
Remove all Non-birthright access

jbaskaran
Regular Contributor

Hi,

We are trying to remove only the Non-birthright access of the user.

Scenario: When a user is transferred (user update rule), we need to check whether any access is provisioned apart from the list of birthright access (technical rule); if there is any, remove all the non-birthright access.

We could achieve this using analytics, but since we are checking the ars table it applies only to new users created in Saviynt and not to the historical users imported from the HR source as part of the Full Import.

Analytical Query:

select ae.entitlement_valuekey as entvaluekey,
       ev.ENTITLEMENT_VALUE,
       ae.accountkey as acctKey,
       a.name,
       'Deprovision Access' as 'Default_Action_For_Analytics'
from USERS U
join user_accounts ua on ua.USERKEY = u.USERKEY
join accounts a on a.ACCOUNTKEY = ua.ACCOUNTKEY
join endpoints e on e.ENDPOINTKEY = a.ENDPOINTKEY
join account_entitlements1 ae on ae.ACCOUNTKEY = a.ACCOUNTKEY
join entitlement_values ev on ev.ENTITLEMENT_VALUEKEY = ae.ENTITLEMENT_VALUEKEY
JOIN arstasks ars on ars.taskkey = ae.arstaskkey
where STR_TO_DATE(U.CUSTOMPROPERTY34, '%Y-%m-%d %H:%i:%s') > date_sub(now(), interval 50 hour)
  and U.CUSTOMPROPERTY34 is not null
  and u.statuskey = 1
  and a.STATUS in ('1', 'active', 'Manually Provisioned')
  and e.ENDPOINTNAME like '%Active Directory%'
  and ars.source != 'ZERODAY'

Could anyone please help/assist on how to fix this to include all user identities in the Saviynt system when they match the Transfer condition?

Regards

JS

5 REPLIES

rushikeshvartak
All-Star

Can you elaborate the use case with an example?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

jbaskaran
Regular Contributor

Use case: When a user matches the transfer scenario condition, remove all access provisioned to the user except the access provisioned as part of Birthright (all access listed in the technical rule).

Joiner: Technical rule 1) - If CP1 = 'ABC','DEF','GHI' - Create AD account and provision a list of access as part of birthright (Group A, Group B, Group C, Group D)

Technical rule 2) If CP2 >=50, -- provision a list of access as part of birthright access (Group E, Group F)

Technical rule 3) If CP2 <=20, -- provision a list of access as part of birthright access (Group G, Group H)

Transfer : Condition :  If CP1 = '123','456','789' - Deprovision all non-birthright access.

List of access provisioned to user when Transfer is Initiated: (Group A, Group B, Group C, Group D, Group E, Group F, Group G, Group H, Group 12, Group 34, Group 56)

Expectation: The user should be removed from Group 12, Group 34 and Group 56, i.e. the groups which are not part of the technical rule (birthright access), and should retain access to Group A, Group B, Group C, Group D, Group E, Group F, Group G and Group H (which are part of birthright access).

Note: We are checking the same attribute to identify the Joiner or Transfer user scenario.

Regards

JB

rushikeshvartak
All-Star

  • We maintain a skiplist in this use case, where we have stored a Skiplist keyword in an entitlement customproperty.
  • Before wsretry we run an enhanced query to discontinue tasks created from rules for skiplist entitlements.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
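One way to combine the original query with the skiplist idea above, as an added example that is not from either poster or from Saviynt's own documentation: the JOIN on arstasks is what restricts the result to access provisioned by a Saviynt task, so it is dropped, and birthright entitlement values are instead recognised by a keyword stored on the entitlement value itself. The custom property number (CUSTOMPROPERTY10) and the keyword 'BIRTHRIGHT' are assumptions; the rest of the tables and columns come from the query in the question.

```sql
-- Added example (MySQL, as used by the analytics query in the question).
-- Lists non-birthright Active Directory access for users whose transfer timestamp in
-- CUSTOMPROPERTY34 is within the last 50 hours, regardless of whether the access arrived
-- via a Saviynt task, the Full Import, or manual provisioning.
-- ASSUMPTION: birthright entitlement values are tagged with the keyword 'BIRTHRIGHT' in
-- entitlement_values.CUSTOMPROPERTY10; both the column number and the keyword are placeholders.
SELECT ae.entitlement_valuekey AS entvaluekey,
       ev.ENTITLEMENT_VALUE,
       ae.accountkey           AS acctKey,
       a.name,
       'Deprovision Access'    AS Default_Action_For_Analytics
FROM USERS u
JOIN user_accounts ua         ON ua.USERKEY = u.USERKEY
JOIN accounts a               ON a.ACCOUNTKEY = ua.ACCOUNTKEY
JOIN endpoints e              ON e.ENDPOINTKEY = a.ENDPOINTKEY
JOIN account_entitlements1 ae ON ae.ACCOUNTKEY = a.ACCOUNTKEY
JOIN entitlement_values ev    ON ev.ENTITLEMENT_VALUEKEY = ae.ENTITLEMENT_VALUEKEY
-- no JOIN on arstasks: historical users imported by the Full Import have no task rows
WHERE u.CUSTOMPROPERTY34 IS NOT NULL
  AND STR_TO_DATE(u.CUSTOMPROPERTY34, '%Y-%m-%d %H:%i:%s') > DATE_SUB(NOW(), INTERVAL 50 HOUR)
  AND u.statuskey = 1
  AND a.STATUS IN ('1', 'active', 'Manually Provisioned')
  AND e.ENDPOINTNAME LIKE '%Active Directory%'
  -- NULL-safe comparison (<=>): an entitlement with no tag at all is treated as non-birthright
  AND NOT (ev.CUSTOMPROPERTY10 <=> 'BIRTHRIGHT');
```

Because the keyword lives on the entitlement value rather than on the task, the same list drives both this analytics control and the skiplist check that Rushikesh describes, and a group that is added to a technical rule later only needs its tag updated.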

NM
Honored Contributor II

Hi @jbaskaran, in a normal scenario it's the other way around... anyway.

The main part would be how you will track the change in CP1 via analytics.

What if you launch a certification?

jbaskaran
Regular Contributor

Hi @NM, we are checking and storing the details in CP34; that's the value we have mentioned in the analytics query condition, like below:

"UPDATE NEWUSERDATA N1 JOIN CURRENTUSERS C1 ON C1.USERNAME = N1.USERNAME
 SET N1.CUSTOMPROPERTY34 = (CASE
     WHEN (C1.CUSTOMPROPERTY4 NOT IN ('XFR','PRO','TAF') AND N1.CUSTOMPROPERTY4 IN ('XFR','PRO','TAF') AND C1.CUSTOMPROPERTY34 IS NULL) THEN NOW()
     WHEN (C1.CUSTOMPROPERTY4 IN ('XFR','PRO','TAF') AND C1.CUSTOMPROPERTY34 IS NOT NULL AND N1.CUSTOMPROPERTY4 NOT IN ('XFR','PRO','TAF')) THEN NULL
     ELSE C1.CUSTOMPROPERTY34 END);",

What if you launch a certification? - Sorry, can you please explain in detail what this ask is all about?

Regards

JB