SoD violation with same function

sandeepsingh
New Contributor III

Hello All,

We have a scenario for one application that has 10 entitlements (ent1 - ent10) in one group, and if a user requests access or has access to any one of them from the group, they cannot request another one from the same group.

So to achieve this we created 1 function with all 10 entitlements with "or" and then added the same function as function1 and function2 of the risk. In this case, a fresh user requesting his/her first entitlement also throws an SoD violation. We would like to know how we can fix this.

3 REPLIES

sai_sp
Saviynt Employee

@sandeepsingh This can be driven through ARS itself. You would not need SOD.

You can use dynamic attributes in the requests to filter by the group, and then you can have only one entitlement being requested at once using the 'single select' option in the entitlementtype configurations.

This will restrict users from requesting multiple entitlements from the same group.

prachi
Regular Contributor II

Hi @sai_sp ,

I have a similar requirement as described, and we have multiple groups (around 20 groups), each with a set of 7-8 entitlements belonging to the same group.

Users cannot have the accesses from the same group. So would this require me to create 20 different entitlement types? Is that correct?

If that's the case, then do we have any alternate approach to achieve this?

Thanks in advance

sai_sp
Saviynt Employee

You can use the same approach I've mentioned above. Use dynamic attributes to select the group and then have a single-select drop-down for the entitlement type; then you will only be able to request one entitlement from each group.
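
The rule discussed in this thread, modelled as an added example (not part of any post and not Saviynt code): it assumes a risk fires when a user matches function1 and function2, under which a single entitlement satisfies both sides when the same function is used twice, and sets beside it a per-group "at most one" check. The group names, the `groupB` entitlements and all function names are constructed for illustration.

```python
# Added illustration; not Saviynt code. Group data below is constructed.
GROUPS = {
    "groupA": {f"ent{i}" for i in range(1, 11)},  # ent1..ent10 from the question
    "groupB": {"entB1", "entB2", "entB3"},        # constructed second group
}


def pairwise_sod_violation(held, function1, function2):
    """Assumed risk model: violation when the user matches function1 AND function2."""
    return bool(held & function1) and bool(held & function2)


def group_conflicts(held, requested, groups=GROUPS):
    """Return {group: entitlements} for each group where held + requested
    would leave the user with more than one entitlement from that group."""
    combined = set(held) | set(requested)
    conflicts = {}
    for name, members in groups.items():
        overlap = combined & members
        if len(overlap) > 1:
            conflicts[name] = sorted(overlap)
    return conflicts


def decide(held, requested, groups=GROUPS):
    """Allow the request only if no group ends up with two or more entitlements."""
    conflicts = group_conflicts(held, requested, groups)
    return ("deny", conflicts) if conflicts else ("allow", {})


if __name__ == "__main__":
    func = GROUPS["groupA"]
    # Same function on both sides: the first entitlement alone is flagged.
    print(pairwise_sod_violation({"ent1"}, func, func))
    # Per-group check: first entitlement passes, a second from the group does not.
    print(decide(set(), {"ent1"}))
    print(decide({"ent1"}, {"ent4"}))
    # One entitlement from each of two different groups is fine.
    print(decide({"ent1"}, {"entB2"}))
```

The per-group check scales to the 20-group case by adding entries to the mapping rather than adding one rule per pair of entitlements.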