11/13/2023 05:36 AM - edited 11/13/2023 05:49 AM
Hello developers,
We have a use case to revoke certain roles from contractor users after a period of 1 month from when they were assigned.
We are looking at actionable analytics to achieve this, using the accounts_entitlements1 table to get the start date and then deprovision the role.
However, it seems we can deprovision an entitlement but not the role through which the entitlement was assigned.
Is there any solution to achieve this use case? Do let me know if there is any alternate approach.
Thanks,
Akhil Vatsa
11/13/2023 06:35 AM
Configuring Allowed Actions (saviyntcloud.com)
11/13/2023 08:43 PM
Thanks for the response Sumathi, I think for version 5.5 this option is not available
11/13/2023 10:29 PM
Ok. Specify Default Time Frame while creating/updating the role.
Schedule create task for future ent role request job.
11/13/2023 07:10 AM
You may use the "Default Time Frame" configuration in the role to set up a specific interval for the roles after which they can be revoked.
There is an option to force an enddate for enterprise role requests as well.
11/13/2023 10:40 AM
Use actionable analytics
SELECT r.role_name,
       u.username AS NAME,
       u.email,
       rua.rolekey AS roleKey,
       rua.accountkey AS acctKey,
       u.userkey AS userKey,
       'Deprovision Role' AS 'Default_Action_For_Analytics',
       a.endpointkey
FROM role_user_account rua
JOIN user_accounts ua ON ua.accountkey = rua.accountkey
JOIN users u ON u.userkey = ua.userkey
JOIN roles r ON r.rolekey = rua.rolekey
JOIN accounts a ON a.accountkey = rua.accountkey
INNER JOIN endpoints e ON e.endpointkey = a.endpointkey
WHERE r.status = 1
  AND u.username = '137658'
When Deprovision Role is configured as an allowed action, it removes the role from user profile in EIC. This is applicable for enterprise, application and emergency access roles. When this action is performed on a record, a task is created for removing user access for the entitlements associated with the roles.
The Analytics query must have the columns given below:
userkey - Userkey of the user to whom the account is mapped.
acctKey - Accountkey of the account from which the entitlement access will be revoked.
roleKey - Rolekey of the role from which the entitlement access will be revoked.
Sample query:
select r.ROLE_NAME,
       u.username as name,
       rua.ROLEKEY as roleKey,
       rua.ACCOUNTKEY as acctKey,
       u.USERKEY as userKey,
       'Deprovision Role' as 'Default_Action_For_Analytics'
from role_user_account rua
join user_accounts ua on ua.ACCOUNTKEY = rua.ACCOUNTKEY
join users u on u.USERKEY = ua.USERKEY
join roles r on r.ROLEKEY = rua.ROLEKEY
where r.STATUS = 1;
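An added example, not part of any post in this thread and not Saviynt code: a dry run of the sample query, narrowed to the original use case, against an in-memory SQLite stand-in. It checks that the three mandatory columns are present and shows which assignments would be selected. The columns `assigned_on` and `employeetype`, the 30-day reading of "1 month", and all sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import date, timedelta

REQUIRED = ("userKey", "acctKey", "roleKey")  # columns the thread lists as mandatory

# assigned_on and employeetype are hypothetical column names (assumptions).
QUERY = """
SELECT r.role_name, u.username AS name,
       rua.rolekey AS roleKey, rua.accountkey AS acctKey, u.userkey AS userKey,
       'Deprovision Role' AS Default_Action_For_Analytics
FROM role_user_account rua
JOIN user_accounts ua ON ua.accountkey = rua.accountkey
JOIN users u ON u.userkey = ua.userkey
JOIN roles r ON r.rolekey = rua.rolekey
WHERE r.status = 1
  AND u.employeetype = 'Contractor'
  AND rua.assigned_on <= :cutoff
"""

def build_sample_db():
    """In-memory SQLite stand-in holding constructed rows only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userkey INTEGER, username TEXT, employeetype TEXT);
        CREATE TABLE user_accounts (userkey INTEGER, accountkey INTEGER);
        CREATE TABLE roles (rolekey INTEGER, role_name TEXT, status INTEGER);
        CREATE TABLE role_user_account (rolekey INTEGER, accountkey INTEGER, assigned_on TEXT);
        INSERT INTO users VALUES (1,'c.old','Contractor'),(2,'c.new','Contractor'),(3,'e.old','Employee');
        INSERT INTO user_accounts VALUES (1,10),(2,20),(3,30);
        INSERT INTO roles VALUES (100,'Sample_Active_Role',1),(200,'Sample_Inactive_Role',0);
        INSERT INTO role_user_account VALUES
            (100,10,'2023-10-01'),(100,20,'2023-11-05'),(100,30,'2023-10-01'),(200,10,'2023-09-01');
    """)
    return conn

def preflight(conn, query, today, max_age_days=30):
    """Run the query, fail if a mandatory column is absent, return the rows it selects."""
    cutoff = (today - timedelta(days=max_age_days)).isoformat()
    cur = conn.execute(query, {"cutoff": cutoff})
    cols = [d[0] for d in cur.description]
    missing = [c for c in REQUIRED if c.lower() not in {x.lower() for x in cols}]
    if missing:
        raise ValueError(f"analytics query lacks required columns: {missing}")
    return [dict(zip(cols, row)) for row in cur.fetchall()]

if __name__ == "__main__":
    for row in preflight(build_sample_db(), QUERY, date(2023, 11, 13)):
        print(row)
```

Only the contractor whose active role was assigned more than 30 days before the run date is returned; the recent assignment, the employee, and the inactive role are left alone.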
11/13/2023 09:29 PM
Yes you are correct. The Deprovision Roles feature is present in EIC version.
Anyhow, if you refer to this document: Creating Roles (saviyntcloud.com)
This feature might help you.
Also schedule this job.