Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
No ratings

Security system and endpoints best practice

Rishi
Saviynt Employee
Saviynt Employee

on ‎07/17/2023 11:09 AM

Short Description

This article describes the best practices for security system and endpoint


Applicable version

All version


Detail best practice

Security System

  • Provisioning Limits should be set for “Disable” and “Delete” Task types for all Security systems to avoid any accidental (because of bad data) bulk disable/delete of objects. By default, if not set, it is 5000

Note: This can be configured at the Security System using “Provisioning Threshold” config

  • Provide the "number of tries for provisioning" value, based on your requirement. Providing maximum value of 20 means that the task will remain pending for a long time. 
  • Instant Provisioning should be enabled for at least the Security Systems for which you have a business use case related to “Password Change”. Note - instant provisioning does not perform retries so in case there is a requirement to perform provisioning retries then also configure Wsretry job

Endpoint

  • For onboarding disconnected applications, ensure there is an Provisioning Owner (available from v2021 onwards) added at the endpoint level. This will ensure that the owner will be able to manually complete the tasks from the Pending Tasks list in ARS
  • Define an owner who maintains the details of the endpoint
  • Store data in the customproperties based on the size of the data 
    • CUSTOMPROPERTY1 - 30: varchar 255
    • CUSTOMPROPERTY31 - 45: tinytext
  • While using SQL query to generate account name, use optimized SQL queries to avoid performance impacts
  • Dynamic attributes can also be used for performing complex logic like in case there is a complex logic needed within connector then that can be configured as a dynamic attribute and then referred in connector. For example - AD account to be provisioned to different OU based on say location and this account to be provisioned via a Technical rule. Solution can be to implement a dynamic attribute to calculate OU i.e ${provOU} and use this dynamic attribute in Connection JSON.

A SQL query can be updated in value and default value fields of dynamic attribute, refer below example

select case when ${Location}='India' then 'OU=India,DC=saviynttestlab,DC=com' when ${Location}='China' then 'OU=China,DC=saviynttestlab,DC=com' else 'OU=General,DC=saviynttestlab,DC=com' END as ID;

The generated OU can be used in the accountnamerule on the AD connector to create the full DN for provisioning.

CN=${user.firstname} ${user.lastname},${provOU}

 

Key Benefit 

Improved performance and ease of maintenance


Reference documentation

https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter04-Onboarding-and-Managing-A...

https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter04-Onboarding-and-Managing-A...

0 Kudos
Version history
Last update:
‎06/30/2023 09:52 AM
Updated by:
Saviynt Employee
Contributors
Copyright © 2024 Khoros, LLC