Entitlement Optimization Browse entitlements

Use the views and filters in this window to see the activity level of entitlements, and the lineage of the entitlements.

Data is presented in the tab from the first Sunday after you enabled the feature. After the first Sunday, the activities are updated daily.

This information is useful for general entitlement investigation, and to further evaluate recommendations in the Recommendations report. The default view in this window is a bar chart of the datasources with the highest rates of unused privileges.

Entitlement browse shows all the entitlements of the data sources defined in the grdAPI that have extractEntitlement available. This is true if the activity collection is off, and if the user scope and object scopes are defined. You can always search and see the permissions of all the users.

The activity count field results are affected by the userScope parameter, as follows:

Users that are included in the userScope:
- Active users appear green and have numerical results in the activity count column
- Non-active users appear red and the activity count is "Not active"
Users that are not included in the userScope:
- Active users appear green and have numerical results in the activity count
- Non-active users appear gray and the activity count is "unknown"

Typical investigations are:

Determine which objects a user has permissions for and whether he uses them
Determine whether a user utilized his permission on an object at the specific time it was permitted
Are there permissions that are used more than expected?
Are there permissions that are used only once?
What is the lineage of the permissions that have been unusually utilized: explicit, or implicit, inherited from a parent role, or role hierarchy?

To get more details on how a specific privilege is used, with full SQL, you can search for Data Activity (Investigate > Search for Data Activity), right-click the DB User or Source program in the Results Table, and select Full SQL by DB User.

Unused entitlements are typically one of:

Action rarely performed, but a valid entitlement, for example generating a quarterly report
Unused and therefore not justified (point of vulnerability)

To view entitlement usage on a specific service on a specific server:

On the left side, select a server IP and service.
Filter by one or more of: Name, Object Name.
Optionally enter a Verb or date range.

Figure 1. Selecting entitlement criteria

The table presents the Grantee type, Grantee, Verb, Name, Activity count, and Lineage. A user can have multiple privilege lineages: explicit, or implicit, inherited from a parent role, or role hierarchy.