpointname = 'endpointname'

Let me know if this helps!

 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

SeemaDas
New Contributor III
New Contributor III

@naveenss Hi Naveen,

 Though query does not have any error, it is not showing the expected search result. I am expecting the user list for which the entitlement and role does not match.

For ex: 

Users:                 user1     user2

Entitlements:   A              A

Roles:                 A and B

So, the query should return user1 and user2 as they hold only entitlement A, so they should have only role A.

role B should present for deprovision role task as user do not hold corresponding entitlement B

Hope I explained the requirement properly.

Hi @SeemaDas the above sample query was just for reference to create an actionable analytics to deprovision role. The conditions for your requirement must be included into the query. Let me know if you need any help in framing that. 

 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

You can’t De provision role if there are no entitlements tagged to account from role. There should one entitlement tagged to account. Task always created bases on entitlement hence its working as expected 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

@rushikeshvartak  If this is the case, there is no way to clean the roles for which user do not hold entitlement as at Saviynt end we can still see the requested roles? And I assumed such roles will not be part of the certification as well, correct OR Do I need to take any steps to include only associated roles for certification? I observed that even though the role owner campaign has (Decommision Role and remove user from role) action, the role still shows for user though user is in "inactive/suspended from import" status.

This is known limitation upvoting the idea can help

https://ideas.saviynt.com/ideas/EIC-I-2392


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

naveenss
All-Star
All-Star

In addition to the above sample, to check the entitlement association, please use account_entitlements1 and role_entitlements table.

 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

SeemaDas
New Contributor III
New Contributor III

Hello Team,

    I tried following scenario

1) User had enterprise RoleA with entitlement A on 4 different security system
2) Then he requested for RoleB with entitlement B on 4 different security system
3) On user profile, he has entitlement B on 4 endpoints
4) In roles, it was still showing RoleA and RoleB
5) I removed RoleA  using user profile-->remove role from UI as there is no entitlement for RoleA present now
6) After approval, the Role got removed by creating remove access task

So, I am trying to find out such users for which 2 roles present but corresponding entitlement not present. Is there any way to achieve it via analytics query?

entitlement A on 4 different security system How this can be possible ?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

You can build query based on below tables and columns

  • role_user_Accounts --> Role to User mapping (user currently will have this roles)
  • account_entitlements1 --> Assignedfromroles flag ( this will confirm if any entitlements from roles are assigned to account or not)

based on above two tables you should be able to fetch required info


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.