
AzureAD custom PIM role

NM
Regular Contributor III

Hi Team,

We have a use case where we want to import custom PIM roles into Saviynt along with the built-in roles. Using the Graph endpoint we can pull both custom and built-in roles, but we don't see any Graph endpoint that will give us the mapping between a custom PIM role and an account.

If anyone has had the same requirement, which endpoint did you use for the mapping?

Thanks!

6 REPLIES

rushikeshvartak
All-Star

Here's a general overview of the endpoints you can use:

  • Retrieve Custom PIM Roles: /beta/privilegedRoles endpoint with appropriate filters to distinguish custom roles.
  • Retrieve Built-in Roles: /beta/roles endpoint with appropriate filters to distinguish built-in roles.
  • Retrieve Role Assignments: /beta/roleassignments endpoint to get the list of role assignments.

Ensure that your application has the necessary permissions (such as Directory.Read.All and PrivilegedAccess.Read.All) to query these endpoints.

By combining these endpoints and processing the retrieved data, you can effectively map custom PIM roles to accounts in Saviynt.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
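One way to combine the role-definition and role-assignment endpoints into the account-to-role mapping asked for above. This is an added example, not code from the reply or from Saviynt's connector: it assumes the Microsoft Graph roleManagement/directory resources (roleDefinitions with isBuiltIn, roleAssignmentScheduleInstances with principalId and roleDefinitionId), follows @odata.nextLink paging, and uses constructed sample pages in place of live HTTP calls.

```python
"""Added example (not from the thread or Saviynt): join Graph role definitions with
active PIM assignments into the account-to-role mapping the thread asks for."""
from typing import Callable, Dict, List

# Constructed pages standing in for GET /v1.0/roleManagement/directory/roleDefinitions, split over two pages to exercise paging.
ROLE_DEF_PAGES = {
    "roleDefinitions": {
        "value": [{"id": "role-ga", "displayName": "Global Administrator", "isBuiltIn": True}],
        "@odata.nextLink": "roleDefinitions?$skiptoken=p2"},
    "roleDefinitions?$skiptoken=p2": {
        "value": [{"id": "role-hd", "displayName": "Custom Helpdesk Operator", "isBuiltIn": False}]},
}
# Constructed page standing in for GET /v1.0/roleManagement/directory/roleAssignmentScheduleInstances
ASSIGNMENT_PAGES = {"roleAssignmentScheduleInstances": {"value": [
    {"id": "asg-1", "principalId": "alice", "roleDefinitionId": "role-ga", "assignmentType": "Assigned"},
    {"id": "asg-2", "principalId": "bob", "roleDefinitionId": "role-hd", "assignmentType": "Activated"},
    {"id": "asg-3", "principalId": "carol", "roleDefinitionId": "role-gone", "assignmentType": "Assigned"},
]}}

def collect_pages(fetch: Callable[[str], Dict], url: str) -> List[Dict]:
    """Follow Graph paging: keep requesting until no @odata.nextLink is returned."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def map_accounts_to_roles(role_defs: List[Dict], assignments: List[Dict]) -> List[Dict]:
    """One row per active assignment, tagged builtin/custom from isBuiltIn.
    An assignment whose role definition is missing (e.g. a custom role deleted after
    it was assigned) is kept and flagged, not silently dropped from the import."""
    by_id = {r["id"]: r for r in role_defs}
    rows = []
    for a in assignments:
        role = by_id.get(a["roleDefinitionId"])
        rows.append({
            "assignmentId": a["id"],
            "account": a["principalId"],
            "role": role["displayName"] if role else None,
            "roleType": "unknown" if role is None else ("builtin" if role["isBuiltIn"] else "custom"),
            "assignmentType": a["assignmentType"],  # "Assigned" = permanent, "Activated" = PIM activation
        })
    return rows

def build_mapping() -> List[Dict]:
    defs = collect_pages(ROLE_DEF_PAGES.__getitem__, "roleDefinitions")  # swap in a real HTTP client in production
    asgs = collect_pages(ASSIGNMENT_PAGES.__getitem__, "roleAssignmentScheduleInstances")
    return map_accounts_to_roles(defs, asgs)
```

Eligible (not yet activated) assignments live in a separate Graph resource, roleEligibilityScheduleInstances, and can be run through the same join to cover both tabs.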

NM
Regular Contributor III

Hi @rushikeshvartak, thank you, let me explore these endpoints... Could you also help us with the endpoint we can use to remove custom and built-in PIM roles from the "Active Assignment" tab?

I see a directory role endpoint which fulfils the requirement for directory roles/built-in roles, but not for custom ones.

Here's a simplified example of how you might interact with the Azure AD PIM API using a hypothetical RESTful interface:

GET /role-assignments

This endpoint retrieves a list of all role assignments.

DELETE /role-assignments/{assignment-id}

This endpoint removes the role assignment identified by {assignment-id}.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Regular Contributor III

Hi @rushikeshvartak, and here in the delete endpoint, the "assignment ID" is the member ID that we have to pass, right?

In the context you've provided, the {assignment-id} in the DELETE /role-assignments/{assignment-id} endpoint refers to the unique identifier of the role assignment that you want to remove. This identifier typically corresponds to the ID assigned to the role assignment within the system.

When you make a DELETE request to this endpoint, you pass the specific assignment-id of the role assignment you want to delete in the URL path. For example:

DELETE /role-assignments/12345678

Here, 12345678 would be replaced with the actual ID of the role assignment you want to delete. This tells the server which role assignment you're targeting for deletion. Make sure to have the necessary permissions to delete role assignments to avoid any authorization issues.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Regular Contributor III

Hi @rushikeshvartak, we want to manage eligible and active assignments, which doesn't seem to be possible with the endpoints exposed.

Thanks for your help!!