
Using Active Directory Groups to grant Access in other Endpoints

Community_User
Saviynt Employee
Originally posted on May 1 2020 at 19:56 UTC

Is it possible to use an entitlement from one source as the trigger for granting access in another source?


Example:


The user is a member of group "Example" in Active Directory. The user then needs to be made a member of group "Example" in ServiceNow.


Is something like this possible? Is it possible to have this access in the second system removed if the user is no longer in the AD group as well?


Any advice on how to set something like this up?

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on May 5 2020 at 10:35 UTC

Hi Adam,


Greetings!!


This is a pretty generic use case of endpoint_filter in the AD connector.

Endpoint_filter will enable you to create an endpoint based on a filtered set of groups and link associated members as an account in that endpoint.

For example:

Let's say I have a security system, endpoint and connection to manage AD users and groups.

But there is a single group or a set of groups which drives access to my application (let's say ServiceNow).

In this case, you could define those groups in an endpoint filter and drive creation of a separate endpoint for your additional application.

In this newly created endpoint, access is completely dependent on access in that group(s). Once access is removed, you will be marked as an inactive/Suspended Account.

For more details, please refer to the Active Directory documentation on Freshdesk.


Thanks and Regards,

Anand Kumar Jha

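A small model of the behaviour described in the reply above, as an added example that is not part of the original post and is not Saviynt code: a derived endpoint is rebuilt from the members of the filtered AD groups, and an account is suspended once it is in none of them. The group DNs, user names, `FILTER_GROUPS`, `Account` and `reconcile` are constructed for illustration and do not reflect the connector's actual configuration syntax.

```python
from dataclasses import dataclass, field

# Constructed sample data: AD group DN -> current members.
AD_GROUPS = {
    "CN=Example,OU=Groups,DC=corp,DC=example": {"adam", "bea"},
    "CN=Example-Admins,OU=Groups,DC=corp,DC=example": {"bea"},
    "CN=Unrelated,OU=Groups,DC=corp,DC=example": {"carl"},
}
# Hypothetical filter: the groups that drive the derived "ServiceNow" endpoint.
FILTER_GROUPS = [
    "CN=Example,OU=Groups,DC=corp,DC=example",
    "CN=Example-Admins,OU=Groups,DC=corp,DC=example",
]

@dataclass
class Account:
    name: str
    status: str = "Active"
    groups: set = field(default_factory=set)

def reconcile(ad_groups, filter_groups, accounts):
    """One import pass over the derived endpoint.

    accounts maps user name -> Account from the previous pass and is updated
    in place. Returns the list of (user, change) made by this pass.
    """
    # Membership as seen through the filter only; other groups are ignored.
    current = {}
    for dn in filter_groups:
        for user in ad_groups.get(dn, ()):
            current.setdefault(user, set()).add(dn)
    changes = []
    for user, groups in sorted(current.items()):
        acct = accounts.get(user)
        if acct is None:
            accounts[user] = Account(user, "Active", set(groups))
            changes.append((user, "created"))
            continue
        if acct.status != "Active":
            acct.status = "Active"
            changes.append((user, "reactivated"))
        elif acct.groups != groups:
            changes.append((user, "access updated"))
        acct.groups = set(groups)
    # No filtered group left: keep the account record, but suspend it.
    for user, acct in sorted(accounts.items()):
        if user not in current and acct.status == "Active":
            acct.status, acct.groups = "Suspended", set()
            changes.append((user, "suspended"))
    return changes
```

Because the account is suspended rather than deleted, the record of who held access through the group remains available for review after the AD membership is gone.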

Community_User
Saviynt Employee
Originally posted on May 8 2020 at 12:48 UTC

This isn't really what I was asking about. This seems to be for allowing users filtered from AD to be able to access an endpoint, not be granted specific access in the endpoint.


Community_User
Saviynt Employee
Originally posted on May 8 2020 at 13:05 UTC

Hi Adam,


Greetings!!


You could modify the access in that endpoint as well. In case you have multiple groups inside that endpoint, you can add and remove access as per requirement. In the case of a single group, you could request group removal.


For the first-time existence of that endpoint, you will have to run an Access import and make it available in SSM. Post that, you could follow Create/Update/Add and remove Access operations on your desired accounts.


Thanks & Regards,

Anand Kumar Jha

