Short Description
Technical Rules are used to provision birthright access to employees joining the company, granting it to every user who matches the specified conditions. To assign birthright access, specify the conditions under which the access must be provided and select the Birthright action.
Applicable version:
All versions
Detail best practice
- All technical rules are evaluated for every new record created in Saviynt, so if there is a large number of unnecessary rules (rules whose condition always fails), remove them to avoid a performance impact.
- Least Privilege Principle: Follow the principle of least privilege when defining birthright rules. Grant users the minimum permissions necessary to perform their job functions effectively. Avoid granting excessive or unnecessary access rights, as this increases the risk of unauthorized access or data breaches.
- Access Control: Adopt a policy-based approach for defining birthright rules. Identify different job functions or roles within your organization and create role definitions that capture the necessary permissions for each role. Assign birthright rules to these roles to ensure that users receive the appropriate access automatically based on their assigned role.
- Regular Review: Conduct periodic reviews of your birthright rules to ensure they remain accurate and aligned with the current organizational requirements. As roles and responsibilities change over time, it's important to update and refine the birthright rules to reflect these changes.
- Segregation of Duties (SoD): Define birthright rules in a way that ensures users cannot perform conflicting actions or access sensitive information that should be separated among different roles.
- Continuous Improvement: Continuously evaluate and refine your birthright rules based on user feedback, emerging risks, and changes in business requirements. Implement a feedback loop and encourage users to provide input on access requirements to ensure that the birthright rules remain effective and aligned with the organization's needs.
- Rule Consolidation: Analyze your existing technical rules and identify any duplication or overlap. Look for rules that have similar or overlapping conditions, actions, or entitlements. Consolidate these rules into a single rule to eliminate redundancy and simplify rule management.
- Use Advanced Config when configuring technical rules that have complex conditions or need null checks (for example, an attribute that must be null). Note that the attribute names used in the query are case sensitive.
- When using Advanced Config, write an optimized HQL query to avoid a performance impact (refer to the Analytics best practice document for examples of optimized queries).
- Remove Birthright Access if condition fails: Always keep this option enabled unless specifically told otherwise. It ensures that the access policy defined by the rule is continuously satisfied for the user; if the condition no longer holds, the access assigned through this rule is removed.
- Detective: Minimize the use of Detective rules unless they are really needed, and make sure the detective jobs run only once a day so that they do not cause performance issues.
- Evaluate Manager Hierarchy: This feature will soon be deprecated and should always be kept turned off. It causes performance issues because it re-evaluates all users even when a single user is updated, so we recommend keeping it off.
- Migrate Rules: If you are migrating from another IAM solution, you can upload the technical rules in bulk. Prepare them in the JSON format and upload them, which saves time compared with creating each rule from the UI. (Detailed steps can be found in the doc link below.)
- At go-live, when uploading user identities for the first time, you can temporarily disable the rules to avoid the creation of unnecessary tasks and the associated performance impact.
Note: Examples of Advanced Config HQL conditions:
Example 1: active users whose start date is within the next 21 days, who have an employee ID, who are not on leave (null condition), and whose employee class does not begin with 'Tier':
a.statuskey = 1 and a.startdate <= DATE_ADD(curdate(),INTERVAL 21 DAY) and a.employeeid is not null and a.leaveStatus is null and a.employeeclass not like 'Tier%'
Example 2: users who are recorded as the manager of at least one active user (the subquery uses its own alias so it is not confused with the outer alias a):
a.id in (select distinct m.manager from Users m where m.statuskey = 1)
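To show what the Remove Birthright Access if condition fails option protects against, here is an added Python model (not Saviynt's code) that renders the HQL condition from Example 1 as a predicate and runs two rule evaluations over constructed users; the User class, evaluate_rule and the "VPN" entitlement are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed model of a Saviynt Users record (hypothetical, not Saviynt's own classes)
@dataclass
class User:
    id: int
    statuskey: int
    startdate: date
    employeeid: Optional[str]
    leaveStatus: Optional[str]
    employeeclass: str
    access: set = field(default_factory=set)

def base_condition(u: User, today: date) -> bool:
    """Python rendering of the Advanced Config HQL condition in Example 1."""
    return (u.statuskey == 1
            and u.startdate <= today + timedelta(days=21)
            and u.employeeid is not None
            and u.leaveStatus is None               # the "is null" condition
            and not u.employeeclass.startswith("Tier"))

def evaluate_rule(users, condition, entitlement, today, remove_if_fails=True):
    """Grant where the condition holds; revoke where it fails only if
    remove_if_fails is set. Returns (granted_ids, revoked_ids)."""
    granted, revoked = [], []
    for u in users:
        if condition(u, today):
            if entitlement not in u.access:
                u.access.add(entitlement)
                granted.append(u.id)
        elif remove_if_fails and entitlement in u.access:
            u.access.discard(entitlement)
            revoked.append(u.id)
    return granted, revoked

def simulate(remove_if_fails: bool):
    """Two passes over constructed users; user 1 goes on leave in between."""
    today = date(2024, 1, 15)
    users = [
        User(1, 1, date(2024, 1, 20), "E100", None, "Regular"),  # starts in 5 days
        User(2, 1, date(2024, 3, 1), "E200", None, "Regular"),   # starts in 46 days
        User(3, 1, date(2024, 1, 2), None, None, "Regular"),     # no employeeid yet
        User(4, 1, date(2023, 6, 1), "E400", None, "Tier2"),     # excluded class
    ]
    first = evaluate_rule(users, base_condition, "VPN", today, remove_if_fails)
    users[0].leaveStatus = "LOA"  # condition now fails for user 1
    second = evaluate_rule(users, base_condition, "VPN", today, remove_if_fails)
    return first, second, {u.id: sorted(u.access) for u in users}
```

With remove_if_fails=False the user who went on leave keeps the VPN entitlement after the second pass, which is exactly the stale access the option exists to revoke.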
Key Benefit (Quantitative/qualitative)
Simplified access management, improved performance during bulk user import, and increased efficiency.
Reference documentation
https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter05-Policies/Creating-Technic...
https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter05-Policies/Uploading-Techni...