000032450 - Filtering by application AND by entitlement or group to create a coverage file in RSA Via Lifecycle and Governance 7.0

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032450
Applies To: RSA Product Set: Via Lifecycle and Governance (L&G)
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0
Issue: This article provides information on how to create a coverage file in RSA Via Lifecycle and Governance (L&G) that filters by application AND by entitlement or group.
Resolution: When you specify reviewers and monitors in a review definition, you can, as an alternative to choosing reviewers and monitors in the review definition wizard, choose to import:
  • A coverage file that specifies reviewers;
  • A coverage file that specifies monitors;
  • A coverage file that specifies alternative managers who can access reviews assigned to other users; and
  • The review items assigned to each review participant.
Entries in a reviewer or monitor coverage file for reviews are structured as follows:
<Reviewer/Monitor Filter>|<Subject Type>|<Subject Filter>|<Object Type>|<Object Filter>|<Privilege>

Our documentation does not include an example of creating a coverage file that filters on both application and group/entitlement.
 
Filter a specific entitlement and application DB ID

user_id='<user ID>'|user|1=1|ent|resource_name='ADT-1001001-KP_ADT_FULL_ACCESS' AND APPLICATION_ID='223'|

Filter a specific entitlement and application name

user_id='<user ID>'|user|1=1|ent|resource_name='ADT-1001001-KP_ADT_FULL_ACCESS' AND APPLICATION_ID IN (SELECT ID FROM PV_APPLICATION WHERE NAME = 'SecondEpic')|

<Reviewer/Monitor Filter>
Specifies the user attribute value that identifies the reviewer or monitor, such as the user_id='<user ID>' in the examples above. This is equivalent to a SQL WHERE clause on the T_MASTER_ENTERPRISE_USERS table.
 
<Subject Type>
A static value that specifies the entity that is reviewed: user, application, group, or a global-role. Our example uses user as a subject type.
 
<Subject Filter>
Specifies the attribute filter on the subject type that selects a particular set of users, accounts, groups, or global-roles in the system. For example, user|department='finance' or group|collector='AD_Collector'. You can use the filter 1=1 to specify all granular entitlements, application roles (app-role), global-roles, groups, accounts, or users.
For example:

  • For a user, this is equivalent to an SQL WHERE clause on the T_MASTER_ENTERPRISE_USERS table.
  • For an application, this is equivalent to an SQL WHERE clause on the T_APPLICATIONS table.
  • For a group, this is equivalent to an SQL WHERE clause on the T_GROUPS table.
  • For a global-role, this is equivalent to an SQL WHERE clause on the T_AV_ROLES table.
 
<Object Type>
A static value that specifies what is reviewed or monitored: ent (granular entitlement), app-role (application role), global-role (any role type), group (group of users or accounts), application, account, and user. In the given example, we use ent as the object type.
 
<Object Filter>
Specifies the attribute filter on the object type that selects a particular set of granular entitlements, application roles, applications, roles, users, accounts, or groups. For example, application|name='purchasing' or global-role|name='sales'.
 
In the examples above, because we filter on a specific entitlement and on either an application DB ID or an application name, we put both attribute filters in the object filter, joined with AND.
Notes: This resolves the scenario where a group/entitlement name is identical across multiple applications.
For example:

  • Application Epic has entitlement ‘Administrator’
  • Application ACME has entitlement ‘Administrator’
We create a coverage file stating that User 1234 must review anyone with the ‘Administrator’ entitlement, but only for the ACME application.
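
The following pre-import check is an added example, not RSA code: it parses coverage entries into the six fields described above and flags an ent or group object filter that matches by name without an application scope. The user ID 1234, the sample entries, and the rule that APPLICATION_ID must appear in the filter are assumptions for illustration.

```python
import re

# Static type values as listed in this article.
SUBJECT_TYPES = {"user", "application", "group", "global-role"}
OBJECT_TYPES = {"ent", "app-role", "global-role", "group",
                "application", "account", "user"}
FIELDS = ("reviewer_filter", "subject_type", "subject_filter",
          "object_type", "object_filter", "privilege")

def split_fields(line):
    """Split on '|', ignoring pipes inside single-quoted SQL literals."""
    fields, buf, in_quote = [], [], False
    for ch in line.strip():
        if ch == "'":
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    fields.append("".join(buf).strip())
    return fields

def lint_entry(line):
    """Return (entry dict or None, list of findings) for one line."""
    parts = split_fields(line)
    if len(parts) != len(FIELDS):
        return None, [f"expected 6 fields, found {len(parts)}"]
    entry = dict(zip(FIELDS, parts))
    findings = []
    if entry["subject_type"] not in SUBJECT_TYPES:
        findings.append("unknown subject type")
    if entry["object_type"] not in OBJECT_TYPES:
        findings.append("unknown object type")
    # Typographic quotes pasted from a document are not SQL quotes.
    if re.search("[\u2018\u2019]", line):
        findings.append("typographic quotes in filter")
    obj = entry["object_filter"]
    # Heuristic (assumption): a name-only ent/group filter matches that name
    # in every application unless APPLICATION_ID also appears in the filter.
    if (entry["object_type"] in {"ent", "group"}
            and re.search(r"name\s*=", obj, re.I)
            and not re.search(r"application_id", obj, re.I)):
        findings.append("name filter not scoped to an application")
    return entry, findings

# Constructed sample entries based on the 'Administrator'/ACME scenario.
SCOPED = ("user_id='1234'|user|1=1|ent|resource_name='Administrator' AND "
          "APPLICATION_ID IN (SELECT ID FROM PV_APPLICATION WHERE NAME = 'ACME')|")
UNSCOPED = "user_id='1234'|user|1=1|ent|resource_name='Administrator'|"
```

Running lint_entry over each line of a coverage file before import surfaces entries that would assign a reviewer the same-named entitlement in every application.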
