
Birthright Access and Exchange Provisioning for Service Accounts

RahulMulik
New Contributor II

Hi Experts,

We have a requirement where we are creating a Service account via Manage Service Account Tile and we want to assign birthright groups and also create a service account exchange mailbox.
How can this be achieved? We can't make use of Update Rules or Technical Rules since those are related to users.

Thanks,
Rahul Mulik


rushikeshvartak
All-Star
  • If the user has some default entitlement selected, then you can use an entitlement map
  • You can use an actionable analytics report
  • A request rule can be used

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi Rushikesh,

Since these are Service Accounts directly created from Manage Service Account Tile there will be no user associated with them and entitlements are not constant but are dynamic based on the user's company, grade, and location.

Request rules don't seem to be feasible either.

How can actionable analytics calculate and form the groups required for them, as there are nearly 80+ companies and 12 grades? Also, how can we trigger the exchange create account task?

Thanks,
Rahul Mulik

 

You can create an actionable report: if any accounts were created in the last 24 hours, then assign birthright groups. For mailbox creation, you need to create a request rule based on a dynamic attribute.


Regards,
Rushikesh Vartak

RahulMulik
New Contributor II

Hi Rushikesh,

I tried to create an actionable analytics report where we will assign the groups based on date. But when I try to save the analytics, it says:

Resultset Must Have column entvaluekey,acctKey,accName,userKey for allowed actions Provision Access

Since it is a service account, it will not have any associated users. How can we proceed without it?

And can you elaborate on how we can use request rules for mailbox account creation?

Thanks,
Rahul Mulik

Like you mentioned, the accounts are service accounts and not tied to any user, so you cannot grant birthright access automatically because that is not how Saviynt works.

Instead, when requesting the service account via the "Manage Service Account" tile, try to show the entitlements as requestable. You can limit the entitlements to be shown via the configuration at the endpoint --> entitlement type level --> "Config for Available Entitlement in Service Account" by making a few custom properties align to your dynamic criteria.

You could put a disclaimer using a DA asking the requestor to select all the entitlements available, failing which the access will be limited.

For provisioning the service account to Exchange, there is no OOTB feature currently available. You may want to handle it at the target end.

KA

Share the current version of the query.


Regards,
Rushikesh Vartak

Hi Rushikesh,

That query is resolved now. But I can see it's not creating any task.

Thanks,
Rahul Mulik

Share the query. You need to schedule the report.


Regards,
Rushikesh Vartak

Hi Rushikesh,

This is the query I am using.

    select null as userKey,
           a.NAME as accName,
           a.ACCOUNTKEY as acctKey,
           ev.entitlement_valuekey as entvaluekey,
           'Provision Access' as Default_Action_For_Analytics
    from accounts a, entitlement_values ev, entitlement_types et, endpoints e
    where e.endpointkey = 11
      and a.status = '1'
      and datediff(curdate(),a.created_on) = 3
      and ev.ENTITLEMENT_VALUE = 'CN=Windows7,OU=Groups,OU=TestSBU,DC=testad,DC=corp,DC=pri'
      and ev.ENTITLEMENTTYPEKEY = et.ENTITLEMENTTYPEKEY
      and et.ENDPOINTKEY = 11

Here I will also need to check whether this entitlement is already assigned to the account; if so, there is no need to create tasks for such accounts.

Thanks,
Rahul Mulik

Change userkey to 1 and try.


Regards,
Rushikesh Vartak

Thanks, Rushikesh,
With userkey as 1, it worked.

Thanks,
Rahul Mulik
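
Added example, not posted by anyone in the thread: one way to write the analytics query so that it skips accounts that already hold the group (the check the poster said was still needed) and only picks up accounts on the target endpoint. The `account_entitlements1` table, its `ACCOUNTKEY` / `ENTITLEMENT_VALUEKEY` columns and the `ENDPOINTKEY` column on `accounts` are assumptions about the Saviynt schema and do not appear in the thread; verify them in your environment before scheduling the report.

```sql
-- Added example (assumed schema: account_entitlements1, accounts.ENDPOINTKEY).
-- Endpoint key 11, the 3-day window and the group DN are the values from the thread.
SELECT
    1                        AS userKey,       -- thread: 1 worked where NULL created no task
    a.NAME                   AS accName,
    a.ACCOUNTKEY             AS acctKey,
    ev.ENTITLEMENT_VALUEKEY  AS entvaluekey,
    'Provision Access'       AS Default_Action_For_Analytics
FROM accounts a
JOIN entitlement_types et
      ON et.ENDPOINTKEY = a.ENDPOINTKEY           -- only entitlement types of the account's own endpoint
JOIN entitlement_values ev
      ON ev.ENTITLEMENTTYPEKEY = et.ENTITLEMENTTYPEKEY
WHERE a.ENDPOINTKEY = 11                          -- scope accounts to the target endpoint
  AND a.STATUS = '1'
  AND DATEDIFF(CURDATE(), a.CREATED_ON) = 3
  AND ev.ENTITLEMENT_VALUE = 'CN=Windows7,OU=Groups,OU=TestSBU,DC=testad,DC=corp,DC=pri'
  AND NOT EXISTS (                                -- skip accounts that already have this group
        SELECT 1
        FROM account_entitlements1 ae
        WHERE ae.ACCOUNTKEY = a.ACCOUNTKEY
          AND ae.ENTITLEMENT_VALUEKEY = ev.ENTITLEMENT_VALUEKEY
      )
```

Without the `a.ENDPOINTKEY` filter, the result set includes every active account created three days earlier on any endpoint, so the report would raise Provision Access tasks for accounts that should never receive this group.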