pruthvi_t
Saviynt Employee

Problem statement:

How do you configure out-of-band access detection for an endpoint?

Context:

Typically, access is provisioned to a user's account in one of the following ways:

  1. Through EIC provisioning
  2. In another co-existing Identity and Access Management (IAM) platform
  3. Assigning access directly on the target system

What is out of band access?

Out-of-band access is access granted to a user account outside of EIC, that is, assigned directly on the target (third-party) application rather than provisioned through EIC.

EIC provides out-of-band access detection, which detects and revokes access that was assigned on the target system rather than provisioned by EIC.

EIC records a task ID on every account-to-entitlement mapping it provisions. A mapping that has no task ID therefore has no EIC audit trail, and the feature treats it as out-of-band access, whether it was assigned directly on the target system or through a co-existing IAM platform.

Note: You can set the out-of-band access detection configuration at the endpoint level.

Depending on the option selected in Action for Out of Band Access Detection on the Endpoint Details tab (ADMIN > Identity Repository > Security Systems > Endpoints), running the Revoke Out of Band Access job creates either Deprovision Access tasks, or Deprovision Access tasks together with a Re-create Access request, for access that was not provisioned through EIC.

Solution :

Perform the following actions to activate out-of-band access detection:
1. Bootstrap the existing access at the endpoint. Update every existing account-entitlement entry for the endpoint with a dummy task key. This baselines the current state, so access that was already in place before detection is enabled is not treated as out of band and revoked.

2. Update the endpoint:

  1. Go to ADMIN > Identity Repository > Security Systems > Endpoints.
  2. Select the endpoint for which out-of-band access detection is to be set.
  3. On the endpoint details page, select one of the following options as required:
  • Deprovision access: deprovisions access for accounts that received access other than through ARS or import.
  • Deprovision access and re-create access request: deprovisions access for accounts that received access other than through ARS or import, and additionally creates a re-create access request for such accounts.

3. Run the Revoke Out of Band Access job (RevokeOutOfBandAccessJob) from the Job Control Panel (Admin > Job Control Panel) to revoke the out-of-band access provided to the user.

Note: Deprovisioning tasks are created only for access whose task is not present in EIC (an empty taskkey in the account entitlements table).
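The following is an added example, not Saviynt code and not taken from the post. It models the detection rule described in the Context section (a mapping with an empty task key has no EIC audit trail and is out of band) together with the three-step procedure above, so the effect of the bootstrap and of the endpoint action can be checked offline. The row layout, the dummy task key value, the endpoint and account names, and the access records are all constructed assumptions; in EIC the bootstrap is a data update on the real account entitlements table. The scenario also shows the failure mode a practitioner cares about: if step 1 is skipped, access that existed before detection was enabled is revoked along with the genuinely out-of-band access.

```python
"""Added example (not Saviynt code): a model of EIC out-of-band access detection.

Rule modelled from the post: an account-to-entitlement mapping whose taskkey is
empty has no EIC audit trail and is treated as out of band. Row layout, the
dummy task key value and all sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed placeholder stamped on pre-existing access during bootstrap (step 1).
BOOTSTRAP_TASKKEY = "OOB-BASELINE"

# The two options offered on the Endpoint Details tab.
DEPROVISION = "Deprovision access"
DEPROVISION_AND_RECREATE = "Deprovision access and re-create access request"


@dataclass
class AccountEntitlement:
    """One row of the account-entitlement mapping (simplified, assumed layout)."""
    account: str
    endpoint: str
    entitlement: str
    taskkey: Optional[str] = None  # set by EIC provisioning; empty when picked up by import


@dataclass
class Endpoint:
    name: str
    oob_action: Optional[str] = None  # None: detection not configured for this endpoint


def bootstrap_endpoint(rows: List[AccountEntitlement], endpoint: str) -> int:
    """Step 1: baseline current access by stamping a dummy taskkey on every
    mapping of the endpoint that has none. Returns the number of rows stamped."""
    stamped = 0
    for row in rows:
        if row.endpoint == endpoint and not row.taskkey:
            row.taskkey = BOOTSTRAP_TASKKEY
            stamped += 1
    return stamped


def revoke_out_of_band_access_job(
    rows: List[AccountEntitlement], endpoints: Dict[str, Endpoint]
) -> List[Tuple[str, str, str, str]]:
    """Step 3: for each endpoint with an action configured, every mapping with an
    empty taskkey gets a deprovision task; the second option also raises a
    re-create access request for the same account and entitlement."""
    tasks: List[Tuple[str, str, str, str]] = []
    for row in rows:
        cfg = endpoints.get(row.endpoint)
        if cfg is None or cfg.oob_action is None:
            continue  # detection not enabled at this endpoint
        if row.taskkey:
            continue  # provisioned by EIC (or baselined): an audit trail exists
        tasks.append(("DEPROVISION", row.account, row.endpoint, row.entitlement))
        if cfg.oob_action == DEPROVISION_AND_RECREATE:
            tasks.append(("RECREATE_REQUEST", row.account, row.endpoint, row.entitlement))
    return tasks


def run_scenario(bootstrap_first: bool, action: Optional[str] = DEPROVISION):
    """Constructed scenario: 'AD-Prod' already holds one imported mapping (alice,
    no taskkey) and one EIC-provisioned mapping (bob). After detection is
    configured, an import brings in carol's membership, granted directly on
    the target and never requested in EIC."""
    rows = [
        AccountEntitlement("alice", "AD-Prod", "Domain Admins"),                 # pre-existing, imported
        AccountEntitlement("bob", "AD-Prod", "VPN-Users", taskkey="TASK-1001"),  # provisioned by EIC
        AccountEntitlement("dave", "HR-App", "Payroll-Admin"),                   # endpoint with detection off
    ]
    if bootstrap_first:
        bootstrap_endpoint(rows, "AD-Prod")
    endpoints = {"AD-Prod": Endpoint("AD-Prod", action), "HR-App": Endpoint("HR-App")}
    # Later import of access assigned directly on the target: no taskkey.
    rows.append(AccountEntitlement("carol", "AD-Prod", "Domain Admins"))
    return revoke_out_of_band_access_job(rows, endpoints)


if __name__ == "__main__":
    print("with bootstrap:   ", run_scenario(True))
    print("without bootstrap:", run_scenario(False))
    print("with re-create:   ", run_scenario(True, DEPROVISION_AND_RECREATE))
```

With the bootstrap done first, only carol's directly assigned membership produces a deprovision task; without it, alice's pre-existing membership is revoked as well, which is why step 1 must precede the job. The HR-App row never produces a task because no action is configured at that endpoint, matching the note that the configuration is set per endpoint.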

 

Comments
rushikeshvartak
All-Star

Dummy taskkey? What is the dummy value? Is it the same for all endpoints?

Version history
Last update: 03/02/2023 10:42 AM