Hello,
I’m trying to identify the date that employees were included in a role in order to measure the number of accesses automatically provisioned via RBACs.
I would like to know if there is any search or script to collect this data.
It would also be interesting to have something where I specify the role and it tells me how many accesses were provisioned through it automatically.
Unfortunately, there is no direct information about identifying the exact date employees were included in a role or measuring the number of accesses automatically provisioned via Role-Based Access Controls (RBACs). The search results do not contain specific scripts or search queries to collect this data.
However, some related information can be gleaned from the role and access request data structures:
Roles have a ‘created’ and ‘modified’ datetime field, which could give some indication of when the role was set up or last changed.
Access requests for roles include a ‘created’ datetime field, which could indicate when a user was granted access to a role.
The AccessRequestAdminItemStatus object contains information about access requests, including the request type (which could be role-based) and creation date.
To find out how many accesses were provisioned automatically through a specific role, you might be able to use the following information:
The RoleDocument object contains an ‘access_profile_count’ field, which indicates the number of access profiles included in the role.
It also has an ‘entitlement_count’ field, showing the number of entitlements granted by the role that aren’t associated with access profiles.
The RoleInsightsSummary object provides some aggregate data, including ‘entitlements_included_in_roles’ and ‘identities_with_access_via_roles’, which could give you an overall picture of role-based access across your organization.
To get more detailed or specific information about automatic provisioning through roles, you would likely need to use a combination of API calls and custom scripting to aggregate and analyze the data from these various objects. The exact method would depend on the specific details you need and the structure of your organization’s role and access setup in SailPoint.