During the EIC2024 in Berlin I had a chat about what data / tables are required to report and analyze some of the classic Identity Governance questions (who has what assigned why, cluster analyzes).
The requirement was to extract/provide this data in an external reporting platform.
Some of the high level requirements
- Data
- Identities
- Organizations
- Organizational Assignments
- Application Roles (Esets)
- Entitlements in Application Roles
- Requests
- Users
- Entitlements
- User <-> Entitlement Relation
- Functionality
- Periodical extraction of the data
- Low footprint to not affect performance
- Low or no need for adoptions if new systems or organizations are onboarded
Based on that my thought was to define what would be the minimum set of tables to extract data and I came up with the following list.
- Person (Identity)
- For Organizational Data
- BaseTree (For all organizational and structural things à Department, Profit Center, Location, ITShop)
- PersonInBaseTree for Secondary Identity <-> Organization Assignments
- OrgRoot
- OrgType
- Products / Assignments
- Eset
- EsetHasEntitlement
- BasetreeHasEset
- AccProduct
- PersonWantsOrg
- For connected Systems
- UNSRoot
- UNSGroup
- UNSAccount
- UNSAccountInUNSGroup
- UNSAccountHasUNSGroup
- SAPUserInSAPRole (as the UNS-Table does not show all relevant information and actual assignments)
Extracting that data would be possible by either copying the contents into shadow tables or by creating a synchronization project writing the data into a staging/shadow database.
It might be necessary to add further data objects to get more details about some entities as especially the UNS* - tables are only views aggregating data.
Any thoughts what might be useful in addition or which other solutions could be thought of?
