Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Role added but with missing entitlements

Anu
Regular Contributor
Regular Contributor

We have user who has the enterprise role assigned however missing few entitlements which are part of this role. As the user already has role assigned ,they cannot request for the same role again via ARS. 

Example :  Role A comprises of 10 entitlements (2 different security systems). Due to some import file issue user A got the Role A assigned however has only 5 entitlements mapped.

Is there an option to retrigger same role addition task for the user so that missing entitlements Add Access/New Account tasks can be automatically created ? 

Thanks in Advance

 

3 REPLIES 3

dgandhi
All-Star
All-Star

Was the ADD Access task created for the entitlements which were part of the role?

If yes, was it completed or errored out?

 

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

Anu
Regular Contributor
Regular Contributor

@dgandhi All the Add Access task where successful and completed. However due to an intermittent user update termination rule some of the access had got revoked.

So now we want to retrigger the role assignment so that all the Add access /new account task can be retriggered for the already assigned role. 

rushikeshvartak
All-Star
All-Star

Create Actionable report with below query to assign missing access.

SELECT CASE WHEN rva.MISMATCH_TYPE = 'ENDDATE_MISMATCH' THEN 'End Date Mismatch' WHEN rva.MISMATCH_TYPE = 'EXTRA' THEN 'Surplus Access' WHEN rva.MISMATCH_TYPE = 'MISSED' THEN 'Missing Access' ELSE rva.MISMATCH_TYPE END as 'Mismatch Type', CASE WHEN rva.MISMATCH_TYPE = 'ENDDATE_MISMATCH' THEN 'End Date Mismatch' WHEN rva.MISMATCH_TYPE = 'EXTRA' THEN 'Surplus Access' WHEN rva.MISMATCH_TYPE = 'MISSED' THEN 'Missing Access' ELSE rva.MISMATCH_TYPE END as mismatchType, CASE WHEN rva.REASON IN ('ANALYTICS_V2' , 'ANALYTICS') THEN 'Deprovisioned from Analytics' WHEN rva.REASON IN ('REQUEST', 'CERTIFICATION') THEN CONCAT('Deprovisioned from ', CONCAT(UCASE(LEFT(LCASE(rva.REASON), 1)), SUBSTRING(LCASE(rva.REASON), 2))) WHEN rva.REASON = 'WEBSERVICE' THEN 'Deprovisioned from API' WHEN rva.REASON = 'ZERODAY' THEN 'Deprovisioned from BirthRight' WHEN rva.REASON = 'SOD' THEN 'Deprovisioned from SOD' WHEN rva.REASON = 'PROVRULE' THEN 'Deprovisioned from Rule' WHEN rva.REASON = 'NOT_REQUESTABLE' THEN 'Non Requestable Entitlement Type' WHEN rva.REASON = 'INCOMPLETE_TASK' THEN 'Incomplete Task' WHEN rva.REASON = 'PROVISIONING_ERROR' THEN 'Provisioning Error' WHEN rva.REASON = 'OTHERS' THEN 'Others' WHEN rva.REASON = 'INACTIVE_ACCOUNTS' THEN 'Inactive Accounts' WHEN rva.REASON = 'UNKNOWN' THEN 'Unknown' WHEN rva.REASON = 'DEPROVISIONING_ERROR' THEN 'Deprovisioning Error' WHEN rva.REASON = 'ENTITLEMENT_NOT_PRESENT' THEN 'Entitlement is not Present in Role' WHEN rva.REASON = 'ENTITLEMENT_NOT_PRESENT_CHILD_ROLE' THEN 'Entitlement is not Present in Child Role' WHEN rva.REASON = 'INACTIVE_ROLE' THEN 'Inactive Role is Present With User' WHEN rva.REASON = 'INACTIVE_CHILD_ROLE' THEN 'Inactive Child Role is Present With User' WHEN rva.REASON = 'INACTIVE_USERS' THEN 'Inactive Users' WHEN rva.REASON = 'LOWER_ENTITLEMENT_END_DATE' THEN 'Lower Entitlement