Access Request - How to Assign Roles to Users Across Multiple Organizations

adriencosson
Regular Contributor III

We need to implement a target application to manage user access with the model below:

  • User : The identity's target application account
  • Role : The user's fine grained access (entitlement type : Role)
  • Organization : The scope to be applied for each User / Role association. (entitlement type : Organization)

Supposing I have 10 roles (named respectively ROLE#X with 1<X<10) and 5 organizations (named respectively ORG#Y with 1<Y<5) existing in the application, I would like to let end users request access to these roles and assign them to the appropriate Organisation.

A common example would be: User A has access to:

  1. Role#1 in ORG#1, ORG#2
  2. Role#2 in ORG#2, ORG#3 

How could I achieve this in Saviynt, using dynamic attributes and entitlement types, supposing that the solution of duplicating all roles per organization is excluded?

Regards,
Adrien COSSON

timchengappa
Saviynt Employee

Hi @adriencosson 

Considering 'Role' & 'Organization' are going to be entitlement types in Saviynt, and considering you want to add both 'Role' & 'Organization' to a user, you can try the 2 options below.

Option-1: Application Roles
Create application roles in Saviynt and within these application roles, you can add the required entitlements of type 'Role' & 'Organization' in it.

E.g.
Application Role 'ABC'
Entitlements in role 'ABC': Role#1, ORG#1, ORG#2

The end user will be requesting for application role 'ABC' and upon request approval, tasks will be created for Role#1, ORG#1 & ORG#2

Option-2: Entitlementmap(Create Dependent Tasks)
In this approach, you will make Role#1 as the parent entitlement and ORG#1, and ORG#2 as the child entitlements for Role#1.

The end user will be requesting for entitlement 'Role#1' and upon request approval, a task will be created for parent entitlement Role#1 along with dependent tasks for ORG#1 and ORG#2

(Two screenshots of the Option-1 and Option-2 configuration were attached to the original post.)

Thank you

adriencosson
Regular Contributor III

Hello @timchengappa,

Thanks for your feedback and I understand the provided elements.

However, this does not seem to answer the requirement of assigning the same entitlement multiple times to multiple organizations, and vice versa.

Would you be able to help guide me to achieve this requirement?

Regards,
Adrien COSSON

timchengappa
Saviynt Employee

Hi @adriencosson 

Not sure I fully understand the req. If the user already has access to an entitlement, can you help me understand the need to assign the same entitlement to the user again in the target system?

Also, assuming you are going with Option-1: Application Roles from my response earlier, if the newly requested role has entitlement that is already assigned to the beneficiary's account, Saviynt will simply close the respective 'task' stating the access is already assigned to the user's account and no further actions are required. Saviynt will not try to add this entitlement to the account in the target system.

The same applies to Option-2: Entitlementmap(Create Dependent Tasks) as well when the tasks are created for dependent entitlements and the dependent entitlements are already assigned to the user's account. 

adriencosson
Regular Contributor III

Hi @timchengappa,

The target application has been designed in such a way that you can assign the same "Role" to a user to multiple "Organization" objects, because he can have certain responsibilities on Organization 1 and other responsibilities on Organization 2.

I attached a sample Postman call below. The API will associate the Role "Data Manager" to the user inside the Organization "Factory".

Besides, you possibly can have the same role attached to "Factory 2", and have a second Role "Coordinator" on Factory 2 as well.

(Screenshot of the Postman call attached to the original post.)

As per the screenshot provided: RoleId is the entitlement value of a Role, and OrganizationId would be the Organization entitlement value on which the Role is given to the user.

Hope this clarifies the requirement.

Thanks for your help.

Regards,
Adrien COSSON

nimitdave
Saviynt Employee

@adriencosson, please can you share how data is stored on the target app side as well, to see the options.

As of now, the only feasible option at the Saviynt end is to have a flattened entitlement, OrgName-RoleName, to be used in recon and the provisioning call.

adriencosson
Regular Contributor III

Hi @nimitdave,

Data is stored as follows on the target application: they have 3 tables:

  • User
  • Role
  • Organisation

When assigning a role to a user within a specific organisation, it creates an entry in a UserRole table which contains the Role, User and Organization assigned, with a dedicated internal identifier.

Therefore, it is an N-to-N relationship.

Please let me know if you need any additional information.

Regards,
Adrien COSSON
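To make the two technical points of this thread concrete (the target's User / Role / Organisation tables joined by a UserRole table, and the flattened OrgName-RoleName entitlement that nimitdave suggests for recon and provisioning), here is an added example written for this page. It is not code from Saviynt or from the original posters. The schema, column names (UserId, RoleId, OrganizationId), the separator character, the sample rows and the payload keys are all assumptions modelled on what the thread describes; the only real dependency is Python's built-in sqlite3.

```python
from __future__ import annotations

import sqlite3

# Assumed separator for the flattened "OrgName-RoleName" entitlement value.
# Any character that is guaranteed never to appear in either name will do.
SEPARATOR = "-"

# Constructed schema: three object tables plus the UserRole join table that the
# thread describes (one row per User/Role/Organization association, with its
# own internal identifier). Column names are assumptions.
SCHEMA = """
CREATE TABLE User (UserId INTEGER PRIMARY KEY, UserName TEXT UNIQUE NOT NULL);
CREATE TABLE Role (RoleId INTEGER PRIMARY KEY, RoleName TEXT UNIQUE NOT NULL);
CREATE TABLE Organisation (OrganizationId INTEGER PRIMARY KEY, OrgName TEXT UNIQUE NOT NULL);
CREATE TABLE UserRole (
    UserRoleId     INTEGER PRIMARY KEY,
    UserId         INTEGER NOT NULL REFERENCES User(UserId),
    RoleId         INTEGER NOT NULL REFERENCES Role(RoleId),
    OrganizationId INTEGER NOT NULL REFERENCES Organisation(OrganizationId),
    UNIQUE (UserId, RoleId, OrganizationId)
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory copy of the target app with constructed sample data
    matching the example in the question: Role#1 in ORG#1/ORG#2, Role#2 in ORG#2/ORG#3."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO User VALUES (?, ?)", [(1, "userA")])
    conn.executemany("INSERT INTO Role VALUES (?, ?)", [(1, "ROLE#1"), (2, "ROLE#2")])
    conn.executemany("INSERT INTO Organisation VALUES (?, ?)",
                     [(1, "ORG#1"), (2, "ORG#2"), (3, "ORG#3")])
    conn.executemany("INSERT INTO UserRole (UserId, RoleId, OrganizationId) VALUES (?, ?, ?)",
                     [(1, 1, 1), (1, 1, 2), (1, 2, 2), (1, 2, 3)])
    conn.commit()
    return conn


def flatten(org_name: str, role_name: str) -> str:
    """Build the flattened entitlement value. Refuses names containing the
    separator, because the value could not be split back unambiguously."""
    for name in (org_name, role_name):
        if SEPARATOR in name:
            raise ValueError(f"{name!r} contains the separator {SEPARATOR!r}")
    return f"{org_name}{SEPARATOR}{role_name}"


def split_flattened(value: str) -> tuple[str, str]:
    """Inverse of flatten(): recover (OrgName, RoleName) from a flattened value."""
    org_name, sep, role_name = value.partition(SEPARATOR)
    if not sep or not org_name or not role_name:
        raise ValueError(f"{value!r} is not a valid OrgName{SEPARATOR}RoleName value")
    return org_name, role_name


def entitlement_catalog(conn: sqlite3.Connection) -> list[str]:
    """Every Organisation x Role combination: the list of flattened entitlement
    values a recon job would import so that they become requestable."""
    rows = conn.execute("SELECT o.OrgName, r.RoleName FROM Organisation o CROSS JOIN Role r")
    return sorted(flatten(org, role) for org, role in rows)


def recon_entitlements(conn: sqlite3.Connection) -> dict[str, list[str]]:
    """Reconciliation view: each user's current UserRole rows as flattened values."""
    rows = conn.execute("""
        SELECT u.UserName, o.OrgName, r.RoleName
        FROM UserRole ur
        JOIN User u ON u.UserId = ur.UserId
        JOIN Role r ON r.RoleId = ur.RoleId
        JOIN Organisation o ON o.OrganizationId = ur.OrganizationId
    """)
    result: dict[str, list[str]] = {}
    for user, org, role in rows:
        result.setdefault(user, []).append(flatten(org, role))
    return {user: sorted(values) for user, values in result.items()}


def provisioning_payload(conn: sqlite3.Connection, flattened: str) -> dict[str, int]:
    """Translate a granted flattened entitlement back into the RoleId and
    OrganizationId the target's assignment API expects (key names assumed)."""
    org_name, role_name = split_flattened(flattened)
    row = conn.execute(
        "SELECT o.OrganizationId, r.RoleId FROM Organisation o, Role r "
        "WHERE o.OrgName = ? AND r.RoleName = ?", (org_name, role_name)).fetchone()
    if row is None:
        raise LookupError(f"unknown organisation or role in {flattened!r}")
    return {"OrganizationId": row[0], "RoleId": row[1]}


if __name__ == "__main__":
    db = build_sample_db()
    print("catalog:", entitlement_catalog(db))
    print("recon:", recon_entitlements(db))
    print("provision ORG#3-ROLE#2 ->", provisioning_payload(db, "ORG#3-ROLE#2"))
```

The catalog grows as Organisations x Roles (the thread's 10 roles and 5 organizations would give 50 entitlement values), which is the trade-off of the flattened approach: the target's N-to-N join is represented as one entitlement per pair rather than as two independent entitlement types. The separator check in flatten() matters because a flattened value is the only thing the provisioning side gets back; if a name could contain the separator, two different pairs could collide.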