04/12/2022 12:54 PM
Below is my scenario:
I have a user who has an enterprise role assigned, say Role 1, which contains entitlements A, B & C on Endpoint EP1.
I raised a request for this user through ARS.
It shows me that the user has Enterprise Role Role 1 and allows me to remove it.
But at the same time it also allows me to request entitlements A, B & C without realizing that those entitlements are already given to the user as part of the role.
Is this expected behavior?
04/12/2022 01:49 PM
Yes this is expected behavior.
04/12/2022 01:49 PM
So I clearly disagree with what the product does. If a user already has the entitlement (even indirectly via an Enterprise Role), ARS should NOT let him request it again.
04/12/2022 01:49 PM
Here is one way you can address the issues.
If you have defined enterprise roles to have a role at an endpoint level, then you can go with creating an application role.
Application roles are similar to Enterprise roles, the only difference being that they are specific to an endpoint and are requestable through the Request Access feature and not through 'Request Enterprise Roles'.
This would help as the user will only be able to add or remove a role and not the particular entitlements.
You can find details on how to create Application Roles here: https://saviynt.freshdesk.com/a/solutions/articles/43000431785
Thanks
04/12/2022 01:49 PM
Hi Waman - In addition to the clarification that my colleague gave: if the system is showing that the user has access to Role 1, which contains entitlements A, B & C, and the request is completed and the tasks are also provisioned, then the system will NOT allow the user to request entitlements A, B & C again.
In cases where the entitlement was provisioned but, let's say, someone explicitly removed it via a request, rule or certification, or for that matter any other out-of-band changes where the system realizes that the user does not have access to all or any one of those entitlements, only then will it allow the users to re-request it.
Also, from a best practices standpoint, all the entitlements covered via a role should not be requestable.