Click HERE to see how Saviynt Intelligence is transforming the industry. |
on 08/29/2023 12:20 PM
Example Requirement Description
Customer has ~5000 enterprise roles like R511000, R511001, R511002, R511003 etc. The organization also has ~5000 jobcodes with the same values - R511000, R511001 etc.
We need to assign an Enterprise Role (RoleName='R511000') to a user, if his JobCode='R511000'. Similarly there were some role which include location (stored in user customproperty17) in its name like ROleName=US_R511000 and should be assigned if his JobCode='R511000'. In total there are ~5000 roles.
We will also need to track user updates, and when a user's jobcode changes from R511000 to R511001, we need to assign the new role R511001 and remove the old role R511000.
These enterprise roles have entitlements that may overlap across roles. Hence, system needs to keep a tab of which entitlements were assigned as part of which roles and update as needed.
Similar user update rule was also configured to update role assignment if jobCode is changed
Both of the above detect user data changes and rerun provisioning rules (technical rules) to assign roles based on their new HR data. The above approach will meet the requirement to assign the role dynamically
Optionally, if you want to remove old role if old jobCode is removed, then actionable analytics can be used to meet the requirement. Note, following is an example you may have to edit it based on your requirement
SELECT
DISTINCT ae.accentkey,
a.accountkey AS acctKey,
ev.entitlement_valuekey AS entvaluekey,
ae.ASSIGNEDFROMROLES,
ev.entitlement_value AS entvalue,
'Deprovision Access' AS Default_Action_For_Analytics,
u.userkey AS userKey,
a.name AS accName
FROM
account_entitlements1 ae
left join accounts a on a.accountkey = ae.accountkey
left join role_user_account rua on rua.accountkey = a.accountkey
left join users u on rua.USERKEY = u.USERKEY
left join user_accounts ua on u.userkey = ua.userkey
left join roles r on rua.ROLEKEY = r.ROLEKEY
left join role_entitlements re on r.rolekey = re.rolekey
left join entitlement_values ev on re.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
where
ae.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
and ae.ACCOUNTKEY = ua.accountkey
and r.ROLE_NAME != CONCAT(u.CUSTOMPROPERTY17, '_', u.JOBCODE)
and r.roletype = '4'
and a.status in ('1', 'Active', 'MANUALLY PROVISIONED')
and find_in_set(r.rolekey, ae.assignedfromroles) > 0
and ae.ASSIGNEDFROMROLES not like '%,%'
and a.endpointkey = '<endpoint key>';