Understanding Saviynt IGA Database Relationships – A Developer’s Guide
Saviynt Identity Governance & Administration (IGA) is a powerful platform, but one of the trickiest parts for developers is navigating its relational database schema. If you’re writing analytics queries, building custom reports, or troubleshooting provisioning issues, knowing the relationships between users, accounts, entitlements, roles, and endpoints is essential.
1. Core Building Blocks
Saviynt’s IGA schema revolves around these main entities:
| Table | Purpose | Key Columns |
|---|---|---|
| users | Identity repository for people in Saviynt | USERKEY, USERNAME, EMAIL, FIRSTNAME, LASTNAME, MANAGER |
| accounts | Technical/system accounts across applications/endpoints | ACCOUNTKEY, ACCOUNTID, NAME, ENDPOINTKEY |
| user_accounts | Mapping table that links identities to accounts | USERKEY, ACCOUNTKEY |
| endpoints | Applications/systems managed in Saviynt | ENDPOINTKEY, ENDPOINTNAME, SECURITYSYSTEMKEY |
| account_entitlements1 | Mapping between accounts and entitlements | ACCENTKEY, ACCOUNTKEY, ENTITLEMENT_VALUEKEY |
| entitlement_values | Repository of all entitlements (groups, roles, permissions) | ENTITLEMENT_VALUEKEY, ENTITLEMENT_VALUE, ENTITLEMENTTYPEKEY |
| roles | Business or technical roles in Saviynt | ROLEKEY, PARENTROLES |
| role_entitlements | Mapping between roles and entitlements | ROLEKEY, ENTITLEMENT_VALUEKEY |
Important: Users do not directly map to accounts – they must go through user_accounts.
Similarly, entitlements are connected through account_entitlements1 or role_entitlements.
2. How the Tables Connect
- Users ↔ Accounts via
user_accounts - Accounts ↔ Entitlements via
account_entitlements1 - Accounts ↔ Endpoints via
ENDPOINTKEY - Roles ↔ Entitlements via
role_entitlements
3. Example Queries
A) Users with Accounts in a Specific Endpoint (e.g., Active Directory)
SELECT u.USERNAME, u.FIRSTNAME, u.LASTNAME, a.ACCOUNTID, e.ENDPOINTNAME
FROM users u
JOIN user_accounts ua ON u.USERKEY = ua.USERKEY
JOIN accounts a ON ua.ACCOUNTKEY = a.ACCOUNTKEY
JOIN endpoints e ON a.ENDPOINTKEY = e.ENDPOINTKEY
WHERE e.ENDPOINTNAME = 'Active Directory';
B) Users and Their Account Entitlements
SELECT u.USERNAME, a.ACCOUNTID, ev.ENTITLEMENT_VALUE, et.ENTITLEMENTTYPEKEY
FROM users u
JOIN user_accounts ua ON u.USERKEY = ua.USERKEY
JOIN accounts a ON ua.ACCOUNTKEY = a.ACCOUNTKEY
JOIN account_entitlements1 ae ON a.ACCOUNTKEY = ae.ACCOUNTKEY
JOIN entitlement_values ev ON ae.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
JOIN entitlement_types et ON ev.ENTITLEMENTTYPEKEY = et.ENTITLEMENTTYPEKEY
WHERE u.USERNAME = 'jdoe';
C) Roles and Their Entitlements
SELECT r.ROLEKEY, r.PARENTROLES, ev.ENTITLEMENT_VALUE
FROM roles r
JOIN role_entitlements re ON r.ROLEKEY = re.ROLEKEY
JOIN entitlement_values ev ON re.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY;
4. Visual Recap
You can render this relationship diagram using Mermaid.js (if your blog supports it):
Here’s how to think about the relationships:
users → user_accounts → accounts → endpoints
accounts → account_entitlements1 → entitlement_values
roles → role_entitlements → entitlement_values
Comments
Post a Comment