End Date' WHEN rva.REASON = 'HIGHER_ENTITLEMENT_END_DATE' THEN 'Higher Entitlement End Date' WHEN rva.REASON = 'ROLE_NOT_ASSIGNED' THEN 'Role not Assigned to User' WHEN rva.REASON = 'CHILD_ROLE_NOT_ASSIGNED' THEN 'Child Role not Assigned to User' ELSE 'Unknown' END AS 'Reason', CASE WHEN rva.REASON IN ('ANALYTICS_V2' , 'ANALYTICS') THEN 'Deprovisioned from Analytics' WHEN rva.REASON IN ('REQUEST', 'CERTIFICATION') THEN CONCAT('Deprovisioned from ', CONCAT(UCASE(LEFT(LCASE(rva.REASON), 1)), SUBSTRING(LCASE(rva.REASON), 2))) WHEN rva.REASON = 'WEBSERVICE' THEN 'Deprovisioned from API' WHEN rva.REASON = 'ZERODAY' THEN 'Deprovisioned from BirthRight' WHEN rva.REASON = 'SOD' THEN 'Deprovisioned from SOD' WHEN rva.REASON = 'PROVRULE' THEN 'Deprovisioned from Rule' WHEN rva.REASON = 'NOT_REQUESTABLE' THEN 'Non Requestable Entitlement Type' WHEN rva.REASON = 'INCOMPLETE_TASK' THEN 'Incomplete Task' WHEN rva.REASON = 'PROVISIONING_ERROR' THEN 'Provisioning Error' WHEN rva.REASON = 'OTHERS' THEN 'Others' WHEN rva.REASON = 'INACTIVE_ACCOUNTS' THEN 'Inactive Accounts' WHEN rva.REASON = 'UNKNOWN' THEN 'Unknown' WHEN rva.REASON = 'DEPROVISIONING_ERROR' THEN 'Deprovisioning Error' WHEN rva.REASON = 'ENTITLEMENT_NOT_PRESENT' THEN 'Entitlement is not Present in Role' WHEN rva.REASON = 'ENTITLEMENT_NOT_PRESENT_CHILD_ROLE' THEN 'Entitlement is not Present in Child Role' WHEN rva.REASON = 'INACTIVE_ROLE' THEN 'Inactive Role is Present With User' WHEN rva.REASON = 'INACTIVE_CHILD_ROLE' THEN 'Inactive Child Role is Present With User' WHEN rva.REASON = 'INACTIVE_USERS' THEN 'Inactive Users' WHEN rva.REASON = 'LOWER_ENTITLEMENT_END_DATE' THEN 'Lower Entitlement End Date' WHEN rva.REASON = 'HIGHER_ENTITLEMENT_END_DATE' THEN 'Higher Entitlement End Date' WHEN rva.REASON = 'ROLE_NOT_ASSIGNED' THEN 'Role not Assigned to User' WHEN rva.REASON = 'CHILD_ROLE_NOT_ASSIGNED' THEN 'Child Role not Assigned to User' ELSE 'Unknown' END AS mismatchSource, u.username as Username, u.FIRSTNAME as 'First Name', u.LASTNAME as 'Last Name', IFNULL(r.DISPLAYNAME, r.ROLE_NAME) as 'Role Name', rva.RUA_ENDDATE as 'Role End Date', IFNULL(cr.DISPLAYNAME, cr.ROLE_NAME) as 'Child Role', a.name as 'Account Name', et.entitlementname as 'Entitlement Type', ev.entitlement_value as 'Entitlement Value', rva.AE_ENDDATE as 'Entitlement End Date', rva.MISMATCH_SOURCEKEY as 'Reason Task Id', rva.entitlement_valuekey as entvaluekey, rva.rolekey as roleKey, rva.userkey as userKey, rva.accountkey as acctKey, rva.MISMATCH_SOURCEKEY as taskKey, rva. RUA_ENDDATE as ruaEndDate, rva.CHILDROLEKEY as childRoleKey, 'Align Role Access Mismatch' as Default_Action_For_Analytics FROM ROLEACCESSMISMATCHES rva LEFT JOIN users u ON rva.userkey=u.userkey INNER JOIN roles r ON rva.rolekey=r.rolekey LEFT JOIN roles cr ON rva.CHILDROLEKEY = cr.ROLEKEY INNER JOIN accounts a ON rva.accountkey=a.accountkey INNER JOIN entitlement_values ev ON rva.ENTITLEMENT_VALUEKEY=ev.entitlement_valuekey INNER JOIN entitlement_types et ON ev.entitlementtypekey=et.entitlementtypekey;

 

Product provide default feature Role Mistmatch

https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter16-SSM-Analytics/Managing-An...


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.