Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

whats the query for searching the accounts who are having two or more groups assigned?

Pratham
New Contributor III
New Contributor III

‎08/02/2024 02:39 AM

Hi team, I have to write actionable analytics report to shows the accounts who are having 2 or more groups assigned to them and then we have to deprovision their access. We have filter the accounts by endpointname. 

Labels:
0 Kudos
15 REPLIES 15

rushikeshvartak
All-Star
All-Star

‎08/02/2024 03:37 AM

Share current query


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Pratham
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/02/2024 03:43 AM - edited ‎08/02/2024 04:11 AM

Thanks for the reply, Rushikesh.

select
a.name as 'Accname',
u.username as 'Username',
e.endpointname as 'EndpointName',
a.ACCOUNTID as 'DistinguishedName',
CASE u.STATUSKEY WHEN '0' THEN 'INACTIVE' WHEN '1' THEN 'ACTIVE' END AS USERSTATUS,
ev.entitlement_value as 'Groups',
ae1.accountkey as 'acctKey',
'Deprovision Access' as 'Default_Action_For_Analytics',
ae1.entitlement_valuekey as 'entvaluekey'

from users u join user_accounts ua on u.userkey=ua.userkey
join accounts a on a.accountkey=ua.accountkey
join account_entitlements1 ae1 on a.accountkey=ae1.accountkey
join entitlement_values ev on ev.entitlement_valuekey=ae1.entitlement_valuekey
join entitlement_types et on et.entitlementtypekey=ev.entitlementtypekey
join endpoints e on e.endpointkey=et.endpointkey
where e.endpointname='TETRAAD'

How to find that accounts which have multiple groups assigned to them from that endpointname?

we have to perform deprovision access task for that accounts who have 2 or more groups assigned, we have to remove other groups which are not identified with the above endpoint name. 

0 Kudos

pmahalle
All-Star
All-Star
In response to Pratham

‎08/02/2024 04:33 AM

@Pratham ,

User below query:

select
a.name as 'Accname',
u.username as 'Username',
e.endpointname as 'EndpointName',
a.ACCOUNTID as 'DistinguishedName',
CASE u.STATUSKEY WHEN '0' THEN 'INACTIVE' WHEN '1' THEN 'ACTIVE' END AS USERSTATUS,
ev.entitlement_value as 'Groups',
ae1.accountkey as 'acctKey',
'Deprovision Access' as 'Default_Action_For_Analytics',
ae1.entitlement_valuekey as 'entvaluekey'
from users u join user_accounts ua on u.userkey=ua.userkey
join accounts a on a.accountkey=ua.accountkey
join account_entitlements1 ae1 on a.accountkey=ae1.accountkey
join entitlement_values ev on ev.entitlement_valuekey=ae1.entitlement_valuekey
join entitlement_types et on et.entitlementtypekey=ev.entitlementtypekey
join endpoints e on e.endpointkey=et.endpointkey
where e.endpointname='TETRAAD' and a.accountkey in (select tab.accountkey from (select ae1.accountkey as accountkey, count(ae1.accountkey) as entitlementassigned from account_entitlements1 ae1, accounts a, endpoints e where a.accountkey=ae1.accountkey and a.endpointkey=e.endpointkey and e.endpointname='TETRAAD' and a.status=1 group by ae1.accountkey) tab where tab.entitlementassigned > 1)


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

Pratham
New Contributor III
New Contributor III
In response to pmahalle

‎08/02/2024 05:13 AM - edited ‎08/02/2024 05:19 AM

Hi Pandharinath, The above query was working but it shows no records found when I change endpoint it working it shows some accounts that have multiple groups assigned. How can we check the account exist only in the defined/ identified group match pattern?

The main query was have to Create actionable analytics to identify the accounts falling outside the Tier2 groups and remove the account form the non-matched pattern groups, Tier2 accounts should exist only in the defined/ identified group match pattern

0 Kudos

pmahalle
All-Star
All-Star
In response to Pratham

‎08/02/2024 05:26 AM

@Pratham ,

Do you mean you want to remove only specific groups/entitlements and not all?


