08/02/2024 04:27 AM
Hi,
We are trying to remove only the non-birthright access of the user.
Scenario: When a user is transferred (user update rule), we need to check whether any access is provisioned apart from the list of birthright access (technical rule); if there is, remove all the non-birthright access.
We could achieve this using analytics, but since we are checking the ars table, it applies only to new users created in Saviynt and not to the historical users that are imported from the HR source as part of a full import.
Analytical Query:
select ae.entitlement_valuekey as entvaluekey,
       ev.ENTITLEMENT_VALUE,
       ae.accountkey as acctKey,
       a.name,
       'Deprovision Access' as 'Default_Action_For_Analytics'
from USERS U
join user_accounts ua on ua.USERKEY = u.USERKEY
join accounts a on a.ACCOUNTKEY = ua.ACCOUNTKEY
join endpoints e on e.ENDPOINTKEY = a.ENDPOINTKEY
join account_entitlements1 ae on ae.ACCOUNTKEY = a.ACCOUNTKEY
join entitlement_values ev on ev.ENTITLEMENT_VALUEKEY = ae.ENTITLEMENT_VALUEKEY
join arstasks ars on ars.taskkey = ae.arstaskkey
where STR_TO_DATE(U.CUSTOMPROPERTY34, '%Y-%m-%d %H:%i:%s') > date_sub(now(), interval 50 hour)
  and U.CUSTOMPROPERTY34 is not null
  and u.statuskey = 1
  and a.STATUS in ('1','active','Manually Provisioned')
  and e.ENDPOINTNAME like '%Active Directory%'
  and ars.source != 'ZERODAY'
Could anyone please help/assist on how to fix this to include all user identities in the Saviynt system when they match the Transfer condition?
Regards
JS
08/02/2024 05:54 PM
Can you elaborate on the use case with an example?
08/02/2024 08:05 PM
Use case: When a user matches the transfer scenario condition, remove all access provisioned to the user except the access provisioned as part of birthright (all access listed in the technical rule).
Joiner: Technical rule 1) If CP1 = 'ABC','DEF','GHI' - Create AD account and provision a list of access as part of birthright (Group A, Group B, Group C, Group D)
Technical rule 2) If CP2 >=50 - provision a list of access as part of birthright access (Group E, Group F)
Technical rule 3) If CP2 <=20 - provision a list of access as part of birthright access (Group G, Group H)
Transfer: Condition: If CP1 = '123','456','789' - Deprovision all non-birthright access.
List of access provisioned to the user when Transfer is initiated: (Group A, Group B, Group C, Group D, Group E, Group F, Group G, Group H, Group 12, Group 34, Group 56)
Expectation: The user should be removed from (Group 12, Group 34, Group 56), i.e. groups which are not part of a technical rule (birthright access), and he should continue to have access to Group A, Group B, Group C, Group D, Group E, Group F, Group G, Group H (which are part of birthright access).
Note: We are checking the same attribute to identify the Joiner or Transfer user scenario.
Regards
JB
08/03/2024 01:32 AM
08/02/2024 10:55 PM
Hi @jbaskaran, in a normal scenario it's the other way around... anyway,
the main part would be how you will track the change in CP1 via analytics.
What if you launch a certification?
08/03/2024 04:04 AM
Hi @NM, we are checking and storing the details in CP34; that's the value we have mentioned in the analytics query condition, like below:
"UPDATE NEWUSERDATA N1 JOIN CURRENTUSERS C1 ON C1.USERNAME=N1.USERNAME SET N1.CUSTOMPROPERTY34 = (CASE WHEN (C1.CUSTOMPROPERTY4 NOT IN ('XFR','PRO','TAF') AND N1.CUSTOMPROPERTY4 IN ('XFR','PRO','TAF') AND C1.CUSTOMPROPERTY34 IS NULL) THEN NOW() WHEN (C1.CUSTOMPROPERTY4 IN ('XFR','PRO','TAF') AND C1.CUSTOMPROPERTY34 IS NOT NULL AND N1.CUSTOMPROPERTY4 NOT IN ('XFR','PRO','TAF') ) THEN NULL ELSE C1.CUSTOMPROPERTY34 END );",
What if you launch a certification? - Sorry, can you please explain in detail what this ask is all about?
Regards
JB
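
Added example, not part of the thread and not Saviynt's own code: a constructed SQLite model of the situation described above, showing why the inner join on arstasks returns nothing for imported accounts while an anti-join against a list of technical-rule entitlements returns Group 12, 34 and 56 for both. The reduced table layout, the `birthright_entitlements` table, the 'REQUEST' source value and the NULL `arstaskkey` on imported rows are assumptions.

```python
import sqlite3

# Constructed, simplified model of the tables named in the thread (not the real schema).
SCHEMA = """
CREATE TABLE arstasks (taskkey INTEGER PRIMARY KEY, source TEXT);
CREATE TABLE account_entitlements1 (accountkey INTEGER, entitlement_value TEXT, arstaskkey INTEGER);
-- Hypothetical allowlist: every entitlement named in a technical rule.
CREATE TABLE birthright_entitlements (entitlement_value TEXT PRIMARY KEY);
"""
BIRTHRIGHT = [f"Group {c}" for c in "ABCDEFGH"]   # from the use case in the thread
EXTRA = ["Group 12", "Group 34", "Group 56"]      # access expected to be removed

# Shape of the thread's query: decide by the provisioning task's source.
BY_TASK_SOURCE = """
SELECT ae.entitlement_value FROM account_entitlements1 ae
JOIN arstasks ars ON ars.taskkey = ae.arstaskkey
WHERE ae.accountkey = ? AND ars.source != 'ZERODAY'
ORDER BY ae.entitlement_value"""

# Alternative: decide by what the entitlement is, not by how it was provisioned.
BY_ALLOWLIST = """
SELECT ae.entitlement_value FROM account_entitlements1 ae
LEFT JOIN birthright_entitlements b ON b.entitlement_value = ae.entitlement_value
WHERE ae.accountkey = ? AND b.entitlement_value IS NULL
ORDER BY ae.entitlement_value"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO birthright_entitlements VALUES (?)", [(g,) for g in BIRTHRIGHT])
    db.execute("INSERT INTO arstasks VALUES (1, 'ZERODAY'), (2, 'REQUEST')")
    # Account 1: created in the platform, so every entitlement row has a task.
    db.executemany("INSERT INTO account_entitlements1 VALUES (1, ?, 1)", [(g,) for g in BIRTHRIGHT])
    db.executemany("INSERT INTO account_entitlements1 VALUES (1, ?, 2)", [(g,) for g in EXTRA])
    # Account 2: historical import, same access but no task rows (assumption).
    db.executemany("INSERT INTO account_entitlements1 VALUES (2, ?, NULL)",
                   [(g,) for g in BIRTHRIGHT + EXTRA])
    return db

def to_revoke(db, query, accountkey):
    """Return the entitlement values the given query would flag for one account."""
    return [row[0] for row in db.execute(query, (accountkey,))]

if __name__ == "__main__":
    db = build_db()
    for acct in (1, 2):
        print(acct, to_revoke(db, BY_TASK_SOURCE, acct), to_revoke(db, BY_ALLOWLIST, acct))
```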