Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Removing roles after a stipulated time

akhilvatsa
New Contributor III
New Contributor III

Hello developers,

We have a use case to revoke certain Roles from contractor users, after a period of 1 month when it was assigned.

We are looking at actionable analytics to achieve this, using accounts_entitlements1 table to get the start date and then deprovision the role.

However it seems we can deprovision an entitlement but not the role, through which the entitlement was assigned. 

Any solution to achieve this use case? Do let me know if there are any alternate approach. 

Thanks,

Akhil Vatsa

 

6 REPLIES 6

SumathiSomala
All-Star
All-Star

@akhilvatsa 

SumathiSomala_0-1699886035521.png

Configuring Allowed Actions (saviyntcloud.com)

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

Thanks for the response Sumathi, I think for version 5.5 this option is not available

akhilvatsa_0-1699936983535.png

 

Ok. Specify Default Time Frame while creating/updating the role. 

Schedule create task for future ent role request job. 

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

amit_krishnajit
Saviynt Employee
Saviynt Employee

You may use the "Default Time Frame" configuration in the role to setup a specific interval for the roles after which they can be revoked. 

There is an option to force an enddate for enterprise role requests as well. 

 

Thanks,
Amit

rushikeshvartak
All-Star
All-Star

Use actionable analytics

rushikeshvartak_0-1699900754830.png

SELECT r.role_name, u.username AS NAME, u.email, rua.rolekey AS roleKey, rua.accountkey AS acctKey, u.userkey AS userKey, 'Deprovision Role' AS 'Default_Action_For_Analytics', a.endpointkey FROM role_user_account rua JOIN user_accounts ua ON ua.accountkey = rua.accountkey JOIN users u ON u.userkey = ua.userkey JOIN roles r ON r.rolekey = rua.rolekey JOIN accounts a ON a.accountkey = rua.accountkey INNER JOIN endpoints e ON e.endpointkey = a.endpointkey WHERE r.status = 1 AND u.username='137658'

 

 

Deprovision Roles

When Deprovision Role is configured as an allowed action, it removes the role from user profile in EIC. This is applicable for enterprise, application and emergency access roles. When this action is performed on a record, a task is created for removing user access for the entitlements associated with the roles.

The Analytics query must have the columns given below:
userkey - Userkey of the user to whom the account is mapped.
acctKey - Accountkey of the account from which the entitlement access will be revoked.
roleKey - Rolekey of the role from which the entitlement access will be revoked.

Sample query:

SQL
select r.ROLE_NAME,u.username as name, rua.ROLEKEY as roleKey,rua.ACCOUNTKEY as acctKey, u.USERKEY as userKey,'Deprovision Role' as 'Default_Action_For_Analytics' from role_user_account rua join user_accounts ua on ua.ACCOUNTKEY=rua.ACCOUNTKEY join users u on u.USERKEY = ua.USERKEY join roles r on r.ROLEKEY = rua.ROLEKEY where r.STATUS=1 ;

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Manu269
All-Star
All-Star

@akhilvatsa 

Yes you are correct. The Deprovision Roles feature is present in EIC version.

Anyhow if you refer this document : Creating Roles (saviyntcloud.com)

Manu269_0-1699939598988.png

This feature might help you.

Also schedule this job.

Manu269_1-1699939784725.png

 

 

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos
.