Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
No ratings
Saviynt Employee
Saviynt Employee

Short Description

This article describes the best practices for security system and endpoint

Applicable version

All version

Detail best practice

Security System

  • Provisioning Limits should be set for “Disable” and “Delete” Task types for all Security systems to avoid any accidental (because of bad data) bulk disable/delete of objects. By default, if not set, it is 5000

Note: This can be configured at the Security System using “Provisioning Threshold” config

  • Provide the "number of tries for provisioning" value, based on your requirement. Providing maximum value of 20 means that the task will remain pending for a long time. 
  • Instant Provisioning should be enabled for at least the Security Systems for which you have a business use case related to “Password Change”. Note - instant provisioning does not perform retries so in case there is a requirement to perform provisioning retries then also configure Wsretry job


  • For onboarding disconnected applications, ensure there is an Provisioning Owner (available from v2021 onwards) added at the endpoint level. This will ensure that the owner will be able to manually complete the tasks from the Pending Tasks list in ARS
  • Define an owner who maintains the details of the endpoint
  • Store data in the customproperties based on the size of the data 
    • CUSTOMPROPERTY1 - 30: varchar 255
    • CUSTOMPROPERTY31 - 45: tinytext
  • While using SQL query to generate account name, use optimized SQL queries to avoid performance impacts
  • Dynamic attributes can also be used for performing complex logic like in case there is a complex logic needed within connector then that can be configured as a dynamic attribute and then referred in connector. For example - AD account to be provisioned to different OU based on say location and this account to be provisioned via a Technical rule. Solution can be to implement a dynamic attribute to calculate OU i.e ${provOU} and use this dynamic attribute in Connection JSON.

A SQL query can be updated in value and default value fields of dynamic attribute, refer below example

select case when ${Location}='India' then 'OU=India,DC=saviynttestlab,DC=com' when ${Location}='China' then 'OU=China,DC=saviynttestlab,DC=com' else 'OU=General,DC=saviynttestlab,DC=com' END as ID;

The generated OU can be used in the accountnamerule on the AD connector to create the full DN for provisioning.

CN=${user.firstname} ${user.lastname},${provOU}


Key Benefit 

Improved performance and ease of maintenance

Reference documentation

Version history
Last update:
‎06/30/2023 09:52 AM
Updated by: