Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Endpoint Filter in AD connector

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 25 2020 at 10:38 UTC

Hi Team,


I am using Saviynt V5.5 & created endpoints for O365 & AD under single Security System. I have configured the same under Endpoint filer also,


I want to import only entitlements related to O365.


Please suggest how to achieve this.


Thanks,

Sitarasmi

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
4 REPLIES 4

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 26 2020 at 15:48 UTC

Which one is primary and secondary endpoint ?


In a security system there is one primary endpoint and others are its child(secondary) endpoints.


e.g.

Here AD Endpoint is Primary endpoint and Salesforce AD-Application and Box AD-Application are child endpoints.

We define specific child endpoint (applications) entitlements as shown below


{

"Salesforce AD-Application":[

{

"memberOf":[

"CN=SFDC_Admin,OU=ActiveGroups,DC=abc,DC=com",

"CN=SFDC_Users,OU=ActiveGroups,DC=abc,DC=com"

]

}

],

"Box AD-Application":[

{

"memberOf":[

"CN=Box_Admin,OU=ActiveGroups,DC=abc,DC=com",

"CN=Box_Users,OU=ActiveGroups,DC=abc,DC=com"

]

}

]

}


Please elaborate your requirement.


This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 26 2020 at 16:08 UTC

Hi Pramod,


AD is primary & O365 is secondary. There are other secondary endpoints like internet/VPN etc. I have created all the respective endpoints inside one Security system for AD.


Now, I am facing issue while assigning users to respective groups for child entitelment.


for eg - I want to assign user to internet group based on the division - configured below technical rule


If Users.Division = 'IT'
Then
Assign InternetDev::memberOf - CN=DEV_BoC Internet - IT Ops


This is the child endpoint group for internet , but user is not getting assigned to this group.


When I try with AD primary endpoint mapping, user gets added to the group.

AD::memberOf - CN=DEV_BoC Internet - IT Ops


Could you please guide how to add user to child entitlement group.


Thanks,

Sitarasmi


This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 30 2020 at 07:32 UTC

Here you need to define "Create Account" action also in your technical rule, so if user doesn't have an account at secondary endpoint then first it will create account (actually it doesnt provision account on target system its just a marker account in SSM to manage the relationship)


Try below sample technical rule


Here Salesforce AD-Application is secondary endpoint.


If Users.Location EQUALS "UST"
Then
Create Account on Salesforce AD-Application
AND Assign Groups::CN=SFDC_Users,OU=ActiveGroups,DC=savpoc,DC=com

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on November 30 2020 at 15:39 UTC

Hi Pramod,


Thank you very much for this. Its working.


Just a quick query - While I am updating user's division from A- B - I want Access related to A be removed & Access for B is granted.


I have configured update rule based on division change & I am calling UpdateAccount task for AD (Primary) as well as internet (Secondary) endpoint.


Is it fine ? or only update account task for AD should be there.


Also, its not revoking the old division access, adding new division access only.


Can you please provide inputs on this.


Thanks in Advance.


Regards,

Sitarasmi


This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.