We have a use case to provide access to all active users in the Environment (~2 lakh users) to raise requests for the service Accounts present in an endpoint.
Since we can't add all users as owners to the Service account, we have created a user group and made it the owner for all the accounts in the Endpoint. This user group is configured as Birth Right access for all users in Saviynt to add users automatically to the user group.
Kindly let us know if we can proceed with this approach for providing access to all users for requesting access to the Service accounts, or whether we need to follow any other approach for achieving our use case.
Thanks & Regards,
Please try using birth right access for all users by creating a technical rule; as and when any users are uploaded or imported into the system, they will get the required access.
By this you will skip the step of adding users to the user group.
And if you want users to raise a request, create a custom SAV_ROLE by which users can raise a request for the specified endpoint and assign this SAV_ROLE to all the users by default.
Okay, so we just wanted to be sure that adding 2 lakh users to a user group and making it a birth right process via Technical rule won't create a performance issue, right?
This user group won't be part of any workflow or Report. So will we have any performance impact by using this method?
I would still ask you to try using birth right access for all users by creating a technical rule; as and when any users are uploaded or imported into the system, they will get the required access, rather than using a user group.
If you still want to use a user group, please test in lower with a minimal set of users in the group initially and increase it based on your requirement for performance testing.
Sorry, I think you understood it wrongly.
Access is being provisioned to a Service Account which is present in Azure AD.
Service Account: Saviynt-SPN
Entitlement: ABC, ABD
The user will raise a request in Saviynt to get ABC access to the Saviynt-SPN in Azure AD.
So to raise this request, the user should access the "Manage Service Account" tile in Saviynt, and the user must be the owner of the service account.
Here we should make all active users owners of the Service Account 'Saviynt-SPN' to be able to raise the access request for entitlements like 'ABC' or 'ABD' etc.
Since we can't make all the users Owners of the Service Account, we are trying to utilize the user group. So the user group will be the owner of the Service Account 'Saviynt-SPN', and users who are part of that user group can raise the request for entitlements like 'ABC' & 'ABD'.
So here we wanted to understand: can we keep the active users (~2 lakh) in a user group and provide the request access? If yes, then will it create a performance issue? If no, then how can we achieve this use case?