
Filtering specific accounts from a User Access Review

Question asked by William May on Aug 3, 2017
Latest reply on Aug 8, 2017 by William May

I am looking for a way to filter out certain accounts from a User Access Review or have them assigned to different reviewers.

 

The situation is that I have a User Access Review that contains user owned accounts from about 80 different applications that are being reviewed by the User's Manager. However, in one such application I have a unique way of managing service accounts. The service account is mapped to the owner of that account, and a custom attribute is set to flag it as a service account. These accounts need to be reviewed by the Owner themselves (not the manager of the owner), and therefore, I need a way to exclude them from the review, and create a separate review definition, or I need a way to have a subset of accounts reviewed by the owner vs the manager.

 

For the latter approach, I looked into using a coverage file; however, I'm unaware of being able to dynamically assign a reviewer to an account without creating a coverage file entry for each and every account. Sample SQL below, where "dynamic statement" would pass the account ID during runtime. This is not possible to my knowledge.

 

User_ID=(SELECT User_ID from T_Av_User_Account_Mappings where ADC_ID='1234' and deletion_date is null and state='VA' and Is_deleted_user='n' and account_ID=(dynamic statement))

 

That being said, I think I'm left with excluding these accounts from the UAR definition and creating a separate definition to handle the "self review" assignment. However, if I apply the filter at the User Selection phase, it would filter out ANY accounts owned by that user. Alternatively, if I try and write some complex Group/App-role/Ent filtering criteria, it would filter out any entitlements assigned to those and any other accounts assigned that same entitlement that I don't want filtered out.

 

Any clever suggestions?

 

Running on 7.0.1 P02_HF08
