
AD endpoint filter for accounts

Ankyt19
Regular Contributor

Hi Team,

I need your help in knowing if we can have multiple endpoints for one single connection, where, when we do an import (recon), it should link the user with the respective endpoint based on a certain condition like country.

Example:

Endpoint 1  (India)

Endpoint 2 (America)

Endpoint 3 (China)

If I use the endpoint filter in the AD connection to differentiate the country condition in AD, will it separate the account linking based on that? If yes, kindly share the syntax for the same.

@ashisht @Neeharika @IAM

rushikeshvartak
All-Star

The endpoint filter in the AD connection is used to filter entitlements.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak,

So is there any option to import accounts based on different endpoints and the same connection?

avinashchhetri
Saviynt Employee

Ankyt,

I would suggest you read the AD Connector documentation on Endpoint Filter to get an understanding of it. Document link:

https://saviynt.freshdesk.com/a/solutions/articles/43000615764

Here's another post on this forum which has information on Endpoint Filters :

https://forums.saviynt.com/t5/identity-governance/import-groups-with-different-entitlement-types-but...

 

Hope it helps,

Regards,
Avinash Chhetri

Hi @avinashchhetri,

I have gone through the links; it looks like it is only used for entitlements. Do we have any option where we can differentiate accounts based on multiple endpoints having a single AD connection?

Thanks

Ankit

Ankit,

Could you elaborate on what you mean when you say "Do we have any option where we can differentiate accounts based on multiple endpoints having a single AD connection?"

Differentiate accounts based on what? Account attributes? If yes, then no.

Endpoint Filter only works on AD groups, and there is no other way to segregate multiple endpoints based on some other account-related attributes.

Regards,
Avinash Chhetri

Ankyt19
Regular Contributor

Hi @avinashchhetri,

I mean to say, if I have to link accounts to the user profile based on multiple endpoints, what is the possible option?

Let's say 3 different endpoints and one connection, and I have to link the user profile to the account based on the endpoint. What option can be checked in the connection? Or are there any other possibilities?
What I can think of is 3 different connections with 3 endpoints each.

Since the filter is based on AD attribute and security system to endpoint is a 1:N connection, there are 2 possible solutions:

  • 1:1:1 connection : security system : endpoint
  • 1 AD connection : security system : endpoint (all data, irrespective of filters, will be pulled here)
    • There will be 1 DB connector which will call the Saviynt DB and split into multiple endpoints based on the account's Customproperty (e.g. CP1 = City)

Regards,
Rushikesh Vartak

@rushikeshvartak

Using a "workaround" to have the DB connection create multiple endpoints might work from a reconciliation and perhaps certification standpoint, but I do not see it working from a request perspective.

Regards,
Avinash Chhetri

@avinashchhetri

I don't see any issue for certification:

  1. Reconcile accounts/entitlements from the AD endpoint to the DB endpoint with the required filters in the SQL query.
  2. DB entitlements should use the Entitlement Map concept, where the entitlement map should have the actual AD entitlement (same name).
  3. So whenever certification is executed, it will be run on the DB endpoint and dependent entitlement tasks will be created, i.e. actual access will be revoked in AD.

Note: This approach is already implemented at one of the clients.


Regards,
Rushikesh Vartak

Reconciliation and certification, as stated earlier, might work; the real challenge would be from a request perspective.

If this has been implemented at some customer and is working fine, then great.

Regards,
Avinash Chhetri