05/04/2023 01:59 PM
If you have 2 enterprise roles with overlapping access, what is the intended effect on access when one of the roles is removed? We saw this situation in our environment, and when one of the roles was removed it triggered tasks to remove entitlements that are also present in the enterprise role the user was still part of. Is this normal?
05/04/2023 03:40 PM
The overlapping access should not be removed.
Thanks
05/04/2023 05:05 PM
Hi @BrandonLucas_BF ,
When there are enterprise roles with common entitlements and one of the roles is revoked, the revoke access tasks will be created for all the entitlements in the role (even for common entitlements). But the tasks for common entitlements will be closed with 'No action required'.
Kindly check in your environment what the current behaviour is.
Thanks,
05/05/2023 07:16 AM
We definitely did not experience that. It created the removal tasks and then removed the access. The user was locked out of a few key systems.
Is it possible, even though the user is a member of the remaining role, that the entitlement was somehow not tied to them being a member of the role in the Saviynt database? Is that what the role mapping repair function is for?
05/05/2023 09:24 AM
Can you check below 2 fields for your entitlement?
05/05/2023 10:34 AM
As per my last comment, it only happens when the assigned from roles column mentioned by @dgandhi has 2 values (role keys of both roles with common entitlements) in the account_entitlements1 table. That's when one of the roles is removed, remove access tasks would be created and the common entitlement tasks will be closed with 'no action required' status.
Once the tasks are processed, the removed role's role key is removed from the assigned from roles column.
Thanks,
05/08/2023 05:55 AM
So, it may be too late to check and validate this because I had to correct the issue for the user which I did by reapplying the role that had the entitlements they needed. Is this article discussing the problem in more detail? Unless I'm misunderstanding, that is what the repair role feature is for.
05/08/2023 12:01 PM
@BrandonLucas_BF You can use the role repair/role retrofit feature to fix all the role mappings in your environment.
In your case it looks like the assignedfromroles columns are not populated correctly and hence the common entitlements are getting removed. Please fix the data mappings using this feature and you should not see the issue going forward.
The behaviour should be as @pruthvi_t has mentioned.
Let's say a user has Role A and Role B. Entitlement E1 is common in both the roles. If Role A is removed, a task for E1 will be created but it will move to the status 'no action required' as the system identifies E1 to be a part of Role B. This will happen based on the assignedfromroles column in the account_entitlements1 table. So you can run the repair roles feature and the data should be fixed.
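The Role A / Role B scenario from the reply above, as an added example that is not part of the original thread and is not Saviynt code. It models the assignedfromroles column as a set of role keys per entitlement (an assumed layout, with hypothetical function names) and shows both the expected 'no action required' outcome and the removal that results when the remaining role was never recorded as a source.

```python
# Simplified model of the revoke logic described in this thread.
# Not Saviynt code: data layout and function names are assumptions.
NO_ACTION = "no action required"
REMOVE = "remove access"

# Constructed sample data: roles A and B share entitlement E1.
ROLES = {"A": {"E1", "E2"}, "B": {"E1", "E3"}}


def revoke_role(role, roles, assigned_from):
    """Create one task per entitlement in the revoked role.

    assigned_from maps entitlement -> set of role keys, standing in for
    the assignedfromroles column. It is updated in place once the tasks
    are processed.
    """
    tasks = {}
    for ent in sorted(roles[role]):
        remaining = assigned_from.get(ent, set()) - {role}
        if remaining:
            # Another role is still recorded as a source: keep the access.
            tasks[ent] = NO_ACTION
            assigned_from[ent] = remaining
        else:
            tasks[ent] = REMOVE
            assigned_from.pop(ent, None)
    return tasks


def mapping_gaps(user_roles, roles, assigned_from):
    """Pre-revoke check: (entitlement, role) pairs where a role the user
    holds grants the entitlement but is not recorded as its source."""
    return [(ent, role)
            for role in sorted(user_roles)
            for ent in sorted(roles[role])
            if role not in assigned_from.get(ent, set())]


if __name__ == "__main__":
    healthy = {"E1": {"A", "B"}, "E2": {"A"}, "E3": {"B"}}
    stale = {"E1": {"A"}, "E2": {"A"}, "E3": {"B"}}  # B missing for E1
    print("gaps (healthy):", mapping_gaps({"A", "B"}, ROLES, healthy))
    print("gaps (stale):  ", mapping_gaps({"A", "B"}, ROLES, stale))
    print("revoke A (healthy):", revoke_role("A", ROLES, healthy))
    print("revoke A (stale):  ", revoke_role("A", ROLES, stale))
```

A non-empty result from the gap check before a revoke is the condition under which a shared entitlement would be removed rather than closed as 'no action required'.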
05/08/2023 12:10 PM
Thank you. Multiple good answers in this thread so gave kudos to all. Much appreciated.