
ARS - User should have access to only 1 entitlement.

Suyash_Badnore1
New Contributor III

Hello Team,

Hope you're doing good!!

There's a requirement: suppose there are multiple entitlements associated with an application and a user already has one of them; then they should not be able to request any other entitlement unless the existing one is removed.

We've tried creating an SOD, but the thing with SOD is that the user can see it's violating while placing the request for another access, but is still able to submit the request.

We've also tried SOD > 0 in the workflow, but it's failing.

And if we use a dropdown menu in ARS, then the user can't remove previous entitlements.

Could you please suggest something on this to achieve what is expected?

Regards,

Suyash


sai_sp
Saviynt Employee

@Suyash_Badnore1 What is the business use case for having a shell account?

If you want only one entitlement to be assigned at a time, you can use 'Single Select Dropdown' in the entitlement type's config. But with this config, the user needs to have 1 entitlement at any given time. You cannot remove the existing entitlement and have the account without any entitlements here. Please elaborate on the use case and we can give suggestions.

One way to deal with this is a multi-step process:

Add: Drive it through ARS with single select dropdown

REMOVE: Create a user update form for any user attribute update (e.g. CP30). Create a user update rule to remove the access if the CP30 value is updated.

Hi @sai_sp,

Our use case is: out of the multiple entitlements present, only one can be accessible. If a user already has one and tries to submit an entitlement request for another, then either the request should get rejected or the user should get a popup/notification saying you cannot request other access unless you remove the existing one.

Please suggest something on this.

 

Regards,

Suyash

Suyash_Badnore1
New Contributor III

Hi Team,

Can anyone please suggest something on this, as this is a critical one?

Regards,

Suyash

rushikeshvartak
All-Star

Share the Workflow & SOD matrix.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak,

PFA the snapshots of the Workflow & SOD matrix, and let me know if I'm missing anything.

Regards,

Suyash


dgandhi
All-Star

Another way to achieve this would be to select the request option as Drop Down for the entitlement type.

With this, the user will be presented with a drop-down option at the time of the request.

If the user already has 1 entitlement from that type and tries to raise a new entitlement request, then Saviynt will first remove the existing entitlement which is present and assign the new one which the user has requested.

This will ensure that at any given time, user will have only 1 entitlement from that entitlement type.

Below configuration at entitlement type level:

[Screenshot: entitlement type configuration with the request option set to Drop Down]

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

Hi @dgandhi,

Thanks for the reply. I've tried that; we can select only one role in the dropdown, but for the removed role it's not creating any remove access task, and after the recon run it's showing both roles under the user account. Please suggest something if I'm missing anything here.

Regards,

Suyash

This should not happen; the purpose of the dropdown is to have only 1 entitlement assigned to the account.

Can you check below post once?

https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Remove-Access-task-is-not-created-when-the-en...

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter02-Identity-Repository/Viewi...

Create Task Action

Select this parameter to display the entitlements in the Selected Entitlements table in Access Requests.

Use the following options to define the behavior of task creation when entitlement values are modified:

  • Remove task for existing entitlements: Applicable for single-valued entitlement types. Select this option to create the remove access task for the existing entitlement value. For entitlements requested using a drop down (single) format, if an existing value is modified and this option is selected, then a separate remove access task is created for the existing value. Also, the details of the existing entitlement are displayed on the final step of request submission.
    When this option is not enabled, no separate remove access task is created for the existing entitlement. However, on completion of the add access task created for adding the new entitlement, the existing entitlement is automatically removed.

  • Enable Rollback: Applicable for single-valued entitlement types. When this option is selected, add access tasks are created for the original entitlement value that belongs to a drop down (single) type of entitlements when the entitlement value is removed.

  • No Action: Applicable for single-valued entitlement types. No explicit remove access tasks are created for the existing entitlements. If an existing entitlement value is modified, then only an add access task is created for adding the new value. No separate remove access tasks are created for the existing entitlement value. However, on provisioning the add access task for the new entitlement, the existing entitlement is removed from the user's account.

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.
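The difference between the "Remove task for existing entitlements" and "No Action" options above is easy to misread, so here is a small Python model of what each option does to the task list and to the account's end state. This is an added illustration, not Saviynt code; the class and function names are invented, and the `target_replaces_value=False` case is a hypothetical append-only target used to show why the explicit remove task is the defensive choice when you need the "at most one entitlement" invariant to hold regardless of how the connector handles a single-valued attribute.

```python
"""Model of Saviynt's 'Create Task Action' options for a single-select
(drop-down / radio) entitlement type.  Illustrative only: names are
invented and nothing here calls the Saviynt API."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class TaskAction(Enum):
    """The two options that affect the add path (documented in the post)."""
    REMOVE_EXISTING = "Remove task for existing entitlements"
    NO_ACTION = "No Action"


@dataclass(frozen=True)
class Task:
    kind: str         # "ADD" or "REMOVE"
    entitlement: str


@dataclass
class Account:
    # Single-valued entitlement type: the invariant we care about is len() <= 1
    entitlements: set[str] = field(default_factory=set)


def validate_request(account: Account, requested: str) -> str | None:
    """The OP's original ask: reject (return a reason) when the account already
    holds a different entitlement of this type, instead of letting the request
    through and relying on SOD to flag it afterwards."""
    if account.entitlements and requested not in account.entitlements:
        held = ", ".join(sorted(account.entitlements))
        return f"account already holds {held}; remove it before requesting {requested}"
    return None


def request_change(account: Account, requested: str, action: TaskAction) -> list[Task]:
    """Tasks created for a drop-down request, per the documented option."""
    existing = next(iter(account.entitlements), None)
    tasks: list[Task] = []
    if (existing is not None and existing != requested
            and action is TaskAction.REMOVE_EXISTING):
        # Explicit, auditable remove task for the value being replaced.
        tasks.append(Task("REMOVE", existing))
    tasks.append(Task("ADD", requested))
    return tasks


def provision(account: Account, tasks: list[Task],
              target_replaces_value: bool = True) -> Account:
    """Apply tasks to the account as the target system would see them.

    target_replaces_value=True  models the documented behaviour: completing the
        ADD overwrites the single-valued attribute, so the old value disappears.
    target_replaces_value=False is a hypothetical append-only target (an
        assumption for illustration): the ADD leaves the old value in place,
        which is what reconciliation would then show as two entitlements."""
    for t in tasks:
        if t.kind == "REMOVE":
            account.entitlements.discard(t.entitlement)
        elif t.kind == "ADD":
            if target_replaces_value:
                account.entitlements = {t.entitlement}
            else:
                account.entitlements.add(t.entitlement)
    return account


def violates_single_value(account: Account) -> bool:
    """True when reconciliation would show more than one entitlement."""
    return len(account.entitlements) > 1


if __name__ == "__main__":
    # Constructed sample: user holds ROLE_A and requests ROLE_B.
    for action in TaskAction:
        for replaces in (True, False):
            acct = provision(Account({"ROLE_A"}),
                             request_change(Account({"ROLE_A"}), "ROLE_B", action),
                             target_replaces_value=replaces)
            print(f"{action.name:16} replaces={replaces!s:5} -> "
                  f"{sorted(acct.entitlements)} violation={violates_single_value(acct)}")
```

Run as a script it prints the end state for each combination. The only combination that leaves both roles on the account is "No Action" against a target whose ADD does not overwrite the previous value; with "Remove task for existing entitlements" the explicit REMOVE task runs first, so the single-value invariant holds either way. `validate_request` is the request-time check the OP asked for; it is a separate control from the task-creation option, and the thread's accepted approach (radio/drop-down) relies on replacement rather than rejection.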

Hi @dgandhi,

Thank you for the suggestion here. It worked with Radio without adding "Remove task for existing entitlements". We're planning to use the same.

 

Regards,

Suyash