The below article describes an innovative approach to solving performance issues arising from evaluation of thousands of technical rules for birthright provisioning / user updates during user imports. It utilizes the capability to dynamically determine which enterprise roles must be assigned based on each users' HR metadata, thereby consolidating several technical rules to just a handful. Having fewer rules to evaluate improves the usability, maintenance and performance of the system exponentially. To meet requirements for mover and transfer scenarios, actionable analytical controls and custom queries have been utilized.
In this example, all the roles follow a naming convention which is based on jobcode attribute. Additional analytical controls implemented to solve edge cases.
Example Requirement Description
Customer has ~5000 enterprise roles like R511000, R511001, R511002, R511003 etc. The organization also has ~5000 jobcodes with the same values - R511000, R511001 etc.
We need to assign an Enterprise Role (RoleName='R511000') to a user, if his JobCode='R511000'. Similarly there were some role which include location (stored in user customproperty17) in its name like ROleName=US_R511000 and should be assigned if his JobCode='R511000'. In total there are ~5000 roles.
We will also need to track user updates, and when a user's jobcode changes from R511000 to R511001, we need to assign the new role R511001 and remove the old role R511000.
These enterprise roles have entitlements that may overlap across roles. Hence, system needs to keep a tab of which entitlements were assigned as part of which roles and update as needed.
Enterprise roles and entitlements should be present.
To avoid creating ~5000 technical rules respective to each jobcode, only two technical rules needs to be configured, with dynamically assigned roles.
Following is an example on how dynamic technical rule were configured to assign role. Both of the below are birthright rules, hence any user who meets the criteria will be assigned an enterprise role satisfying the assignment condition.
Similar user update rule was also configured to update role assignment if jobCode is changed
Both of the above detect user data changes and rerun provisioning rules (technical rules) to assign roles based on their new HR data. The above approach will meet the requirement to assign the role dynamically
Optionally, if you want to remove old role if old jobCode is removed, then actionable analytics can be used to meet the requirement. Note, following is an example you may have to edit it based on your requirement
SELECT DISTINCT ae.accentkey, a.accountkey AS acctKey, ev.entitlement_valuekey AS entvaluekey, ae.ASSIGNEDFROMROLES, ev.entitlement_value AS entvalue, 'Deprovision Access' AS Default_Action_For_Analytics, u.userkey AS userKey, a.name AS accName FROM account_entitlements1 ae left join accounts a on a.accountkey = ae.accountkey left join role_user_account rua on rua.accountkey = a.accountkey left join users u on rua.USERKEY = u.USERKEY left join user_accounts ua on u.userkey = ua.userkey left join roles r on rua.ROLEKEY = r.ROLEKEY left join role_entitlements re on r.rolekey = re.rolekey left join entitlement_values ev on re.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY where ae.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY and ae.ACCOUNTKEY = ua.accountkey and r.ROLE_NAME != CONCAT(u.CUSTOMPROPERTY17, '_', u.JOBCODE) and r.roletype = '4' and a.status in ('1', 'Active', 'MANUALLY PROVISIONED') and find_in_set(r.rolekey, ae.assignedfromroles) > 0 and ae.ASSIGNEDFROMROLES not like '%,%' and a.endpointkey = '<endpoint key>';