Retrofit job and child roles

Sampo
Regular Contributor

We've set up a role hierarchy where users are assigned a role as a birthright by technical rules. The roles inherit entitlements from child roles in a hierarchy. It seems to work, but then an AD import job recreated the contents of the account_entitlements1 table, clearing the values in the assignedFromRule, assignedFromRole and assignedFromRoles columns. So when user tech rules are re-evaluated and users no longer match the conditions of the technical rule, Saviynt won't remove the entitlements, since the account_entitlements1 table no longer contains the information that the entitlements were added from a rule and a role.

I have set up a RetrofitJob (tried both the Rule and Role options) to restore these values in the account_entitlements1 table. It's able to restore the values for the entitlements that belong to the roles that have been assigned to users, but it doesn't restore the values for entitlements that were inherited from a child role. Is this expected behaviour?

If RetrofitJob cannot restore those entitlements, then I'm thinking of changing the design so that a parent-child relationship is not established between the roles, but users will be directly assigned membership in all the required roles in the hierarchy.

2 REPLIES

NM
Esteemed Contributor

Hi @Sampo, yes, sort of expected for now, because no child role reference is added in the table.


rushikeshvartak
All-Star
  • There was a known issue with the mapping for assignedfromrules/roles getting wiped out; please raise a support ticket to get the required patch or upgrade.
  • Regarding the retrofit job, please raise an enhancement on the idea portal.

Regards,
Rushikesh Vartak