Saviynt Employee

Short Description

Best practice to configure custom SAV Roles

Applicable version

EIC versions (2021.x and above)

Detail best practice

Out of box SAV Roles

  • Make use of out-of-box SAV roles wherever applicable instead of creating custom SAV roles.
  • The ROLE_ADMIN should be assigned to a very limited number of users and should not be used by users for their day-to-day application support tasks.
    • The ROLE_ADMIN has special access which overrides any other access designed in other SAV roles. For example, ROLE_ADMIN will have access to edit any connection irrespective of the SAV role configured at connector level.
  • The ROLE_ADMIN should never be assigned to non-person users (for example, a service account used to call Saviynt APIs).
  • Leverage out-of-the-box SAV roles as per the end user's function/role.

Custom SAV Roles

  • Custom SAV roles must be created with least privilege, both in terms of access on the home page and access to Saviynt features.
  • "Read Only" marks the SAV role as special access, where users assigned to this role get read-only access to all Saviynt modules except ARS. The read-only SAV role overrides access assigned to the user via any other SAV role.
  • Design your SAV roles in an access-incremental manner so that multiple SAV roles do not have common/redundant access.
  • When creating a user, at minimum the end user SAV role (least privilege) needs to be assigned for the user to access the Saviynt application. Without any SAV role, the user cannot access Saviynt.
  • The API service account SAV role should not have any access to log in interactively to the Saviynt application; it should be limited to web services only.
  • After making any changes to a SAV role, always click the "Refresh Access Changes" button to flush the old access cache so that the new changes take effect.
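
The rules in the two lists above can be checked periodically against an export of SAV role assignments. The following is an added example, not Saviynt code: the data layout, the field names (`person`, `interactive_login`, `features`), the `CUSTOM_*` role names, the feature strings and the `max_admins` threshold are all assumptions made for illustration; only ROLE_ADMIN comes from this page.

```python
from itertools import combinations

# Constructed sample data; layout and field names are assumptions for this
# example, not a Saviynt export format.
ROLES = {
    "ROLE_ADMIN": {"features": {"*"}, "interactive_login": True},
    "CUSTOM_APP_SUPPORT": {"features": {"connections.view", "jobs.run"}, "interactive_login": True},
    "CUSTOM_APP_OWNER": {"features": {"connections.view", "endpoints.edit"}, "interactive_login": True},
    "CUSTOM_API_SVC": {"features": {"webservices"}, "interactive_login": True},
}
USERS = [
    {"name": "alice", "person": True, "sav_roles": ["ROLE_ADMIN"]},
    {"name": "bob", "person": True, "sav_roles": ["CUSTOM_APP_SUPPORT", "CUSTOM_APP_OWNER"]},
    {"name": "svc_api", "person": False, "sav_roles": ["ROLE_ADMIN", "CUSTOM_API_SVC"]},
    {"name": "carol", "person": True, "sav_roles": []},
]

def audit(users, roles, max_admins=1):
    """Return (code, detail) findings for violations of the practices above."""
    findings = []
    # ROLE_ADMIN should be held by very few users (threshold is an assumption).
    admins = sorted(u["name"] for u in users if "ROLE_ADMIN" in u["sav_roles"])
    if len(admins) > max_admins:
        findings.append(("ADMIN_COUNT", ",".join(admins)))
    for u in users:
        # A user without any SAV role cannot access the application.
        if not u["sav_roles"]:
            findings.append(("NO_SAV_ROLE", u["name"]))
        if not u["person"]:
            # ROLE_ADMIN must never be assigned to non-person users.
            if "ROLE_ADMIN" in u["sav_roles"]:
                findings.append(("ADMIN_ON_SERVICE_ACCOUNT", u["name"]))
            # Service account roles should be limited to web services.
            for r in u["sav_roles"]:
                if r != "ROLE_ADMIN" and roles[r]["interactive_login"]:
                    findings.append(("SERVICE_ROLE_INTERACTIVE", f"{u['name']}:{r}"))
    # Custom roles should be incremental: no feature granted by two of them.
    custom = sorted(r for r in roles if r != "ROLE_ADMIN")
    for a, b in combinations(custom, 2):
        shared = roles[a]["features"] & roles[b]["features"]
        if shared:
            findings.append(("REDUNDANT_ACCESS", f"{a}+{b}:{','.join(sorted(shared))}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(USERS, ROLES):
        print(f"{code:26} {detail}")
```
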

Key Benefit (Quantitative/qualitative)

SAV roles are meant to provide better governance of Saviynt application objects, so all SAV roles should be designed with least privilege.

Reference documentation (doc portal link)


Version history
Last update:
‎06/21/2023 11:47 AM
Updated by: