
Overlapping Enterprise Role - effect of removal

BrandonLucas_BF
Regular Contributor III

If you have 2 enterprise roles with overlapping access, what is the intended effect on access when one of the roles is removed? We saw this situation in our environment, and when one of the roles was removed it triggered tasks to remove entitlements that are also present in the enterprise role the user was still part of. Is this normal?


dgandhi
All-Star

The overlapping access should not be removed.

Thanks,
Devang Gandhi

pruthvi_t
Saviynt Employee

Hi @BrandonLucas_BF ,

When there are enterprise roles with common entitlements and one of the roles is revoked, the revoke access tasks will be created for all the entitlements in the role (even for common entitlements). But the tasks for common entitlements will be closed with 'No action required'.

Kindly check in your environment on what's the current behaviour.

Regards,
Pruthvi

BrandonLucas_BF
Regular Contributor III

We definitely did not experience that. It created the removal tasks and then removed the access. The user was locked out of a few key systems.

Is it possible, even though the user is a member of the remaining role, that the entitlement was somehow not tied to them being a member of the role in the Saviynt database? Is that what the role mapping repair function is for?

Can you check the 2 fields below for your entitlement?

[Screenshot: dgandhi_0-1683303867955.png]

Thanks,
Devang Gandhi

@BrandonLucas_BF ,

As per my last comment, it only happens when the assigned from roles column mentioned by @dgandhi has 2 values (role keys of both roles with common entitlements) in the account_entitlements1 table. That's when, if one of the roles is removed, remove access tasks would be created and the common entitlement tasks will be closed with 'no action required' status.

Once the tasks are processed, the removed role's role key is removed from the assigned from roles column.

Regards,
Pruthvi

BrandonLucas_BF
Regular Contributor III

So, it may be too late to check and validate this because I had to correct the issue for the user, which I did by reapplying the role that had the entitlements they needed. Is this article discussing the problem in more detail? Unless I'm misunderstanding, that is what the repair role feature is for.

https://forums.saviynt.com/t5/community-knowledge-base/when-to-use-the-repair-role-to-user-mapping-r...

sai_sp
Saviynt Employee

@BrandonLucas_BF You can use the role repair/role retrofit feature to fix all the role mappings in your environment.

In your case it looks like the assignedfromroles columns are not populated correctly and hence the common entitlements are getting removed. Please fix the data mappings using this feature and you should not see the issue going forward.

The behaviour should be as what @pruthvi_t has mentioned.

Let's say a user has Role A and Role B. Entitlement E1 is common in both the roles. If Role A is removed, a task for E1 will be created but it will move to the status 'no action required' as the system identifies E1 to be a part of Role B. This will happen based on the assignedfromroles column in the account_entitlements1 table. So you can run the repair roles feature and the data should be fixed.

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter02-Identity-Repository/Repai...
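
The overlap handling described in the replies above, as an added example that is not part of the original posts and is not Saviynt code. It models the assignedfromroles value as a set of role keys per entitlement (an assumption about its shape), uses constructed role and entitlement names, and includes a hypothetical pre-revocation check that flags the incomplete mapping behind the lockout reported in this thread.

```python
# Added illustration with constructed data; a model of the behaviour described
# in the thread, not Saviynt code. Role keys and entitlement names are made up.
NO_ACTION = "No action required"
REMOVE = "Remove access"

def sample(drifted):
    """User holds ROLE_A and ROLE_B; E1 is common to both roles."""
    roles = {"ROLE_A", "ROLE_B"}
    role_ents = {"ROLE_A": {"E1", "E2"}, "ROLE_B": {"E1", "E3"}}
    # Stand-in for the assignedfromroles value kept per entitlement.
    assigned = {"E1": {"ROLE_A", "ROLE_B"}, "E2": {"ROLE_A"}, "E3": {"ROLE_B"}}
    if drifted:
        assigned["E1"] = {"ROLE_A"}  # ROLE_B was never recorded for E1
    return roles, role_ents, assigned

def find_mapping_drift(roles, role_ents, assigned):
    """Entitlements a held role grants but whose record omits that role key."""
    drift = []
    for role in sorted(roles):
        for ent in sorted(role_ents[role]):
            if role not in assigned.get(ent, set()):
                drift.append((ent, role))
    return drift

def revoke_role(role, roles, role_ents, assigned):
    """One task per entitlement in the revoked role; outcome depends on the record."""
    tasks = {}
    for ent in sorted(role_ents[role]):
        remaining = assigned.get(ent, set()) - {role}
        if remaining:
            tasks[ent] = NO_ACTION      # another held role still grants it
            assigned[ent] = remaining   # revoked role key dropped from the record
        else:
            tasks[ent] = REMOVE         # no other source recorded: access is removed
            assigned.pop(ent, None)
    roles.discard(role)
    return tasks

if __name__ == "__main__":
    for drifted in (False, True):
        roles, role_ents, assigned = sample(drifted)
        print("drift:", find_mapping_drift(roles, role_ents, assigned))
        print("tasks:", revoke_role("ROLE_A", roles, role_ents, assigned))
```

Running the drift check before a revocation shows which common entitlements would be removed, so the mapping can be repaired first.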

BrandonLucas_BF
Regular Contributor III

Thank you. Multiple good answers in this thread so gave kudos to all. Much appreciated.