Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Restrict entitlements assigned from role in ARS

SUMAIYA_BABU
Regular Contributor
Regular Contributor

Is there a way to restrict users from being able to request to remove the access from the ARS directly that was assigned through a role ?

In the 'Config for Selected Entitlements' option in Entitlement Types, we were not able to add any fields from any other tables other that entitlement_values.

 

6 REPLIES 6

Saathvik
All-Star
All-Star

@SUMAIYA_BABU : Did you try using subqueries here? and output of that query should be column related to entitlement_values.

Can you please share the query you attempted? 

We definitely used another table reference successfully in "Config for Requestable Entitlement in ARS" So I believe it should work for selected entitlements as well


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

SUMAIYA_BABU
Regular Contributor
Regular Contributor

Hi Saathvik,

 

This is the query we have:

ev.entitlement_value not in (select ev1.entitlement_value from account_entitlements1 ae1,entitlement_values ev1,user_accounts ua where ev1.entitlement_valuekey=ae1.entitlement_valuekey and ae1.assignedfromrole is not null and ua.accountkey=ae1.accountkey and ua.userkey=${requestee}).

We also tried creating a dynamic variable at the endpoint level with this subquery and adding the dynamic variable in the entitlement type. That didnt work as well.

@SUMAIYA_BABU : Does this query giving expected output in data analyzer if you hardcord the requestee value?

(select ev1.entitlement_value from account_entitlements1 ae1,entitlement_values ev1,user_accounts ua where ev1.entitlement_valuekey=ae1.entitlement_valuekey and ae1.assignedfromrole is not null and ua.accountkey=ae1.accountkey and ua.userkey=${requestee})


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

yes...its working from data analyzer.

@SUMAIYA_BABU: Try this

 

ev.id in (select ae1.entitlement_valuekey from Account_entitlements1 ae1 where ae1.assignedFromRole is not null and ae1.accountkey=(select ua.accountkey from User_accounts ua where ua.userkey=${requestee}))

 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

{
"PREPROCESSQUERIES": [
"IF (SELECT COUNT(*) FROM account_entitlements1 ae1, entitlement_values ev1, user_accounts ua WHERE ev1.entitlement_valuekey = ae1.entitlement_valuekey AND ae1.assignedfromrole IS NOT NULL AND ua.accountkey = ae1.accountkey AND ua.userkey = ${requestee}) > 0 THEN SET REQUEST_REMOVAL_FLAG = 0; END IF;"
]
}