
Assign Sav role based on particular endpoint

Diwakar
Regular Contributor

We have a requirement to assign a particular sav role automatically as soon as a user is provisioned with a particular endpoint. Can anyone please help me achieve my use case?

Currently, in our v23.12 version, I don't see the savrole table. Is it removed from this version?


CR
Regular Contributor III

You can add an endpoint-level sav entitlement in the tab below; it will be created by default when the endpoint request is created.

ref : https://forums.saviynt.com/t5/identity-governance/assigning-default-roles-for-request-based-provisio...

 

CR_0-1708614727249.png

 


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

AmitM
Valued Contributor

Hi @Diwakar, this would end up with a similar answer to your earlier post. You need to configure the Sav4Sav connector/security system.

And use the setting below on the other endpoint and add the sav role entitlement here. Every time a new account is created for this endpoint, Saviynt will also create a task for sav role addition.

AmitM_0-1708615177371.png

Thanks, Amit

If this answers your query, Please ACCEPT SOLUTION and give KUDOS.

Diwakar
Regular Contributor

@CR @AmitM Thanks for the response. Then again, I am stuck; I request you to provide some info on how to convert a role/user group to an entitlement through SAV4SAV. We already have SAV4SAV created as DATABASE, so where do we put this to convert a role/user group to an entitlement in the Saviynt endpoint?

Diwakar_0-1708615729643.png

 

I tried checking everywhere in the forum but was unable to find the complete process for this. Any sample info would be helpful in achieving my use case.

Thanks beforehand.

Diwakar.

AmitM
Valued Contributor

AmitM_0-1708616541557.png

If you click on the connector and share the above config. This is what sets up these objects as entitlements.

And hope you have import jobs scheduled for sav 4 sav.

Thanks,

Amit

Diwakar
Regular Contributor

Hi @AmitM ,

Please find the attached config as requested. Please let me know how to modify it for our use case without impacting any current setup. I really appreciate your help on this.

"And hope you have import jobs scheduled for sav 4 sav" - you mean this job?

Diwakar_0-1708617863009.png

 

Thanks,

Diwakar.

AmitM
Valued Contributor

Based on your config, Savroles are imported as entitlements. The same can be done for user groups.

But for this forum you already have sav roles as entitlements. So follow my earlier post and add those as Entitlement with new account in your other endpoint.

On the job: the one you shared a screenshot of is a user import. There must be an entitlement import also; if not, that is what you need to create. Go to the Saviynt 4 Saviynt endpoint and see if you can find ents there.

Diwakar
Regular Contributor

@AmitM Thanks for your response, I checked Saviynt4Saviynt endpoint but entitlement in that endpoint is empty.

Diwakar_0-1708620117148.png

You mean, we need to create separate job for entitlement import under below category to import SAV roles as entitlements?

Diwakar_1-1708620195009.png

Thanks,

Diwakar.

CR
Regular Contributor III

@Diwakar do you have the sav roles list? All roles have a minimum of 2 users? If not, please add it and run the access import job.


Thanks,
Raghu

AmitM
Valued Contributor

Correct, create the job if there is not one already and run it.

 

Diwakar
Regular Contributor

@AmitM @CR I have created the job and ran it, and managed to import all sav roles as entitlements to the Saviynt endpoint. However, when we map the same to the existing ADM endpoint like this

Diwakar_0-1708628228984.png

and then tested with one account, we can now see that a Saviynt security system task has triggered as a new account?

Diwakar_1-1708628287919.png

Is this the expected outcome? If yes, then we don't want to get this account provisioned separately; we only want to add one of the SAV roles which we linked as an entitlement in the ADM endpoint. Please suggest!

Diwakar
Regular Contributor

@AmitM Any further suggestion on this please?

Please be informed that we are not assigning the Saviynt endpoint as default to all users. So how will converting a SAV role to an entitlement from the SAV4SAV connector work?

rushikeshvartak
All-Star
  • Option 1 : Create Enterprise role and add entitlement from application + Entitlement from Saviynt (Sav role)
  • Option 2 : Use Entitlement Map , under application Entitlement map saviynt (sav role) entitlement
  • Option 3 : Use actionable analytics
  • Option 4 : Use Request Rules
  • Option 5 : Use enhanced Query to insert into savroles_users table

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Diwakar
Regular Contributor

@rushikeshvartak We want to go with option 5. Can you please help by providing an enhanced query to insert into the savroles_users table?

Our requirement is to insert those users into one of the SAV roles where the user is provisioned with the ADM endpoint. I am not able to find a suitable query for this.

select 100 as user_savroles__userkey, 1 as user_savroles__rolekey from user_savroles

Join with accounts, user_accounts table to do proper insert.

First try above query if it works 


Regards,
Rushikesh Vartak

Diwakar
Regular Contributor

@rushikeshvartak I tried but it gave below error:

Diwakar_0-1708933852079.png

Request your help to please provide complete insert query that can be used in enhance query execution job with below requirement:

*Insert those users into one of the SAV role where user is provisioned with ADM endpoint.*

CR
Regular Contributor III

@Diwakar @rushikeshvartak The below tables are restricted in Enhanced Query updates, due to an inherent constraint:

user_accounts

user_savroles

@Diwakar you need to insert a query as per your requirement and include it in the s4s (cloud) connection. Sample:

INSERT INTO USER_SAVROLES(USERKEY,ROLEKEY) VALUES(${user.id},(select rolekey from savroles where rolename = ( select entitlement_value from entitlement_values where entitlement_valuekey = ${task.entitlement_valueKey.id})))


Thanks,
Raghu

Diwakar
Regular Contributor

@CR I believe insert operation is moved to enhanced query job in latest saviynt version, can you please provide query based on the latest job? Below is the sample given in job.

Diwakar_0-1709030391966.png

 

CR
Regular Contributor III

We can insert, but we can't insert into the above table; it is restricted.


Thanks,
Raghu

Diwakar
Regular Contributor

@CR then may I please request that you provide an enhanced query that works in the current version to insert users into one of the sav roles? This is all I have been requesting, to fulfill my requirement.

@Diwakar insert is not supported to user_savroles table using enhanced Query


Regards,
Rushikesh Vartak

@rushikeshvartak Then may I please know how you suggested option 5 below through an enhanced query? I am more focused on this approach as it's simpler to achieve without making changes to the existing configuration.

Diwakar_0-1709049343734.png

 

I have overlooked documentation 😑 https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter10-Job-Control-Panel/Job-Cat...


Regards,
Rushikesh Vartak

Which connector is used by ADM endpoint ?


Regards,
Rushikesh Vartak

Diwakar
Regular Contributor

@rushikeshvartak It's the same AD connector which is used for the ADM endpoint. Please provide the insert query for SAV roles with an endpoint condition.

Use the Entitlement Map concept. Attach the saviynt endpoint entitlement as a mapped entitlement under the ad entitlement.


Regards,
Rushikesh Vartak

Diwakar
Regular Contributor

@rushikeshvartak We did the mapping to the AD entitlement. However, the add task for the SAV role is only triggering for AD groups managed by Saviynt; when we tested with an AD group which is not managed by Saviynt, the task is not triggering. We want to trigger the same for AD groups not managed by Saviynt.

Let me know if it's possible. If not, please suggest the alternative approach?

What is AD Managed vs Saviynt managed group ?


Regards,
Rushikesh Vartak

Diwakar
Regular Contributor

@rushikeshvartak That means we have some AD groups where provisioning is done by Saviynt, and we have other AD groups which we are just importing through the AD account import job, with access not provisioned by Saviynt.

So the SAV role is only triggering for AD groups where access is provisioned by Saviynt; it's not triggering for those groups where access is not provisioned by Saviynt. Hope that clarifies.

So please suggest how to auto trigger the SAV role for AD groups where access is not provisioned by Saviynt.

Thanks,

Diwakar.
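
Added example, not part of the thread and not Saviynt code: a read-only reconciliation of the requirement discussed above (every user with an ADM endpoint account holds one SAV role, and nobody else does), run against a constructed SQLite schema. Table names follow the thread; the `endpoints` table, the join columns and the role name `ROLE_ADM_SUPPORT` are assumptions made for illustration.

```python
import sqlite3

# Constructed toy schema. Table names follow the thread; columns other than
# userkey/rolekey/rolename are assumptions, not Saviynt's documented schema.
SCHEMA = """
CREATE TABLE endpoints     (endpointkey INTEGER PRIMARY KEY, endpointname TEXT);
CREATE TABLE accounts      (accountkey INTEGER PRIMARY KEY, endpointkey INTEGER);
CREATE TABLE user_accounts (userkey INTEGER, accountkey INTEGER);
CREATE TABLE savroles      (rolekey INTEGER PRIMARY KEY, rolename TEXT);
CREATE TABLE user_savroles (userkey INTEGER, rolekey INTEGER);
"""

# Constructed sample data: users 100 and 101 hold ADM accounts, 102 does not.
SAMPLE = """
INSERT INTO endpoints VALUES (1, 'ADM'), (2, 'HR');
INSERT INTO accounts VALUES (10, 1), (11, 1), (12, 2);
INSERT INTO user_accounts VALUES (100, 10), (101, 11), (102, 12);
INSERT INTO savroles VALUES (7, 'ROLE_ADM_SUPPORT');
INSERT INTO user_savroles VALUES (100, 7), (102, 7);
"""

# Users holding an account on the endpoint: the set that should have the role.
ENTITLED = """
SELECT DISTINCT ua.userkey FROM user_accounts ua
JOIN accounts a  ON a.accountkey = ua.accountkey
JOIN endpoints e ON e.endpointkey = a.endpointkey
WHERE e.endpointname = :endpoint
"""
# Users who currently hold the role.
HOLDERS = """
SELECT us.userkey FROM user_savroles us
JOIN savroles r ON r.rolekey = us.rolekey
WHERE r.rolename = :role
"""

def reconcile(conn, endpoint, role):
    """Return (missing, excess): users owed the role, and holders with no account."""
    p = {"endpoint": endpoint, "role": role}
    missing = conn.execute(f"{ENTITLED} EXCEPT {HOLDERS} ORDER BY 1", p).fetchall()
    excess = conn.execute(f"{HOLDERS} EXCEPT {ENTITLED} ORDER BY 1", p).fetchall()
    return [r[0] for r in missing], [r[0] for r in excess]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return reconcile(conn, "ADM", "ROLE_ADM_SUPPORT")

if __name__ == "__main__":
    print(demo())
```

The `missing` list covers the gap raised at the end of the thread (accounts that were imported rather than provisioned, so no add task fired); the `excess` list shows role holders whose endpoint account no longer exists.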