05/21/2024 09:34 AM
Hi Team,
I have a scenario where we need to provision two types of admin accounts, admin_1 and admin_2, in Saviynt for Active Directory (AD).
Admin_1 will be a default account for every IT user as birthright, while admin_2 will be provisioned through ARS after three levels of approval.
How can Saviynt determine, during the accountname creation process in the endpoint under the account name rule, that a user is coming from ARS and requires an admin_2 account?
05/21/2024 09:44 AM
05/21/2024 10:52 AM
Only admin_2 will be visible in ARS, and admin_1 will be assigned by default as a birthright to every user who belongs to IT.
05/21/2024 09:50 AM
Hi @asharma, IT will only have the admin1 account and they can't have admin2; you can create an account name rule on the basis of a user property.
If user.title(IT) then admin1 else admin2
05/21/2024 10:54 AM
IT will have admin_1 and they can also request admin_2; however, if there is no admin_1, then the user can request admin_2.
The question is how Saviynt will know if they need to generate the account name for admin_2 or admin_1, as both will be generated by the same endpoint.
05/21/2024 10:28 AM - edited 05/21/2024 10:28 AM
@asharma: On what basis will you determine that a user needs a second admin account? Is there any differentiation, like Business Unit, Title or entitlement? Because based on your requirement you will disable the setting "Disable New Account Request if Account Already Exists". If so, anyone can go for a new account request even if an account already exists, right? How are you planning to control that?
05/21/2024 10:55 AM
There is no such differentiation. The user will request admin_2, that will go through 3 levels of approval, and once it is approved, the admin_2 account will get created and associated with that user.
05/22/2024 03:20 PM
The account name rule is applicable to the first account only.
05/22/2024 04:59 AM
Does anyone know how to get the source of the request in the account name rule? Then we could probably differentiate in the account name rule. This would be the best solution.
The other way to determine it would be by applying the birthright rule filter in the account name rule. If the birthright condition matches, generate admin1; otherwise generate admin2. On the endpoint you will need to allow the end user to request more than 1 account.
05/22/2024 11:24 AM
Use case: the user will request an admin AD account. In that same admin AD endpoint we want to generate 2 types of admin account, admin1 and admin2. Now, how can we design it so that we can check in ARS that the user has requested admin2, and how will the endpoint create the account name using the account name rule for that admin2 type account?
05/22/2024 03:19 PM
Account name can be applied only to first account.