Multi-Level Role Inheritance Reporting for Audit Dashboard Using Database Views

Hi All,

I am working on a dashboard to audit roles assigned to users where the role name contains the “admin” keyword, and I need suggestions for handling multi-level role inheritance from sys_user_role_contains.

Example:

  • User added to Group A
  • Group A has Role X
  • Role X contains multiple child roles
  • Those child roles contain more roles

Since Database Views are not recursive, what is the best approach to report complete inherited role hierarchy for audit dashboards?

Are people using:

  • fixed-level DB views,
  • Script Includes with recursion,
  • or some other approach?

Would appreciate suggestions from anyone who has implemented something similar.

Hi @Community Alums,

I understand a bit better. Can you provide an example of the result you want?


In the meantime, if you have the Security Center installed and updated, you should be able to see the following scan:

/nav_to.do?uri=scan_script_only_check.do?sys_id=81e964ebeb8dc610dfdff07fbad0cd94

It should be easy to make a new one that will give you the list of users when the role.name contains 'admin'.
Then you should be able to report on the scan results.

Well, I am not sure if you want to list the users who have a role with "admin" or the roles that would contain an "admin" role.

Regards,
Philippe

Hi Philippe,

Thank you for the clarification.

I am looking for the list of users who have roles where the role name contains “admin.”

For audit purposes, I also need to identify how each role was assigned to the user, such as:

  • Direct role assignment
  • Role inherited through a group
  • Role inherited through a group role
  • Role-to-role inheritance

Ideally, I would like to see the full inheritance path directly in the report or scan results, instead of having to open the inheritance map for each user manually.

Please let me know if this can be achieved through a Security Center scan or if a custom scan/report would be the best approach.

Regards,

Shruti
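The recursive walk the original question asks about, and the four assignment paths Shruti lists (direct, group, group role, role-to-role), as an added example that is not part of this thread and not ServiceNow code. It runs in plain Node over constructed in-memory rows that mirror the four tables named here (sys_user_has_role, sys_user_grmember, sys_group_has_role, sys_user_role_contains); on an instance the same walk would live in a Script Include reading those tables with GlideRecord. All user ids, group names and role names below are made up, and the cycle in sys_user_role_contains is deliberately constructed to show why a recursive report needs a cycle guard.

```javascript
// Constructed sample rows. Table and column names follow ServiceNow's;
// every value is invented for this example.
const tables = {
  sys_user_has_role: [              // direct assignment
    { user: "u_alice", role: "itil" },
    { user: "u_bob", role: "security_admin" },
  ],
  sys_user_grmember: [              // group membership
    { user: "u_alice", group: "Group A" },
  ],
  sys_group_has_role: [             // roles granted to a group
    { group: "Group A", role: "role_x" },
  ],
  sys_user_role_contains: [         // parent "role" contains child "contains"
    { role: "role_x", contains: "catalog_admin" },
    { role: "catalog_admin", contains: "knowledge_admin" },
    { role: "knowledge_admin", contains: "role_x" }, // constructed containment cycle
    { role: "itil", contains: "itil_admin" },
  ],
};

const ADMIN_PATTERN = /admin/i; // the audit filter: role name contains "admin"

// Depth-first walk over role-to-role containment. Every role reached is
// recorded together with the human-readable path that reached it. A role
// already on the current path is not re-entered, so containment cycles
// terminate while every distinct acyclic path is still reported (an auditor
// wants to see each way a role was obtained, not just the first).
function expandRole(role, source, steps, rolesOnPath, tables, out) {
  out.push({
    role: role,
    source: source,                        // "direct" or "group"
    inherited: steps.length > (source === "direct" ? 1 : 2), // via sys_user_role_contains
    path: steps.join(" > "),
  });
  tables.sys_user_role_contains
    .filter((r) => r.role === role)
    .forEach((r) => {
      if (rolesOnPath.indexOf(r.contains) !== -1) return; // cycle guard
      expandRole(r.contains, source, steps.concat("contains:" + r.contains),
                 rolesOnPath.concat(r.contains), tables, out);
    });
}

// All roles a user holds, with one entry per distinct inheritance path.
function resolveUserRoles(userId, tables) {
  const out = [];
  tables.sys_user_has_role
    .filter((r) => r.user === userId)
    .forEach((r) => expandRole(r.role, "direct", ["direct:" + r.role], [r.role], tables, out));
  tables.sys_user_grmember
    .filter((m) => m.user === userId)
    .forEach((m) => {
      tables.sys_group_has_role
        .filter((g) => g.group === m.group)
        .forEach((g) => expandRole(g.role, "group",
                                   ["group:" + m.group, "group role:" + g.role],
                                   [g.role], tables, out));
    });
  return out;
}

// The dashboard rows: only roles whose name matches the admin filter.
function adminRolesFor(userId, tables) {
  return resolveUserRoles(userId, tables).filter((e) => ADMIN_PATTERN.test(e.role));
}

// Stand-alone run: print the audit rows for the constructed users.
["u_alice", "u_bob"].forEach((u) => {
  adminRolesFor(u, tables).forEach((e) => {
    console.log(u + "\t" + e.role + "\t" + e.source + (e.inherited ? " (role-to-role)" : "") + "\t" + e.path);
  });
});
```

Because the path is built as a string per row, the output can be written straight into a custom table that the dashboard reports on, which is the usual way to get recursive results in front of a Database-View-based report. The `rolesOnPath` guard is what makes the knowledge_admin -> role_x loop harmless; without it the walk never returns.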