ChrisPope (Customer) asked a question.
Hello All,
I am trying to determine which RBAC Role(s) were included in the execution of the Role Missing Entitlements rule which created a Change Request. Meaning, if I start from the PV_CHANGE_REQUEST_DETAIL view for a request created from the Role Missing Entitlements rule, how can I tell which RBAC Role(s) were included in the execution of the Role Missing Entitlements rule? I need to take into consideration if multiple RBAC Roles were included in the rule-execution and relate those to the corresponding rows on the PV_CHANGE_REQUEST_DETAIL view.
To clarify, for requests that are not created from the Role Missing Entitlements rule, I can get what I need from this SQL:
select rl.MEMBER_TYPE
from AVUSER.PV_CHANGE_REQUEST crq
join AVUSER.VW_CHANGE_REQUEST_DETAILS crd on crq.ID = crd.CHANGE_REQUESTS_ID
left join AVUSER.PV_USER_ACCOUNT_MAPPING uam on crd.OPERAND_ID = uam.ACCOUNT_ID and crd.AFFECTED_USER_ID = uam.USER_ID
left join AVUSER.PV_ROLE rl on crd.PARENT_ENT_ID = rl.ID
where crd.ID = ${jobUserData_ChangeRequestItem.ItemId}
But for requests which are created from the Role Missing Entitlements rule, the crd.PARENT_ENT_ID columns is NULL, so this doesn't work.
Thanks for any and all help!
Hi Chris,
Is the rule you execute dynamic in the sense of it calculates which roles to include? Or will it just execute for any role in your system?
I don't have any samples at hand.. But I think in the rule execution details there are statistics about the number of roles included during execution, violations found etc. Following that track maybe you can find some more details about how that was calculated..
But to be honest I've never retrieved that data..
Yep, I did look at T_AV_RULE_EXECUTION_DATA but I cannot see a way to relate those rows back to the request. If I start with the request, how can I determine what Rule execution created the rows on the PV_CHANGE_REQUEST_DETAILS table?
Hi @TimWillemstein2 (Customer), we edit the rule before execution to run against a specific Role or set of Roles. But I need to determine in the Fulfillment Workflow which Role was included in the Rule execution. I added the SQL I am using in the Workflow to help explain what I am doing. It works for requests that are User submitted and when using the Add Members button within Roles. But it doesn't work for requests created by the Role Missing Entitlements rule.
This is related to the effort I am working on to cancel change-items for Accounts that shouldn't get the access within the Role: Adding AD Groups to Roles with Members Whom Have Multiple Accounts in the Domain Results in | RSA Community
Interesting case, you could always retrieve the rule content from the database. It's in some kind of XML formatting on the table t_av_rules in the column: implementation. Ideal no, but it should tell you which roles were included in your role execution. With some XML parsing you should be able to retrieve what you need.
I had thought of that but (1) there is the possibility that there are multiple Roles included in a single execution of the Rule or (2) there could be multiple executions of the Rule within a short timeframe, such as minutes. These scenarios could result in using the wrong Role for the request and workflow.
Hmm yes I see the issue with that logic... I had a look on the database and I cannot see the correlation to the change request from the parent rule at a glance..
On the monitoring tab for the rule execution I can only see the number of violations etc. but not content..
I get the feeling that these violations are posted with something similar to the webservice API and it just creates a request without creating a link to the calling object in this case the Rule.
Im taking a long shot here.. what if you add something with a rule post processor? That post processor captures the rule execution data and replicates it somewhere for your use and takes the run id of the execution into account so you can have some kind of traceability..
Hmmm...I am not familiar with rule post processors.