Saviynt Forums

Abhay_Yadav · ‎11/13/2023

Hi Team,

We have a requirement to Create 2 SAV Roles.

1st SAV role will be a 'Admin Readonly' role that will allow Read only access to all the modules of saviynt.

2nd Sav role will be used to provide Admins some features using which they can perform day to day activities as per below :

2.1 Admin should be able to edit the Jobs.

2.2 Admin should be able to run and edit reports from Analytics and export reports from different modules like certification summary, ruleset and SOD violation exports etc.

2.3 Admin should be able to approve all requests in Saviynt.

2.4 Admin should be able to Mitigate, Remididate or take action on All SOD violations in Saviynt.

2.5 Admin should be able to view roles, users and connections, endpoint, security system, certifications etc. But should not be able to edit anything.

Can you please help us in achieving this. Because as soon as readonly role is assigned to the user they are not able to do anything even if those features are not part of the read only role.

Regards,

Abhay Yadav

Dhruv_S · ‎11/14/2023

Hi @Abhay_Yadav

For 1st SAV Role, you can copy an SAV_ROLE_ADMIN and select Read only from the SAV role details. Please let us know if you are facing any issues with this role.

For the 2nd SAV Role, you can create a new Custom SAV Role and add the Features you need. Please don't select Read-only here since you want admin features for some modules.

2.1 Admin should be able to edit the Jobs.

Feature access required: Admin:Job_Control_Panel

2.2 Admin should be able to run and edit reports from Analytics and export reports from different modules like certification summary, ruleset and SOD violation exports etc.
Feature access required: Admin:
Analytics_History_Details
Analytics_History_Details_V1
Runtime_Analytics_History_Details
Runtime_Analytics_V1_History_Details
Show_Analytics_Run_History

2.3 Admin should be able to approve all requests in Saviynt.
Feature access required: Pending_Approvals, home.pendingActions

2.4 Admin should be able to Mitigate, Remididate or take action on All SOD violations in Saviynt.
Feature access required: SOD_Workbench, SOD_Dashboard

2.5 Admin should be able to view roles, users and connections, endpoint, security system, certifications etc. But should not be able to edit anything.

Feature access required:

View_Existing_Access (READ ONLY)

(ADMIN LEVEL)
Admin:Security_Systems
Admin:Connections
Admin:Endpoint_Management
Admin:Roles
Admin:Users
Admin:Security_Systems

Some other feature access required: Home, Admin:Landing_Page

Regards,
Dhruv Sharma

Abhay_Yadav · ‎11/15/2023

Hi @Dhruv_S ,

The issue is on 23.7 version as soon as we are assigning user a Readonly role no other role is able to provide the user edit access. This is happening even if user have readonly role with home feature only.

Dhruv_S · ‎11/15/2023

Hi @Abhay_Yadav

This is expected behavior only and it works the same way in latest version as well.

It makes no sense to provide 1st SAV role and 2nd SAV role to same user at same time since 1st SAV Role is complete read-only role and 2nd Role has edit access.

if you want to provide complete Read-only access to the user, you need to provide Read only SAV role (1st SAV Role here).

If you want to provide edit access to few modules and read only access to few other modules, then you need to provide the 2nd SAV role only which has limited feature access, but this Role cannot be Read only. I have mentioned the same in the in the previous response as well.

Regards,

Dhruv Sharma

Saviynt Forums

ADMIN SAV ROLE READONLY