Access Query parameter in Endpoint does not work as specified

Community_User
Saviynt Employee
Originally posted on June 5 2020 at 11:16 UTC

In a nutshell, it is specified to do the following:

"Used to enter the query to filter access and only display this End Point for the allowed identity objects given in the access query."


Used Saviynt version: 5.3.2


Background for our needs:

We use this parameter to limit requesting access to the Endpoint to a limited group of users while the Endpoint creation is in progress and not yet finalized.

Entitlements under the endpoint have accounts connected, especially when these are Active Directory connected Endpoints and there are members already in the related AD groups.


Example content of Access Query parameter we use:

WHERE users.email='fname.snamen@company.com' or users.email='aname.lname@business.com'


Description of the malfunction:

The Access Query filter works properly only for users who do not have accounts in entitlements under this endpoint.

Users who happen to have an account in at least one entitlement under this Endpoint will be able to see the Endpoint on the Request Access page and will also be able to modify their access, meaning request new entitlements and remove existing ones.


This is not wanted, and it is also not specified in the Saviynt documentation.

Also related to the same issue: even disabling the Endpoint does not remove it from the Request Access page for users who have an account in even one entitlement under the Endpoint.


Questions:

1. How can we achieve, in the current Saviynt release, that the Endpoint is shown only to defined users, regardless of whether they have accounts in the Endpoint or not?

2. When, and in what release of Saviynt, will you correct this issue?

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on June 5 2020 at 18:12 UTC

Hi Kristiina,


I tested this feature in my implementation of version 5.3.2, and the system is working as expected.

There are active user accounts (example: a12345) having entitlements in endpoint1, but when the access query config does not include those users (I used something like < where users.username!='a12345' >), then endpoint1 does not show up in 'Request access for others' > 'Application list' for them (for a12345).


Hence I am not sure what other set of configurations is present in your implementation that's causing this issue, but other standard implementations of this version do not have this issue. I would suggest that you try configuring the access query with only one user by explicitly disallowing him (like my example above) and test - this will confirm whether the configuration is being picked up or not. Then you can tweak the query to your needs and test again.


I also do not see any internal ticket regarding this issue, hence no correction is scheduled for any future release.
