04/12/2022 01:17 PM
Hello,
Is it possible to assign existing Active Directory groups to new AD accounts provisioned through Saviynt? If so, is it possible to assign these AD groups based on what the user's employee type is in Saviynt?
Thanks,
Aundre
04/12/2022 02:53 PM
Hi Aundre,
Could you please elaborate on this in brief?
Regards
Nikita
04/12/2022 02:53 PM
Hi Nikita,
Yes, I am trying to assign users to Active Directory groups. Flow should be like below.
User is created in Saviynt -> AD account creation task runs -> in Active Directory they are assigned a security group based on what their employee type is in Saviynt.
Thanks,
Aundre
04/12/2022 02:53 PM
Can anyone provide some guidance here?
04/12/2022 02:53 PM
Aundre,
From what I can understand, this looks like an issue that can be solved using Technical Rules.
Regards,
Avinash Chhetri
04/12/2022 02:53 PM
Hi Avinash,
Technical Rules wouldn't apply here. This is something that would need to be applied at Active Directory account creation time, assigning an Active Directory group to a user. It must be through the connection, but the question is how do you do that? The documentation doesn't provide any guidance.
04/12/2022 02:53 PM
Hi Aundre,
You'd said "User is created in Saviynt -> AD account creation task runs", which made me think/point towards a Technical Rule.
Will the AD account be raised as a request instead?
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
The issue isn't with creating an AD account; that works fine. I'm looking for guidance on assigning an existing Active Directory group at the time the account is created. Can this be done? If it can, is it possible to assign groups based on the Employee type?
04/12/2022 02:54 PM
Hi Aundre,
The reason I'm asking whether it is a request or not is because (creation of) request and tasks are two different processes in Saviynt.
Creating an AD account is possible, both as a request or a task, and I am not sure which one you are using.
Now, getting back to your question.
1) Through a Technical Rule it is possible to assign an entitlement based on a user attribute.
2) Through a Request, this is not possible. You can use access queries filter to restrict what to show/hide as entitlements at the time of request but not auto select any entitlements.
There is a config at the endpoint level, "Entitlements With New Account" that will allow you to assign an entitlement with new accounts automatically, again that would be for all users and not based on any specific user attributes.
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
We are creating AD accounts through tasks. So I see that entitlements can be imported groups. So you are saying it would be possible to use a technical rule to assign one of these entitlements to a user based on a user attribute, in our case we want to use Employee Type, contractors get certain entitlements and regular employees would get another.
04/12/2022 02:54 PM
Hi Aundre,
Can you elaborate on the process when you say "We are creating AD accounts through tasks"?
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
We import users via Workday. We have a technical rule that detects these imported users and then creates various tasks to create an AD, Exchange, and Zoom account. We then run a job to complete these tasks.
Can you confirm if we can create a technical rule to assign an entitlement to the user?
04/12/2022 02:54 PM
Yes Aundre, Technical Rules can be used to assign entitlements.
The "Condition" section can be used to configure the user attribute conditions and the "Action" can be an entitlement addition.
Please check the documentation link for Technical Rules.
https://saviynt.freshdesk.com/a/solutions/articles/43000431680
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
Hi Avinash,
The documentation mentions you can select Endpoint or EndpointName::EntitlementType; however, neither of these options is available when I search for them. Any ideas?
Thanks,
Aundre
04/12/2022 02:54 PM
Aundre,
The endpoint is the name of the endpoint, like Active Directory.
Here's a sample of "How To" create an account and assign entitlements in a technical rule.
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
So the only option I have is Active Directory::Groups and not member of.
04/12/2022 02:54 PM
Aundre,
You are seeing Groups because the entitlementType you have for AD has a display name of Groups; the actual entitlementType for AD is still memberof.
You can view this from Endpoints > Entitlement Types and clicking on the icon highlighted.
Do you have any entitlements reconciled as part of this endpoint, and are they active? If yes, then these should show up as shown.
Regards,
Avinash Chhetri
04/12/2022 02:54 PM
Thanks Avinash, the entitlement had no status. After updating this to Active it is now working. You can close this.