
Entitlements in Role are not checked while raising request

Community_User
Saviynt Employee
Originally posted on January 23 2020 at 15:28 UTC

Below is my scenario:

I have a user who has an enterprise role assigned, say Role 1, which contains entitlements A, B & C on Endpoint EP1.

I raised a request for this user through ARS.

It shows me that the user has Enterprise Role Role 1 and allows me to remove it.

But at the same time it also allows me to request entitlements A, B & C without realizing that those entitlements are already given to the user as part of the role.

Is this expected behavior?

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on February 12 2020 at 05:53 UTC

Yes this is expected behavior.


Community_User
Saviynt Employee
Originally posted on February 12 2020 at 13:02 UTC

So I clearly disagree with what the product does. If a user already has the entitlement (even indirectly via an Enterprise Role), ARS should NOT let him request it again.


Community_User
Saviynt Employee
Originally posted on February 18 2020 at 07:31 UTC

Here is one way you can address the issues.


If you have defined enterprise roles to have a role at an endpoint level, then you can go with creating an application role.


Application roles are similar to Enterprise roles, the only difference being that they are specific to an endpoint and are requestable through the Request Access feature and not through 'Request Enterprise Roles'.


This would help as the user will only be able to add or remove a role and not the particular entitlements.


You can find details on how to create Application Roles here: https://saviynt.freshdesk.com/a/solutions/articles/43000431785


Thanks


Community_User
Saviynt Employee
Originally posted on February 20 2020 at 14:28 UTC

Hi Waman - In addition to the clarification that my colleague gave: if the system is showing that the user has access to Role 1, which contains entitlements A, B & C, and the request is completed and the tasks are also provisioned, then the system will NOT allow the user to request entitlements A, B & C again.


In cases where the entitlement was provisioned but, let's say, someone explicitly removed it via a request, rule or certification, or for that matter any other out-of-band changes where the system realizes that the user does not have access to all or any one of those entitlements, only then will it allow the users to re-request it.


Also, from a best practices standpoint, all the entitlements covered via a role should not be requestable.
