Entitlement Optimization browse entitlements
Use the views and filters in this window to see the activity level of entitlements, and the lineage of the entitlements.
Data is presented in the tab from the first Sunday after you enabled the feature. After the first Sunday, the activities are updated daily.
This information is useful for general entitlement investigation, and to further evaluate recommendations in the Recommendations report. The default view in this window is a bar chart of the datasources with the highest rates of unused privileges.
Entitlement browse shows all the entitlements of the data sources that are defined in the grdAPI with extractEntitlement set to true. This is also the case when activity collection is off and when the user scope and object scopes are defined; you can always search and see the permissions of all the users.
The activity count field results are affected by the userScope parameter, as follows:
- Users that are included in the userScope:
  - Active users appear green and have numerical results in the activity count column
  - Nonactive users appear red and the activity count is "Not active"
- Users that are not included in the userScope:
  - Active users appear green and have numerical results in the activity count column
  - Nonactive users appear gray and the activity count is "unknown"
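The userScope rules above decide whether a nonactive entitlement counts as unused or merely unknown, which in turn drives the default bar chart of datasources with the highest rates of unused privileges. The following added example (not Guardium code; the rows, user names and datasource names are constructed) applies those rules to a small set of entitlement rows and computes the per-datasource unused rate, excluding "unknown" rows from the denominator.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entitlement:
    """One row as shown in the browse table (constructed, hypothetical)."""
    datasource: str
    grantee: str
    verb: str
    obj: str
    lineage: str                   # explicit, implicit, parent role, role hierarchy
    activity_count: Optional[int]  # None when no activity was recorded

# Assumed userScope contents for this example.
USER_SCOPE = {"app_user", "report_user"}

def display_status(e: Entitlement, user_scope=USER_SCOPE):
    """Return (colour, activity-count cell) following the userScope rules."""
    if e.activity_count is not None and e.activity_count > 0:
        return "green", str(e.activity_count)      # active, in scope or not
    if e.grantee in user_scope:
        return "red", "Not active"                 # in scope, confirmed unused
    return "gray", "unknown"                       # out of scope, no evidence

def unused_rate_by_datasource(rows, user_scope=USER_SCOPE):
    """Share of in-scope entitlements that are nonactive, per datasource.
    Gray (unknown) rows are excluded because nothing was collected for them."""
    totals, unused = {}, {}
    for e in rows:
        colour, _ = display_status(e, user_scope)
        if colour == "gray":
            continue
        totals[e.datasource] = totals.get(e.datasource, 0) + 1
        if colour == "red":
            unused[e.datasource] = unused.get(e.datasource, 0) + 1
    return {ds: unused.get(ds, 0) / n for ds, n in totals.items()}

# Constructed sample rows; datasource and user names are placeholders.
SAMPLE = [
    Entitlement("hr-db", "app_user", "SELECT", "employees", "explicit", 42),
    Entitlement("hr-db", "app_user", "DELETE", "employees", "parent role", None),
    Entitlement("hr-db", "report_user", "SELECT", "salaries", "role hierarchy", 1),
    Entitlement("hr-db", "svc_batch", "UPDATE", "salaries", "implicit", None),
    Entitlement("crm-db", "report_user", "SELECT", "accounts", "explicit", 7),
    Entitlement("crm-db", "svc_batch", "SELECT", "accounts", "explicit", 3),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e.datasource, e.grantee, e.verb, e.obj, e.lineage, *display_status(e))
    print(unused_rate_by_datasource(SAMPLE))
```

Rows flagged red are the ones to review against the lineage column; a gray row only says the grantee was outside userScope, not that the privilege is unused.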
Typical investigations are:
- Identify the objects that the user is authorized to access and if the objects are being used by the user.
- Assess whether the user exercised the access rights on the object at the time the access was allowed.
- Are there permissions that are used more than expected?
- Are there permissions that are used only once?
- What is the lineage of the permissions that are unusually used: explicit, or implicit, inherited from a parent role, or role hierarchy?
To get more details on how a specific privilege is used, with full SQL, right-click the DB User or Source program in the Results Table and select the Data Activity (Full SQL by DB User) search.
Unused entitlements are typically one of:
- Action rarely performed, but a valid entitlement. For example, generating a quarterly report.
- Unused and therefore not justified (point of vulnerability).
You can view the entitlement usage for a specific service on a specific server by specifying the server IP and service name. Optionally, you can specify one of the following fields: user name, object name, verb, date range.
The table presents the Grantee type, Grantee, Verb, Name, Activity count, and Lineage. A user can have multiple privilege lineages: explicit, or implicit, inherited from a parent role, or role hierarchy.