04/12/2022 01:05 PM
Hi Team,
I am using Saviynt V5.5 and created endpoints for O365 and AD under a single Security System. I have configured the same under the Endpoint filter also.
I want to import only entitlements related to O365.
Please suggest how to achieve this.
Thanks,
Sitarasmi
04/12/2022 02:21 PM
Which one is the primary endpoint and which is the secondary?
In a security system there is one primary endpoint and the others are its child (secondary) endpoints.
e.g.
Here the AD endpoint is the primary endpoint and Salesforce AD-Application and Box AD-Application are child endpoints.
We define the entitlements of specific child endpoints (applications) as shown below:
{
    "Salesforce AD-Application": [
        {
            "memberOf": [
                "CN=SFDC_Admin,OU=ActiveGroups,DC=abc,DC=com",
                "CN=SFDC_Users,OU=ActiveGroups,DC=abc,DC=com"
            ]
        }
    ],
    "Box AD-Application": [
        {
            "memberOf": [
                "CN=Box_Admin,OU=ActiveGroups,DC=abc,DC=com",
                "CN=Box_Users,OU=ActiveGroups,DC=abc,DC=com"
            ]
        }
    ]
}
Please elaborate your requirement.
04/12/2022 02:21 PM
Hi Pramod,
AD is primary and O365 is secondary. There are other secondary endpoints like Internet/VPN etc. I have created all the respective endpoints inside one Security System for AD.
Now I am facing an issue while assigning users to the respective groups for a child entitlement.
For example, I want to assign a user to the Internet group based on the division, so I configured the technical rule below:
If Users.Division = 'IT'
Then
Assign InternetDev::memberOf - CN=DEV_BoC Internet - IT Ops
This is the child endpoint group for Internet, but the user is not getting assigned to this group.
When I try with the AD primary endpoint mapping, the user gets added to the group:
AD::memberOf - CN=DEV_BoC Internet - IT Ops
Could you please guide how to add a user to a child entitlement group?
Thanks,
Sitarasmi
04/12/2022 02:21 PM
Here you need to define the "Create Account" action in your technical rule as well, so if the user doesn't have an account at the secondary endpoint it will first create the account (actually it doesn't provision an account on the target system; it is just a marker account in SSM to manage the relationship).
Try the sample technical rule below.
Here Salesforce AD-Application is the secondary endpoint.
If Users.Location EQUALS "UST"
Then
Create Account on Salesforce AD-Application
AND Assign Groups::CN=SFDC_Users,OU=ActiveGroups,DC=savpoc,DC=com
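An added illustration, not Saviynt's own code and not from this thread: a small Python check that reads an endpoint filter in the shape posted above and flags a technical rule that assigns a child-endpoint group without a Create Account action on that child endpoint (the failure mode described in this thread). The endpoint and group names are constructed from the thread's examples, and representing a rule's actions as tuples is an assumption of this example.

```python
import json

# Constructed endpoint filter in the shape shown above: child endpoint -> entitlements.
ENDPOINT_FILTER = json.loads("""{
  "Salesforce AD-Application": [{"memberOf": [
      "CN=SFDC_Admin,OU=ActiveGroups,DC=abc,DC=com",
      "CN=SFDC_Users,OU=ActiveGroups,DC=abc,DC=com"]}],
  "Box AD-Application": [{"memberOf": [
      "CN=Box_Admin,OU=ActiveGroups,DC=abc,DC=com",
      "CN=Box_Users,OU=ActiveGroups,DC=abc,DC=com"]}]
}""")
PRIMARY = "AD"  # the primary endpoint owns every group not claimed by a child


def group_owner(group, endpoint_filter=ENDPOINT_FILTER, primary=PRIMARY):
    """Return the child endpoint whose filter lists this group, else the primary."""
    for endpoint, entries in endpoint_filter.items():
        for entry in entries:
            if group in entry.get("memberOf", []):
                return endpoint
    return primary


def check_rule(actions, endpoint_filter=ENDPOINT_FILTER, primary=PRIMARY):
    """Validate a technical rule given as a list of actions (assumed shape):
         ("create_account", endpoint)  or  ("assign", endpoint, group)
    Returns a list of problems; an empty list means the rule is consistent.
    Assigning through the primary endpoint is always allowed (it worked for the
    poster); assigning through a child endpoint needs a marker account there."""
    problems = []
    has_account = {primary} | {a[1] for a in actions if a[0] == "create_account"}
    for action in actions:
        if action[0] != "assign":
            continue
        _, endpoint, group = action
        if endpoint == primary:
            continue
        owner = group_owner(group, endpoint_filter, primary)
        if owner != endpoint:
            problems.append(f"{group} is filtered under {owner}, not {endpoint}")
        elif endpoint not in has_account:
            problems.append(f"no Create Account on {endpoint} before assigning {group}")
    return problems


if __name__ == "__main__":
    sfdc_users = "CN=SFDC_Users,OU=ActiveGroups,DC=abc,DC=com"
    print(check_rule([("assign", "Salesforce AD-Application", sfdc_users)]))
    print(check_rule([("create_account", "Salesforce AD-Application"),
                      ("assign", "Salesforce AD-Application", sfdc_users)]))
```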
04/12/2022 02:21 PM
Hi Pramod,
Thank you very much for this. It's working.
Just a quick query: while I am updating a user's division from A to B, I want the access related to A to be removed and the access for B to be granted.
I have configured an update rule based on the division change, and I am calling the UpdateAccount task for the AD (primary) as well as the Internet (secondary) endpoint.
Is this fine, or should only the update account task for AD be there?
Also, it's not revoking the old division access, only adding the new division access.
Can you please provide inputs on this?
Thanks in Advance.
Regards,
Sitarasmi