|Applies To||RSA Product Set: Via Lifecycle and Governance (L&G)|
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0
|Issue||This article provides information on how to create a coverage file on the RSA Via Lifecycle and Governance (L&G), filtering by application AND by entitlement or group.|
|Resolution||When you specify reviewers and monitors in a review definition, you can import a coverage file as an alternative to choosing reviewers and monitors in the review definition wizard. Entries in the file use this format:
<Reviewer/Monitor Filter>|<Subject Type>|<Subject Filter>|<Object Type>|<Object Filter>|<Privilege>
Our documentation does not include an example of creating a coverage file that filters on both application and group/entitlement.
Filter a specific entitlement and application DB ID
user_id='<user ID>'|user|1=1|ent|resource_name='ADT-1001001-KP_ADT_FULL_ACCESS' AND APPLICATION_ID='223'|
Filter a specific entitlement and application name
<Reviewer/Monitor Filter>: Specifies the user attribute value that identifies the reviewer or monitor, such as user_id='<user ID>' in the examples above. This is equivalent to a SQL WHERE clause on the T_MASTER_ENTERPRISE_USERS table.
<Subject Type>: A static value that specifies the entity that is reviewed: user, application, group, or global-role. Our example uses user as the subject type.
<Subject Filter>: Specifies the attribute filter on the subject type that selects a particular set of users, accounts, groups, or global-roles in the system. For example, user|department='finance' or group|collector='AD_Collector'. You can use the filter 1=1 to specify all granular entitlements, application roles (app-role), global-roles, groups, accounts, or users.
<Object Type>: A static value that specifies what is reviewed or monitored: ent (granular entitlement), app-role (application role), global-role (any role type), group (group of users or accounts), application, account, and user. In the given example, we use ent as the object type.
<Object Filter>: Specifies the attribute filter on the object type that selects a particular set of granular entitlements, application roles, applications, roles, users, accounts, or groups. For example, application|name='purchasing' or global-role|name='sales'.
In the examples above, because we filter on a specific entitlement together with either an application DB ID or an application name, we put both attribute filters in the object filter to achieve the use case.
|Notes||This is to resolve the scenario where a group/entitlement name is identical across multiple applications.|
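A coverage file can be checked before import for entries that name an entitlement or group without tying it to an application, which is the scenario in the note above. The linter below is an added example, not RSA code. Its field names, the six-field requirement, the rule that filters contain no literal `|`, and the rule that an `application*` attribute compared with `=` counts as application scoping are all assumptions of this example.

```python
import re

# Field order and type values come from the article; names are this example's.
FIELDS = ("reviewer_filter", "subject_type", "subject_filter",
          "object_type", "object_filter", "privilege")
SUBJECT_TYPES = {"user", "application", "group", "global-role"}
OBJECT_TYPES = {"ent", "app-role", "global-role", "group",
                "application", "account", "user"}
# Assumption: an attribute named application* (e.g. APPLICATION_ID) compared
# with '=' is what scopes an entitlement or group to one application.
APP_SCOPE = re.compile(r"\bapplication\w*\s*=", re.IGNORECASE)

# Line 1 is the article's example; lines 2 and 3 are constructed.
SAMPLE = """\
user_id='<user ID>'|user|1=1|ent|resource_name='ADT-1001001-KP_ADT_FULL_ACCESS' AND APPLICATION_ID='223'|
user_id='<user ID>'|user|1=1|ent|resource_name='ADT-1001001-KP_ADT_FULL_ACCESS'|
user_id='<user ID>'|users|1=1|ent|1=1|
"""

def lint_line(line):
    """Return the findings for one coverage entry (empty list = clean)."""
    # Assumption: filters never contain a literal '|', so a plain split works.
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        return [f"expected 6 fields, got {len(parts)}"]
    entry = dict(zip(FIELDS, parts))
    findings = []
    if entry["subject_type"] not in SUBJECT_TYPES:
        findings.append(f"unknown subject type {entry['subject_type']!r}")
    if entry["object_type"] not in OBJECT_TYPES:
        findings.append(f"unknown object type {entry['object_type']!r}")
    # Identical entitlement or group names can exist in several applications,
    # so a name-only filter can cover more than the intended application.
    obj_filter = entry["object_filter"]
    if (entry["object_type"] in {"ent", "group"}
            and obj_filter.replace(" ", "") != "1=1"
            and not APP_SCOPE.search(obj_filter)):
        findings.append("object filter is not scoped to an application")
    return findings

def lint_file(text):
    """Map 1-based line numbers to findings, skipping blank and clean lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        findings = lint_line(line) if line.strip() else []
        if findings:
            report[number] = findings
    return report
```

Calling `lint_file(SAMPLE)` reports the constructed lines 2 and 3 and leaves the article's own entry on line 1 out of the report.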