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

Pratham
New Contributor III
New Contributor III
In response to pmahalle

‎08/02/2024 05:30 AM - edited ‎08/02/2024 06:05 AM

Yes, we have to remove the non-matched groups which are not mentioned in that endpoints, If any account has groups of other endpoints we have to remove those groups. Not all groups we have to remove only other endpoints groups from that. 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Pratham

‎08/02/2024 05:28 PM

Can you explain with example


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Pratham
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/04/2024 09:56 PM

Hi @rushikeshvartak ,

Yes sure, we have to remove the non-matched groups which are not mentioned in that endpoints, If any account has groups of other endpoints we have to remove those groups. Not all groups we have to remove only other endpoints groups from that. For example : we have one endpoint name =TETRAAD and in that there are 11 entitlement values (groups) and 1000 accounts and each account has one or two groups assigned , we means contractor, users, admin, Maintenace, etc. these are the groups as per the request we have to find that accounts which are non-matched groups which are not mentioned in that endpoints ,we have to remove that accounts it can be groups of other endpoints also we have to find that and remove that one only.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Pratham

‎08/04/2024 10:03 PM 

SELECT
    a.name AS 'Accname',
    u.username AS 'Username',
    e.endpointname AS 'EndpointName',
    a.ACCOUNTID AS 'DistinguishedName',
    CASE u.STATUSKEY 
        WHEN '0' THEN 'INACTIVE' 
        WHEN '1' THEN 'ACTIVE' 
    END AS USERSTATUS,
    ev.entitlement_value AS 'Groups',
    ae1.accountkey AS 'acctKey',
    'Deprovision Access' AS 'Default_Action_For_Analytics',
    ae1.entitlement_valuekey AS 'entvaluekey'
FROM users u
JOIN user_accounts ua ON u.userkey = ua.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
JOIN account_entitlements1 ae1 ON a.accountkey = ae1.accountkey
JOIN entitlement_values ev ON ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN entitlement_types et ON et.entitlementtypekey = ev.entitlementtypekey
JOIN endpoints e ON e.endpointkey = et.endpointkey
WHERE e.endpointname = 'TETRAAD'
AND a.accountkey IN (
    SELECT a.accountkey
    FROM accounts a
    JOIN account_entitlements1 ae1 ON a.accountkey = ae1.accountkey
    JOIN entitlement_values ev ON ev.entitlement_valuekey = ae1.entitlement_valuekey
    JOIN entitlement_types et ON et.entitlementtypekey = ev.entitlementtypekey
    JOIN endpoints e ON e.endpointkey = et.endpointkey
    WHERE e.endpointname = 'TETRAAD'
    GROUP BY a.accountkey
    HAVING COUNT(DISTINCT ev.entitlement_valuekey) = (
        SELECT COUNT(DISTINCT ev.entitlement_valuekey)
        FROM account_entitlements1 ae1
        JOIN entitlement_values ev ON ev.entitlement_valuekey = ae1.entitlement_valuekey
        JOIN entitlement_types et ON et.entitlementtypekey = ev.entitlementtypekey
        JOIN endpoints e ON e.endpointkey = et.endpointkey
        WHERE e.endpointname = 'TETRAAD'
          AND ae1.accountkey = a.accountkey
    )
)

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Pratham
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/04/2024 10:30 PM

Hi @rushikeshvartak ,

Thanks for the quick response.

