
Role Detection based on assigned entitlement

sunilsaurabh
New Contributor II

Let's say we create a new Role (call it RoleA) that is composed of 2 entitlements called ent1 and ent2.

At Role creation, some users might already have that combination of 2 entitlements, or might have only 1 and then the 2nd one is given via AccessRequest.

Question: is there a way within Saviynt to "detect" that these users should be assigned RoleA? Some other products do have this notion of a "detected" role (as opposed to a role "assigned" within the IAM product).

7 REPLIES

rushikeshvartak
All-Star

Currently it's not supported OOTB. Please submit an idea ticket for a feature request.


You can implement this using an analytics report as a workaround.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi Rushikesh,

I hope you are doing well!

Could you please provide more information about the workaround? Please provide the query if you have done it in the past.

Regards,

Sunil Saurabh

  • find accounts having the entitlement
  • find which roles the entitlement is part of
  • based on the above information you can mention which role the user can possibly have

Regards,
Rushikesh Vartak

Hi @rushikeshvartak ,

I have created the analytics. Thanks for your help. However, I am wondering what action I should choose to assign the role to the user based on the data, because I am not able to find a suitable action in it. Could you please suggest? There are other options to upload the role assignment.

Query to find the missing role assignment if the user has all the entitlements of the role:

select t1.role_name as Role_Name, t2.username as username, t2.endpointname, t2.accName, t2.accountkey, t1.rolekey, t2.userkey
from (
    select r.role_name, a.accountkey, re1.rolekey, ua.userkey,
           GROUP_CONCAT(distinct ev.entitlement_value ORDER BY ev.entitlement_value) AS valueset
    from roles r, role_entitlements re1, entitlement_values ev, users u, user_accounts ua,
         accounts a, endpoints e, entitlement_types et, account_entitlements1 ae
    where ev.entitlementtypekey = et.entitlementtypekey
      and re1.ROLEKEY = r.ROLEKEY
      and u.userkey = ua.userkey
      and ua.accountkey = a.accountkey
      and re1.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
      and a.endpointKey = e.endpointKey
      and et.endpointKey = e.endpointKey
      and ae.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
      and ae.accountkey = ua.accountkey
    GROUP BY r.role_name
) t1
JOIN (
    select u.username, e.endpointname, a.name as accName, a.accountkey, r.rolekey, ua.userkey,
           GROUP_CONCAT(distinct ev.entitlement_value ORDER BY ev.entitlement_value) AS valueset
    from roles r, role_entitlements re1, entitlement_values ev, users u, user_accounts ua,
         accounts a, endpoints e, entitlement_types et, account_entitlements1 ae
    where ev.entitlementtypekey = et.entitlementtypekey
      and re1.ROLEKEY = r.ROLEKEY
      and u.userkey = ua.userkey
      and ua.accountkey = a.accountkey
      and re1.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
      and a.endpointKey = e.endpointKey
      and et.endpointKey = e.endpointKey
      and ae.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
      and ae.accountkey = ua.accountkey
    GROUP BY u.username
) t2
  ON (t1.valueset = t2.valueset or FIND_IN_SET(t1.valueset, t2.valueset) > 0)
 and not exists (
    select 1 from role_user_account rua
    where (rua.accountkey = t2.accountkey or rua.userkey = t2.userkey)
      and t1.rolekey = rua.rolekey
 )


Regards

Sunil
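The three-step workaround above (find accounts holding the entitlement, find which roles the entitlement belongs to, infer the candidate role) can also be written as a count-based "relational division" instead of comparing GROUP_CONCAT strings. The posted query matches only when the account's whole entitlement string equals the role's, or, via FIND_IN_SET, when the role has a single entitlement; an account holding ent1, ent2 and an unrelated ent3 would not be detected as a RoleA candidate, and GROUP BY r.role_name with non-aggregated columns fails under MySQL's ONLY_FULL_GROUP_BY. The query below is an added example written for this thread, not the poster's query and not Saviynt's own code; table and column names are taken from the query above and are assumed to match your Saviynt schema, so verify them before using this in an analytics control:

```sql
-- Added example (not the poster's query nor Saviynt's own code). Tables and columns
-- are those used in the query posted in this thread and are assumed to exist with
-- these names in your Saviynt schema; check them against your version first.
--
-- Relational division by counting: for every (account, role) pair, count how many of
-- the role's distinct entitlements the account holds. When that count equals the
-- role's total, the account holds the complete role. Accounts that hold additional
-- entitlements beyond the role still match, which a string comparison does not allow.
select r.role_name      as Role_Name,
       u.username       as username,
       e.endpointname   as endpointname,
       a.name           as accName,
       a.accountkey     as accountkey,
       r.rolekey        as rolekey,
       u.userkey        as userkey,
       rs.n_role_ents   as role_entitlement_count
from (
    -- number of distinct entitlements that define each role
    select re.rolekey,
           count(distinct re.entitlement_valuekey) as n_role_ents
    from role_entitlements re
    group by re.rolekey
) rs
join (
    -- number of each role's entitlements that each account actually holds
    select ae.accountkey,
           re.rolekey,
           count(distinct ae.entitlement_valuekey) as n_held
    from account_entitlements1 ae
    join role_entitlements re
      on re.entitlement_valuekey = ae.entitlement_valuekey
    group by ae.accountkey, re.rolekey
) held
  on held.rolekey = rs.rolekey
 and held.n_held  = rs.n_role_ents          -- account holds every entitlement of the role
join roles         r  on r.rolekey     = rs.rolekey
join accounts      a  on a.accountkey  = held.accountkey
join endpoints     e  on e.endpointkey = a.endpointkey
join user_accounts ua on ua.accountkey = a.accountkey
join users         u  on u.userkey     = ua.userkey
where rs.n_role_ents > 0                    -- ignore roles with no entitlements
  -- skip pairs where the role is already assigned, whether by user or by account
  and not exists (
        select 1
        from role_user_account rua
        where rua.rolekey = r.rolekey
          and (rua.userkey = u.userkey or rua.accountkey = a.accountkey)
  )
order by r.role_name, u.username;
```

Two caveats when adapting it. The match is per account, so a role that bundles entitlements from more than one endpoint will never reach the full count on a single account; for that case group the inner "held" subquery by ua.userkey (joined through user_accounts) instead of ae.accountkey. The query also applies no status filter on accounts or entitlements, because no such columns appear in the thread; if your schema has them, add the filter so that disabled accounts or revoked entitlements do not surface as candidates.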


Is it working, or do you still need help?


Regards,
Rushikesh Vartak

Hey @rushikeshvartak 

We have found a manual way to assign the role to the user through Upload Role association. Do we have any automated process?

Another thing: if we upload through Upload Role association, then Account_key is not getting updated in the Role_user_account table. However, if we add the user through the ADD User feature from the role's actions, then it is getting updated. Any idea?

I appreciate your response; it is really helpful.

Kind regards

Sunil

That's a known limitation, hence use ARS - multi user file upload.


Regards,
Rushikesh Vartak