05/26/2023 02:53 AM
Hi Team,
We have a use case to provide access to all active users in the environment (~2 lakh users) to raise requests for the service accounts present in an endpoint.
Since we can't add all users as owners to the service account, we have created a user group and made it the owner for all the accounts in the endpoint. This user group is configured as birthright access for all users in Saviynt to add users automatically to the user group.
Kindly let us know if we can proceed with this approach for providing access to all users for requesting access to the service accounts, or do we need to follow any other approach for achieving our use case.
Thanks & Regards,
Mohit
05/26/2023 03:05 AM
Please try using birthright access for all users by creating a technical rule; as and when any users are uploaded or imported into the system, they will get the required access.
By this you will skip the step of adding users to the user group.
And if you want users to raise requests, create a custom SAV_ROLE by which users can raise requests for the specified endpoint and assign this SAV_ROLE to all the users by default.
05/26/2023 03:08 AM
Hi Rakesh,
By creating a custom SAV_ROLE, will users be able to request the service accounts via the 'Manage Service Account' tile with them being the owner for those accounts?
05/26/2023 03:11 AM
You need to provide access to the specific tile.
05/26/2023 04:08 AM
Hi Rakesh,
Okay, so we just wanted to be sure that adding 2 lakh users to a user group and making it a birthright process via a technical rule won't create a performance issue, right?
This user group won't be part of any workflow or report. So will we have any performance impact by using this method?
05/26/2023 04:32 AM
I would still ask you to try using birthright access for all users by creating a technical rule; as and when any users are uploaded or imported into the system, they will get the required access, rather than using a user group.
If you still want to use a user group, please test in lower with a minimal set of users in the group initially and increase it based on your requirement for performance testing.
05/26/2023 04:40 AM
Hi Rakesh,
Sorry, I think you understood it wrongly.
Access is being provisioned to a service account which is present in Azure AD.
Let's say:
Service Account: Saviynt-SPN
Entitlement: ABC, ABD
The user will raise a request in Saviynt to get ABC access to the Saviynt-SPN in Azure AD.
So to raise this request, the user should access the "Manage Service Account" tile in Saviynt, and the user must be the owner of the service account.
Here we should make all active users owners of the service account 'Saviynt-SPN' to be able to raise the access request for entitlements like 'ABC' or 'ABD' etc.
Since we can't make all the users owners of the service account, we are trying to utilize the user group. So the user group will be the owner of the service account 'Saviynt-SPN', and users who are part of that user group can raise the request for entitlements like 'ABC' & 'ABD'.
So here we wanted to understand: can we keep the active users (~2 lakh) in a user group and provide the request access? If yes, then will it create a performance issue? If no, then how can we achieve this use case?
05/31/2023 01:34 AM
Hi Team,
Any suggestions on the use case?
Thanks & Regards,
Mohit Srinath Sanka