Click HERE to see how Saviynt Intelligence is transforming the industry. |
05/23/2024 02:48 PM
How to automatically assign an AD group when someone requests for an application account?
I thought of adding the AD group under 'Entitlements with New Account' but if I add it that way the AD group would be assigned also via Birthright. The requirement is to assign it only when someone requests for an application account
Please let me know. Thank you
05/23/2024 09:52 PM
You can add default entitlement under Entitlement Map.
05/24/2024 04:05 AM
Hi @rushikeshvartak,
I need to assign an AD group when someone requests for an application let's say Hyperion. How can I do it?
05/24/2024 08:08 PM - edited 05/25/2024 08:13 PM
Any idea on how I can implement this use case? Can I do it via Analytics (Provision Access) if the arstasks.source = 'REQUEST'? If yes, what are the things I need to pass to Provision Access via Analytics. Can you guys please give me a sample
Basically, I need to assign certain AD Group to the user if they request for an application (example: Hyperion) account. I don't want to put the AD Group under 'Entitlements with New Accounts' because that way AD group would be assigned also via Birthright
05/27/2024 06:12 AM
@Thriller you can create Actional report based endpoint, if any account request have in pending list then trigger analytic create task like
https://forums.saviynt.com/t5/identity-governance/add-access-actionable-analytics/m-p/66629
Refrence sample query we done some application enable condition based we created add access task :
select distinct a.accountkey AS 'acctKey', '496220' AS 'entvaluekey', a.accountid, a.comments as "Addl Info", u.userkey as 'userKey', u.username AS USER, a.name as accName, u.FIRSTNAME, u.LASTNAME, u.EMAIL AS USER_EMAIL, SYSDATE() AS RUNTIME, 'provisionaccess' as 'Default_Action_For_Analytics', a.endpointkey from users u, user_accounts ua, accounts a, account_entitlements1 ae where a.status in ('ACTIVE','Manually Provisioned','1') and u.userkey = ua.userkey and ua.accountkey = a.accountkey and a.accountkey=ae.accountkey and a.endpointkey in (select endpointkey from endpoints where endpointname ='ISC AD') and u.userkey in (select userkey from arstasks where endpoint in (select endpointkey from endpoints where endpointname ='ORBXXX') AND TASKTYPE = 6 AND STATUS in ('1'));
05/28/2024 01:37 PM - edited 05/28/2024 01:42 PM
Hello,
I added in below code and I was able to generate an 'Add Access' task for AD
select distinct u.username, a.accountkey as acctKey, 'Provision Access' as Default_Action_For_Analytics, a.name as accName, u.userkey as userKey, 171674 as entvaluekey from users u, user_accounts ua, accounts a, arstasks ar where u.userkey = ua.userkey and ua.accountkey = a.accountkey and a.ARSTASKKEY = ar.TASKKEY and a.endpointkey = 140 and a.status in (1, 'Manually Provisioned') and ar.SOURCE = 'REQUEST'
However, I wasn't able to provision the access for AD for the one generated via Analytics. (Task ID: 342830)
I generated 'Add Access' task for the same entitlement via request, and it got completed successfully. (Task ID: 342843)
Do you happen to know the reason why it didn't complete for the one generated via Analytics? Am I missing something?
06/02/2024 05:07 AM
@Thriller Looks same two task same Ad Group , firstgroup it got completed, second task already group added respected user, so it will no action required error expected olny.
05/27/2024 09:46 PM
I need to assign an AD group when someone requests for an application let's say Hyperion. How can I do it?
As mentioned above using Entitlement Map
05/30/2024 08:01 AM
Hi @rushikeshvartak
I don't understand how this works. I need an AD group provisioned for the user whenever a new account gets created via ARS request for Hyperion
06/03/2024 10:39 PM
Can you share logs
05/29/2024 04:30 AM
Hello,
I added in below code and I was able to generate an 'Add Access' task for AD
select distinct u.username, a.accountkey as acctKey, 'Provision Access' as Default_Action_For_Analytics, a.name as accName, u.userkey as userKey, 171674 as entvaluekey from users u, user_accounts ua, accounts a, arstasks ar where u.userkey = ua.userkey and ua.accountkey = a.accountkey and a.ARSTASKKEY = ar.TASKKEY and a.endpointkey = 140 and a.status in (1, 'Manually Provisioned') and ar.SOURCE = 'REQUEST'
However, I wasn't able to provision the access for AD for the one generated via Analytics. (Task ID: 342830)
I generated 'Add Access' task for the same entitlement via request, and it got completed successfully. (Task ID: 342843)
Do you happen to know the reason why it didn't complete for the one generated via Analytics? Am I missing something?
Hello,
I added in below code and I was able to generate an 'Add Access' task for AD
select distinct u.username, a.accountkey as acctKey, 'Provision Access' as Default_Action_For_Analytics, a.name as accName, u.userkey as userKey, 171674 as entvaluekey from users u, user_accounts ua, accounts a, arstasks ar where u.userkey = ua.userkey and ua.accountkey = a.accountkey and a.ARSTASKKEY = ar.TASKKEY and a.endpointkey = 140 and a.status in (1, 'Manually Provisioned') and ar.SOURCE = 'REQUEST'
However, I wasn't able to provision the access for AD for the one generated via Analytics. (Task ID: 342830)
I generated 'Add Access' task for the same entitlement via request, and it got completed successfully. (Task ID: 342843)
Do you happen to know the reason why it didn't complete for the one generated via Analytics? Am I missing something?