This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Identity Governance & Lifecycle Discussions

Discussions about RSA Identity Governance & Lifecycle.
MohammedSouadji
Beginner
Beginner
‎2016-07-19 09:02 AM

[Custom Aveksa Entitlements] View a specific application (or directory)

Jump to solution

Hi,

 

I want to create a new Entitlement that allow to a user to view all account of a specific application (Directory), I do not found Secure Object Type=Account with Action=View, so i want create an Entitlement that allow to a user to view all the application or the directory (just view)

For that i create a SecurityContext.csv file with this entry for active directory accounts

 

SECURE_OBJECT_TYPE,NAME,ACTION,IMPLICIT_HAS_QUERY,IMPLICIT_BS_CHANGE,IMPLICIT_BU_CHANGE,SCOPE_TABLE,SCOPE_FILTER

Directory,View Ad Directory,View,,,,t_applications,lower(name)='active directory'

 

Note: active directory is a directory not an application.

I grant this entitlement to a user but he can not see the directory, it display Error on Directory name

pastedImage_3.png

Can you please explain me how i can create the SecurityContext.csv file

 

Regards.

Reply
1 Solution

Accepted Solutions
VenkataRamanaR1
Moderator Moderator
Moderator
‎2016-07-21 06:32 AM

Jump to solution

I have wrongly suggested to specify scope which caused the entitlement to be scoped to business source and was then getting automatically assigned to users when business source is edited. Please use the below one to achieve what you need (I have removed scope in middle and have changed name as well (there is some issue with creating entitlement of same name that is earlier scoped..))

 

Users will now get this only when explicitly granted to them.

 

Directory,View Active Directory,View,,,,t_applications,lower(scope.name)='active directory'

View solution in original post

Reply
10 Replies
VenkataRamanaR1
Moderator Moderator
Moderator
‎2016-07-19 10:12 AM

Jump to solution

The issue here seems to be with how the query gets constructed to fetch directories when there is a security scope. The column name you have used (name) seem to get into conflict... Try changing the line to below

(adidition of scope and name changed to scope.name) and it should work...

 

(Editing below to correct it)

 

Directory,View Active Directory,View,,,,t_applications,lower(scope.name)='active directory'

Reply
MohammedSouadji
Beginner
Beginner
In response to VenkataRamanaR1
‎2016-07-20 10:37 AM

Jump to solution

Hi Ramana,

 

When i upload the file SecurityContext.csv with

SECURE_OBJECT_TYPE,NAME,ACTION,IMPLICIT_HAS_QUERY,IMPLICIT_BS_CHANGE,IMPLICIT_BU_CHANGE,SCOPE_TABLE,SCOPE_FILTER

Directory,View Ad Directory,View,,scope,,t_applications,lower(scope.name)='active directory'

 

i notice that entitlement are granted to all users and i can not remove it Security Fulfillment Handler Failure

0 Likes
Reply
VenkataRamanaR1
Moderator Moderator
Moderator
In response to MohammedSouadji
‎2016-07-20 11:54 AM

Jump to solution

Hi, All the users? I realized now that i have made a mistake with this suggestion. The scope was used wrongly here...

Can you remove the line from SecurityContext file and reupload it from UI. Does that remove the entitlements from the users? If that does not work, can you give me results of below queries to understand how many users have the entitlement..

 

select * from t_entitlements where action_name = 'View Ad Directory' and RESOURCE_NAME = 'Directory';

 

select count(*) from t_av_explodeduserentitlements where entitlement_id

in (select id from t_entitlements where action_name = 'View Ad Directory' and RESOURCE_NAME = 'Directory')

and entitlement_type = 'ent' and deletion_date is null;

0 Likes
Reply
MohammedSouadji
Beginner
Beginner
‎2016-07-21 05:55 AM

Jump to solution

Hi,

I deleted the SecurityContext.csv file using ui, but the entitlement still in the users

pastedImage_0.png

The entitlement are granted for all used users

pastedImage_1.png

Regards.

0 Likes
Reply
VenkataRamanaR1
Moderator Moderator
Moderator
‎2016-07-21 06:04 AM

Jump to solution

Please use below query to forcefully delete that entitlement from users.. PLEASE MAKE SURE that this only updates 12 rows (as returned by your previous query) before you make a commit.

 

update t_av_explodeduserentitlements set deletion_date = sysdate where entitlement_id

in (select id from t_entitlements where action_name = 'View Ad Directory' and RESOURCE_NAME = 'Directory')

and entitlement_type = 'ent' and deletion_date is null;

Reply
VenkataRamanaR1
Moderator Moderator
Moderator
‎2016-07-21 06:32 AM

Jump to solution

I have wrongly suggested to specify scope which caused the entitlement to be scoped to business source and was then getting automatically assigned to users when business source is edited. Please use the below one to achieve what you need (I have removed scope in middle and have changed name as well (there is some issue with creating entitlement of same name that is earlier scoped..))

 

Users will now get this only when explicitly granted to them.

 

Directory,View Active Directory,View,,,,t_applications,lower(scope.name)='active directory'

View solution in original post

Reply
MohammedSouadji
Beginner
Beginner
‎2016-07-21 08:30 AM

Jump to solution

thank you Ramana, it works for me

0 Likes
Reply
DevikaSunil
Beginner
Beginner
In response to VenkataRamanaR1
‎2017-01-16 05:51 AM

Jump to solution

Hi Venkat,

Would you please let me know what scope_table & scope_filter can be used to customize access to:

1. Reports based on names, scope and filter conditions

2. Reviews based on their names & business source

0 Likes
Reply
VenkataRamanaR1
Moderator Moderator
Moderator
In response to DevikaSunil
‎2017-01-17 05:27 AM

Jump to solution

Please check below videos on how to use the custom security entitlements...

 

Video Link : 21457 

Video Link : 21458 

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.