The previous query functioned correctly, but it displayed all accounts, even those with only one group assigned to them. We need to filter and sort the accounts to show only those with multiple groups, in accordance with the specified conditions.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Pratham

‎08/05/2024 02:34 AM

Share query output and which data should be hidden with screenshot


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Pratham
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/05/2024 11:53 PM - edited ‎08/06/2024 12:40 AM

Hi @rushikeshvartak , @pmahalle 

The above problem was resolved.

can you please check the below query,

we have to Deprovision access of other entitlement values except the given one only, does it work in that case or not, if not can you please make some changes for that one, is it compulsory to add a.endpoinkey for deprovisioning access

select
a.name as 'Accname',
u.username as 'Username',
e.endpointname as 'EndpointName',
ev.entitlement_value as 'Groups',
CASE u.STATUSKEY WHEN '0' THEN 'INACTIVE' WHEN '1' THEN 'ACTIVE' END AS USERSTATUS,
a.ACCOUNTID as 'DistinguishedName',
ae1.accountkey as 'acctKey',
'Deprovision Access' as 'Default_Action_For_Analytics',
ae1.entitlement_valuekey as 'entvaluekey'
from users u join user_accounts ua on u.userkey=ua.userkey
join accounts a on a.accountkey=ua.accountkey
join account_entitlements1 ae1 on a.accountkey=ae1.accountkey
join entitlement_values ev on ev.entitlement_valuekey=ae1.entitlement_valuekey
join entitlement_types et on et.entitlementtypekey=ev.entitlementtypekey
join endpoints e on e.endpointkey=et.endpointkey
where e.endpointname='TETRAAD' and ev.entitlement_value !='CN=SG-SAVAD-Test-App89-Users,OU=Saviynt-Dev,DC=tetra,DC=com'and
a.accountkey in (select tab.accountkey from (select ae1.accountkey as accountkey, count(ae1.accountkey) as entitlementassigned from account_entitlements1 ae1, accounts a, endpoints e where a.accountkey=ae1.accountkey and a.endpointkey=e.endpointkey and e.endpointname='TETRAAD' and a.status=1 group by ae1.accountkey) tab where tab.entitlementassigned >1) 

 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Pratham

‎08/06/2024 06:26 AM

SELECT
a.name AS 'Accname',
u.username AS 'Username',
e.endpointname AS 'EndpointName',
ev.entitlement_value AS 'Groups',
CASE u.STATUSKEY
WHEN '0' THEN 'INACTIVE'
WHEN '1' THEN 'ACTIVE'
END AS USERSTATUS,
a.ACCOUNTID AS 'DistinguishedName',
ae1.accountkey AS 'acctKey',
'Deprovision Access' AS 'Default_Action_For_Analytics',
ae1.entitlement_valuekey AS 'entvaluekey'
FROM
users u
JOIN
user_accounts ua ON u.userkey = ua.userkey
JOIN
accounts a ON a.accountkey = ua.accountkey
JOIN
account_entitlements1 ae1 ON a.accountkey = ae1.accountkey
JOIN
entitlement_values ev ON ev.entitlement_valuekey = ae1.entitlement_valuekey
JOIN
entitlement_types et ON et.entitlementtypekey = ev.entitlementtypekey
JOIN
endpoints e ON e.endpointkey = et.endpointkey
WHERE
e.endpointname = 'TETRAAD'
AND ev.entitlement_value != 'CN=SG-SAVAD-Test-App89-Users,OU=Saviynt-Dev,DC=tetra,DC=com'
AND a.accountkey IN (
SELECT
tab.accountkey
FROM (
SELECT
ae1.accountkey AS accountkey,
COUNT(ae1.accountkey) AS entitlementassigned
FROM
account_entitlements1 ae1
JOIN
accounts a ON a.accountkey = ae1.accountkey
JOIN
endpoints e ON a.endpointkey = e.endpointkey
WHERE
e.endpointname = 'TETRAAD'
AND a.status = 1
GROUP BY
ae1.accountkey
) tab
WHERE
tab.entitlementassigned > 1
);


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Pratham
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/07/2024 10:06 PM

Hi @rushikeshvartak ,

The above query is working fine. I have one doubt this query will Deprovision access of these accounts or the groups from that account?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Pratham

‎08/08/2024 06:48 AM

Group

Please click the 'Accept As Solution' button on the reply (or replies) that best answered your original question and hit 'Kudos' button 👍.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos
Copyright © 2024 Khoros, LLC