04/12/2022 12:55 PM
Hi,
We have a requirement for O365 dynamic group license assignment, for which we are adding the users to an on-premise AD group which would then be synced to Azure AD for dynamic license assignment. This process would be part of birthright access. We would have 2 different groups, one for the E3 license and another for E1.
Below use cases where we need help,
04/12/2022 01:53 PM
Fully automated is difficult. You could add a control that is checked periodically. This is the typical solution unless it can be automated in the endpoint itself. Some endpoints self-count how many are logged with said license.
04/12/2022 01:53 PM
Hi Chandan,
Greetings!!
We do not have any out of box/configurable feature to count members of an active directory group (security/distribution) and validate logic on them accordingly during Add Access/Remove Access.
Probable workarounds (optional thoughts; please ignore this if you have a better option here):
1) You could have a PowerShell script to count the members in AD for each group and have it stored in some attribute of the group.
2) You could import that count in SSM and logically validate your conditions, to show/hide the groups to be requested from ARS.
Thanks & Regards,
Anand Kumar Jha
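The workaround suggested in the reply above (count each group's members in AD and store the count on the group), as an added PowerShell example that is not part of the original thread or Saviynt's own code. The group names and the choice of `adminDescription` as the spare attribute are assumptions; `Get-ADGroup` and `Set-ADGroup` come from the ActiveDirectory module.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumptions (not from the thread): the group names below and
# the attribute used to hold the count. Pick an attribute your import can read.
param(
    [string[]]$GroupNames     = @('O365-E3-License', 'O365-E1-License'),  # hypothetical names
    [string]  $CountAttribute = 'adminDescription'                         # assumed spare attribute
)

foreach ($name in $GroupNames) {
    try {
        # Read the group together with its direct members and the stored count.
        $group = Get-ADGroup -Identity $name `
                             -Properties member, $CountAttribute `
                             -ErrorAction Stop
    }
    catch {
        Write-Warning "Group '$name' could not be read: $($_.Exception.Message)"
        continue
    }

    # 'member' holds direct members only: nested group members and users whose
    # primary group is this group are not included in the count.
    $count    = @($group.member).Count
    $previous = [string]$group.$CountAttribute

    # Write only when the value changed, so each run produces no needless
    # directory writes and replication traffic.
    if ($previous -ne [string]$count) {
        Set-ADGroup -Identity $group.DistinguishedName `
                    -Replace @{ $CountAttribute = [string]$count } `
                    -ErrorAction Stop
    }

    # Emit one record per group so a scheduled run leaves an auditable trail.
    [pscustomobject]@{
        Group         = $group.Name
        MemberCount   = $count
        PreviousValue = $previous
        Updated       = ($previous -ne [string]$count)
    }
}
```

Run it under a service account delegated write access to that one attribute on those groups only; the count is only as fresh as the last scheduled run, so the limit can be briefly exceeded between runs.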
04/12/2022 01:53 PM
Thanks David and Anand.
Let me try out your suggestions. Will come back with updates.
Rg,
Chandan
04/12/2022 01:53 PM
Hi Anand,
Let's assume that we have got the count, stored it in one attribute and imported it into SSM.
Now how do we apply a condition to check the count in SSM? Any steps?
04/12/2022 01:53 PM
We have 2 use cases where this needs to be addressed.
04/12/2022 01:53 PM
Hey Chandra,
I have added your queries regarding ModifyuserdataJSON in below thread:
https://saviynt.freshdesk.com/a/forums/topics/43000524015
Please follow the same for further updates
04/12/2022 01:53 PM
Hi Chandra,
Regarding your last question, i.e.
Let's assume that we have got the count, stored it in one attribute and imported it into SSM.
Now how do we apply a condition to check the count in SSM? Any steps?
This could be handled from ARS based on a configuration at EntitlementType level. That is,
Config for Requestable Entitlement in ARS
If you store count of members in your entitlement_values table then you could restrict the request via ARS once count is greater than a defined threshold value.
Coming to controlling this via BirthRight Roles, that is not possible at present.
Thanks & Regards,
Anand Kumar Jha
04/12/2022 01:53 PM
Thanks Anand.
Where can I find Config for Requestable Entitlement in ARS?
Also any reference how to use it.
04/12/2022 01:53 PM
Hey Chandan,
You could find this Config at entitlementType Page.
Select your Endpoint > Go to Entitlement Type Tab > On EntitlementType Page (Select View detail symbol in front of your entitlement type) > Config for Requestable Entitlement in ARS
You could also refer to the entitlement type section details in the Admin module Guide.
Thanks & Regards,
Anand Kumar Jha
04/12/2022 01:53 PM
Thank you Anand. Appreciate your help.
Will refer the same and let you know in case of any additional help required.
04/12/2022 01:53 PM
Hi Anand,
Using above Config for Requestable Entitlement in ARS I was not able to come up with a logic.
The requirement is, in AD we have more than 1 Security Groups and among these there are few of them which should be displayed under ARS if and only if their member count is less than certain digit. For rest of the Groups there is no such logic and they should be displayed as is.
For Eg, Group_1 should be displayed under ARS only if its member count is less than 10. The moment the count touches 10 then it should not be available for any ARS request.
Please let me know any way to achieve this in Saviynt.