on 05/01/2023 07:11 AM
Using actionable analytics to provision and de-provision assignments of SAV Roles.
The example provided is for ROLE_MANAGER, but the same approach can be used for other SAV Roles with minor updates to the SQL conditions (the role name and the manager-status check).
| Parameter | Description |
|---|---|
| Analytics Name | Sav Role Assignment (ROLE_MANAGER) |
| Analytics Query | select distinct u1.USERNAME, u1.FIRSTNAME, u1.LASTNAME, u1.EMAIL, case when u1.STATUSKEY=1 then 'Active' when u1.STATUSKEY=0 then 'Inactive' end as UserStatus, u4.NAME, u5.ENDPOINTNAME, u6.ENTITLEMENTNAME, u7.ENTITLEMENT_VALUE, 'Provision Access' as Default_Action_For_Analytics, u7.ENTITLEMENT_VALUEKEY as entvaluekey, u4.ACCOUNTKEY as acctKey, u4.NAME as accName, u1.USERKEY as userKey from users u1 join user_accounts u3 on u1.USERKEY=u3.USERKEY join accounts u4 on u3.ACCOUNTKEY=u4.ACCOUNTKEY join endpoints u5 on u4.ENDPOINTKEY=u5.ENDPOINTKEY join entitlement_types u6 on u5.ENDPOINTKEY=u6.ENDPOINTKEY join entitlement_values u7 on u6.ENTITLEMENTTYPEKEY=u7.ENTITLEMENTTYPEKEY where u1.userkey in (SELECT DISTINCT MANAGER FROM users) and not exists ( select distinct usr1.USERKEY from user_savroles usr1 join savroles usr2 on usr1.ROLEKEY=usr2.ROLEKEY where usr2.ROLENAME='ROLE_MANAGER' and usr1.USERKEY=u1.USERKEY ) and u5.ENDPOINTNAME='SSM' and u6.ENTITLEMENTNAME='SAVRole' and u7.ENTITLEMENT_VALUE='ROLE_MANAGER' and u1.statuskey=1 and u7.status=1; |
| Description | For all managers, add the default ROLE_MANAGER SAV Role |
| Allowed Action | Provision Access |
| Category | Sav Role Assignment Automation |
| Sub Category | SAV Roles |
| Risk | Low |
| Context | None |
| Parameter | Description |
|---|---|
| Analytics Name | Sav Role Revocation (ROLE_MANAGER) |
| Analytics Query | select distinct u1.USERNAME, u1.FIRSTNAME, u1.LASTNAME, u1.EMAIL, case when u1.STATUSKEY=1 then 'Active' when u1.STATUSKEY=0 then 'Inactive' end as UserStatus, u4.NAME, u5.ENDPOINTNAME, u6.ENTITLEMENTNAME, u7.ENTITLEMENT_VALUE, 'Deprovision Access' as Default_Action_For_Analytics, u7.ENTITLEMENT_VALUEKEY as entvaluekey, u4.ACCOUNTKEY as acctKey, u4.NAME as accName, u1.USERKEY as userKey from users u1 join user_accounts u3 on u1.USERKEY=u3.USERKEY join accounts u4 on u3.ACCOUNTKEY=u4.ACCOUNTKEY join endpoints u5 on (u4.ENDPOINTKEY=u5.ENDPOINTKEY and u5.ENDPOINTNAME='SSM') join entitlement_types u6 on (u5.ENDPOINTKEY=u6.ENDPOINTKEY and u6.EntitlementName='SAVRole') join entitlement_values u7 on (u6.ENTITLEMENTTYPEKEY=u7.ENTITLEMENTTYPEKEY and u7.entitlement_Value='ROLE_MANAGER') where not exists (SELECT MANAGER FROM users where manager = u1.userkey) and u1.userkey in ( select usr1.USERKEY from user_savroles usr1 join savroles usr2 on (usr1.ROLEKEY=usr2.ROLEKEY and usr2.RoleName='ROLE_MANAGER') ); |
| Description | Remove the ROLE_MANAGER SAV Role from users who are no longer managers |
| Allowed Action | Deprovision Access |
| Category | Sav Role Assignment Automation |
| Sub Category | SAV Roles |
| Risk | Low |
| Context | None |
| Parameter | Description |
|---|---|
| Job Name | SAV_ROLES_ASSIGNMENT_AUTOMATION |
| Job Type | Run all Analytics-v2 (AnalyticsESJob) |
| Analytics Categories | Sav Role Assignment Automation |
| Analytics Subcategories | SAV ROLES |
| Execute Default Action for Analytics | Checked |
| Cron Expression | Either include as part of a chain job or schedule individually as per the customer's requirement. |
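To see which users the two analytics surface before wiring them to a job, here is an added example (not from the original post) that runs cut-down versions of the provision and revocation conditions against a constructed SQLite dataset. It keeps the manager-status and SAV role-membership checks, drops the SSM endpoint/entitlement joins that only fetch the entitlement keys, and parameterises the role name to show the small change needed for a role other than ROLE_MANAGER.

```python
import sqlite3

# Constructed sample schema and data (not a Saviynt export): a cut-down
# version of the users / user_savroles / savroles tables joined by the page's queries.
SCHEMA = """
CREATE TABLE users (USERKEY INTEGER, USERNAME TEXT, STATUSKEY INTEGER, MANAGER INTEGER);
CREATE TABLE savroles (ROLEKEY INTEGER, ROLENAME TEXT);
CREATE TABLE user_savroles (USERKEY INTEGER, ROLEKEY INTEGER);
INSERT INTO users VALUES
  (1, 'alice', 1, NULL),  -- manages bob and carol, lacks ROLE_MANAGER -> provision
  (2, 'bob',   1, 1),     -- holds ROLE_MANAGER but nobody reports to him -> revoke
  (3, 'carol', 1, 1),     -- holds ROLE_ADMIN only, manages nobody
  (4, 'dave',  0, NULL),  -- inactive manager of erin -> skipped by statuskey=1
  (5, 'erin',  1, 4),
  (6, 'frank', 1, NULL),  -- manages grace and already holds ROLE_MANAGER -> no action
  (7, 'grace', 1, 6);
INSERT INTO savroles VALUES (10, 'ROLE_MANAGER'), (11, 'ROLE_ADMIN');
INSERT INTO user_savroles VALUES (2, 10), (6, 10), (3, 11);
"""

# Provision: active users who appear as someone's MANAGER and do not hold the role.
PROVISION = """
SELECT DISTINCT u1.USERNAME FROM users u1
WHERE u1.USERKEY IN (SELECT DISTINCT MANAGER FROM users)
  AND NOT EXISTS (SELECT 1 FROM user_savroles usr1
                  JOIN savroles usr2 ON usr1.ROLEKEY = usr2.ROLEKEY
                  WHERE usr2.ROLENAME = ? AND usr1.USERKEY = u1.USERKEY)
  AND u1.STATUSKEY = 1
ORDER BY u1.USERNAME"""

# Revoke: holders of the role who are nobody's MANAGER any more.
REVOKE = """
SELECT DISTINCT u1.USERNAME FROM users u1
WHERE NOT EXISTS (SELECT 1 FROM users WHERE MANAGER = u1.USERKEY)
  AND u1.USERKEY IN (SELECT usr1.USERKEY FROM user_savroles usr1
                     JOIN savroles usr2 ON usr1.ROLEKEY = usr2.ROLEKEY
                     WHERE usr2.ROLENAME = ?)
ORDER BY u1.USERNAME"""

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def run_analytics(db, role="ROLE_MANAGER"):
    """Return (usernames to provision, usernames to deprovision) for one SAV role."""
    to_add = [row[0] for row in db.execute(PROVISION, (role,))]
    to_remove = [row[0] for row in db.execute(REVOKE, (role,))]
    return to_add, to_remove

if __name__ == "__main__":
    print(run_analytics(open_sample_db()))  # (['alice'], ['bob'])
```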
We are on 23.12 and no SAV roles (custom or ootb) show up in entitlement_values. We also do not have an endpoint named 'IGA'. Is this normal or is this no longer possible in 23.12?
When deprovisioning a SAV role, why do we need to pass the entitlement value key? What is the reason for that?
@void0703 @JohnLawson You need to first configure Saviynt for Saviynt from Global Configuration to make it work. Once you configure it from the Global Configuration, it will import your SAVRole as an entitlement. Only then can you use this feature.
@puneetkhullar Does it require setting up a SAV4SAV connection or just enabling the configuration allowing SAV4SAV?
Are there documents on importing the SAVRoles if a connector is required?
Thank you!
Once you try to enable Saviynt For Saviynt, this screen appears. How do we need to configure it?
Besides, what are the consequences of activating it? I say this because of the message that appears that it cannot be disabled. I'm trying in QA but then we will move to production and do not know if we want to configure the system like that.
Is there no other way to do that?
Thank you in advance.