
Role Hierarchy issue

JPMac
Regular Contributor II

Hi,

We are creating roles based on the organizational hierarchy, and each has a child role.

[image: JPMac_2-1723108211192.png]

For example, if you assign a user the Role 'XXX-AAA-BBB-CCC-DDD', the user will have the entitlements 'Project_A' and 'TestADDGroup002' added.


The technical rule and user update rule are shown below.

[image: JPMac_3-1723108482926.png]
[image: JPMac_4-1723108567685.png]

The role is assigned dynamically by specifying the role name in the value of the user's departmentname and customproperty1.


<Results and problem>

First I create the following user:
Two roles are created and a task is created to add four entitlements.

[image: JPMac_6-1723108796896.png]
[image: JPMac_7-1723109024634.png]

I complete these tasks, then change the user's departmentname and invoke the user update rule.

(XXX-AAA-BBB-CCC-DDD -> XXX-AAA-BBB-CCC-KKK)

Then a task is created as shown below, and when everything is completed, testADDGroup002 is removed.

[image: JPMac_8-1723109401295.png]

The current status of role and entitlement is shown below.

[image: JPMac_10-1723109712602.png]

The checked items are the entitlements ultimately assigned to the user.
This means that the user does not have the entitlement shown in red (TestAADGroup002); however, since the user belongs to the parent role, it must hold the entitlement of the child role.

How can I stop the above example from creating a Remove Access task for TestADDGroup002?

Regards,


rushikeshvartak
All-Star
  • Do all belong to the same application?
  • Does the account already have the entitlement?
  • Any pending tasks?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

JPMac
Regular Contributor II

@rushikeshvartak

- All belong to the same application?

-> Yes. In this example, all are entitlements of Azure AD.

- Any pending tasks?

-> This task is created after changing the user's group.

[image: JPMac_1-1723161469176.png]

- Does the account already have the entitlement?

-> Yes. I would expect four entitlements, but one was removed, so there are three.

[image: JPMac_0-1723161306492.png]


rushikeshvartak
All-Star

Are you using an entitlement map?

Regards,
Rushikesh Vartak

JPMac
Regular Contributor II

I found that this problem occurs when I manually complete tasks without using a Job.

NM
Honored Contributor II

@JPMac Is the task moving to the No Action Required state?

JPMac
Regular Contributor II

@NM Yes, when I run the provisioning job.
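The two points the thread turns on, modelled in code: the original post's expectation that an entitlement inherited through a child role survives a department change as long as some held role still reaches that child, and the later replies' observation that a provisioning job moves a now-unnecessary Remove Access task to No Action Required while a manually completed task actually revokes the group. This is an added example written for this page, not Saviynt's code or the poster's configuration. The role hierarchy (the KKK role sharing the DDD role's child role, and a hypothetical CP1-ROLE assigned from customproperty1), the rule that maps departmentname and customproperty1 to role names, and the reconcile() check are all constructed assumptions.

```python
"""Toy model of role-hierarchy entitlement resolution and access-task reconciliation.

Added example for this thread, not Saviynt code. The hierarchy below is a constructed
assumption that mirrors the post (the KKK role is assumed to share the DDD role's child
role), and reconcile() is a hypothetical model of what a provisioning job evaluates,
not Saviynt's actual logic.
"""

# Constructed hierarchy: role name -> (direct entitlements, child roles).
ROLES = {
    "XXX-AAA-BBB-CCC-DDD": ({"Project_A"}, {"XXX-AAA-BBB-CCC"}),
    "XXX-AAA-BBB-CCC-KKK": ({"Project_K"}, {"XXX-AAA-BBB-CCC"}),   # assumed sibling of DDD
    "XXX-AAA-BBB-CCC":     ({"TestADDGroup002"}, set()),           # shared child role
    "CP1-ROLE":            ({"Project_B", "TestADDGroup001"}, set()),  # hypothetical role from customproperty1
}


def role_closure(role, roles=ROLES):
    """Return the role plus every role reachable through child links (cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen or r not in roles:
            continue
        seen.add(r)
        stack.extend(roles[r][1])
    return seen


def effective_entitlements(assigned, roles=ROLES):
    """Union of the direct entitlements of every assigned role and all of its descendants."""
    ents = set()
    for role in assigned:
        for r in role_closure(role, roles):
            ents |= roles[r][0]
    return ents


def dynamic_roles(user, roles=ROLES):
    """Assumed assignment rule: a role is held when its name equals departmentname or customproperty1."""
    return {user["departmentname"], user["customproperty1"]} & set(roles)


def plan_tasks_per_role(old_roles, new_roles, roles=ROLES):
    """Naive strategy: revoke everything the dropped role granted, ignoring roles the user keeps.
    This reproduces the Remove Access task for TestADDGroup002 seen in the thread."""
    tasks = []
    for role in old_roles - new_roles:
        tasks += [("Remove Access", e) for e in sorted(effective_entitlements({role}, roles))]
    for role in new_roles - old_roles:
        tasks += [("Add Access", e) for e in sorted(effective_entitlements({role}, roles))]
    return tasks


def plan_tasks_effective(old_roles, new_roles, roles=ROLES):
    """Correct strategy: diff the effective sets, so an entitlement still reachable via another
    held role is never revoked."""
    before = effective_entitlements(old_roles, roles)
    after = effective_entitlements(new_roles, roles)
    return ([("Remove Access", e) for e in sorted(before - after)]
            + [("Add Access", e) for e in sorted(after - before)])


def reconcile(tasks, account_entitlements, desired):
    """Hypothetical provisioning-job evaluation: a Remove task whose entitlement is still desired
    (or already absent), or an Add task whose entitlement is already present, ends as
    'No Action Required'; anything else is executed and 'Completed'."""
    outcome = {}
    for kind, ent in tasks:
        if kind == "Remove Access" and (ent in desired or ent not in account_entitlements):
            outcome[(kind, ent)] = "No Action Required"
        elif kind == "Add Access" and ent in account_entitlements:
            outcome[(kind, ent)] = "No Action Required"
        else:
            outcome[(kind, ent)] = "Completed"
    return outcome


def walk_through():
    """Reproduce the thread: departmentname DDD -> KKK for a user holding two dynamic roles."""
    before = {"departmentname": "XXX-AAA-BBB-CCC-DDD", "customproperty1": "CP1-ROLE"}
    after = dict(before, departmentname="XXX-AAA-BBB-CCC-KKK")
    old_roles, new_roles = dynamic_roles(before), dynamic_roles(after)
    account = effective_entitlements(old_roles)         # the four entitlements after first provisioning
    naive = plan_tasks_per_role(old_roles, new_roles)   # wrongly includes Remove Access TestADDGroup002
    correct = plan_tasks_effective(old_roles, new_roles)
    verdict = reconcile(naive, account, effective_entitlements(new_roles))
    return account, naive, correct, verdict


if __name__ == "__main__":
    acct, naive, correct, verdict = walk_through()
    print("account before change:", sorted(acct))
    print("per-role diff tasks:   ", naive)
    print("effective-set tasks:   ", correct)
    for (kind, ent), state in verdict.items():
        print(f"{kind:<14}{ent:<18}-> {state}")
```

Running the module shows both views: the per-role diff produces a Remove Access task for TestADDGroup002 even though the KKK role still reaches the shared child role, whereas the effective-set diff only removes Project_A and adds Project_K. Feeding the naive task list through reconcile() is the manual-versus-job distinction from the replies: the job-style evaluation parks the TestADDGroup002 removal as No Action Required, while completing that task by hand executes the revocation regardless of what the user is still entitled to.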