Saviynt Forums

asharma · ‎05/21/2024

Hi Team,

I have a scenario where we need to provision two types of admin accounts, admin_1 and admin_2, in Saviynt for Active Directory (AD).

Admin_1 will be a default account for every IT user as birthright, while admin_2 will be provisioned through ARS after three levels of approval.

How can Saviynt determine, during the accountname creation process in the endpoint under the account name rule, that a user is coming from ARS and requires an admin_2 account?

rushikeshvartak · ‎05/21/2024

Both accounts will be visible on ARS request form.
Admin 2 will be created from saviynt ?

Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

asharma · ‎05/21/2024

Only admin_2 will be visible in ARS and admin_1 will be assign by efault as a birthright to every user who'll belongs to IT.

NM · ‎05/21/2024

Hi @asharma , IT will only be having admin1 account and they can't have admin2, you can create account name rule on the basis of user property

If user.title(IT) then admin1 else admin2

asharma · ‎05/21/2024

It will be having admin_1 and they can also request admin_2 however if there is no admin_1 then user can request admin_2.

Question is how saviynt will know if they need to generate accountname for admin_2 or admin_1 as both will be generated by same endpoint.

Saathvik · ‎05/21/2024

@asharma : On what basis you will determine user needs second admin account? Any differentiation like Business Unit, Title or entitlement? Because based on your requirement you will disable this setting Disable New Account Request if Account Already Exists. If so anyone when go for new account request if account already exists right? How you are planning to control that?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

asharma · ‎05/21/2024

There is no as such differentiation. It is like user will request for admin_2 and that will go for 3 level of approvals and once it is approved then that admin_2 account will get created and associate to that user.

rushikeshvartak · ‎05/22/2024

Account name rule applicable to first account only

Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

RanjithSaiM · ‎05/22/2024

Does anyone know how to get the source of the request in account name rule, probably then we can differentiate the accountname rule. This would be the best solution.

The other way to determine would be by applying the birthright rule filter in the accountname rule. If the birthright condition matches generate admin1 else generate admin2. On the endpoint you will need to allow end user to request for more than 1 account.

asharma · ‎05/22/2024

Use case - user will request for admin AD account. In that same admin AD endpoint we want to generate 2 type of adminaccount that are admin1 and admin2. Now, how we can design where we can check in ARS that user has requested for admin2 and how endpoint will create the accountname using accountnamerule for that admin2 type account.

rushikeshvartak · ‎05/22/2024

Account name can be applied only to first account.

Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Saviynt Forums

accountnamerule for 2 type of accounts