
Can we limit which entitlements a user can add to a role?

Sampo
Regular Contributor

We have a use case where users should be able to manage roles they own and add or remove entitlements from the role. But there should be a limit on which entitlements they can add to the role.

Currently, when a user starts managing a role and clicks the 'Add Entitlement' button, EIC shows all entitlements in the system. So users can add an entitlement that they should not be able to add to the role. Is it possible to filter this list based on the user's SAVRole or some other criteria? Filtering could be based on endpoint, entitlement type or a custom property of the entitlement.

best regards,

Sampo

17 replies

rushikeshvartak
All-Star
  • No, currently it's not supported.
  • Workaround - you can try adding logic in the GSP, but it may also restrict the regular adding of entitlements from Admin --> Roles >> Entitlements.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Sampo
Regular Contributor

Hi Rushikesh, 

thanks for your reply! Which GSP file should be modified to filter the list of available entitlements?

best regards,

Sampo

roles/addentitlementorole.gsp


Regards,
Rushikesh Vartak

NM
Honored Contributor II

@Sampo you can use an application role, which will restrict the person to only one endpoint.

The question is about role management and not access requests.


Regards,
Rushikesh Vartak

NM
Honored Contributor II

I meant if they are trying to add an entitlement to a role and they want to restrict it...

An application role is a way to do so, as it only shows entitlements of a particular endpoint.

Sampo
Regular Contributor

Hi NM, 

thanks for the idea. An application role might be a good solution, though it will limit the role to entitlements in one endpoint only. According to my initial tests it looks like we can assign users application roles from technical rules too (though the Object type option in technical rules only mentions Enterprise roles), so we'll explore this option too.

best regards,

Sampo

You can't assign app roles from technical rules.


Regards,
Rushikesh Vartak

NM
Honored Contributor II

Currently only enterprise roles are supported.

Sampo
Regular Contributor

It still seems to work. In the example below I triggered a rule for a user whose user.customproperty46 contains the name of an enterprise role and user.customproperty64 contains the name of an application role. When the technical rule is triggered, Saviynt creates pending tasks for the entitlements in the enterprise role and the entitlements in the application role. When the tasks for the app role are completed, the user is shown as a member of the role.

[screenshot: Sampo_0-1723643562869.png]

Not sure if we would run into trouble later with this approach, if assigning application roles from technical rules is not officially supported.

If it's working, that's great, and all required access is provided, but is "Assigned from role(s)" getting populated? Validate under View Existing Access.

[screenshot: rushikeshvartak_0-1723643806954.png]


Regards,
Rushikesh Vartak

Yes, I can see the application role name in the "Assigned from role(s)" column in View Existing Access -> Entitlements. The assignedfromrole and assignedfromrule columns are also populated in the account_entitlements1 table.

best regards,

Sampo

Then it should not be an issue. All use cases will work. Do full testing from ARS also.


Regards,
Rushikesh Vartak

NM
Honored Contributor II

An enterprise role might contain an application role as a child role.

Sampo
Regular Contributor

It looks like users can still use the Groups tab in Manage Roles to add any other role as a child role of the roles they own. This is a security issue, so is it possible to limit the roles that a user can add as a child role, so that they could only pick child roles that they own?

If not, we may need to hide the Groups button from Tab Config - Roles - ARS to Roles Update, so that only admins can manage child roles from the Admin - Roles screen, or send all role updates to admins for approval.

  • Creating roles without entitlements is not good practice.
  • You can make the role type read-only using a GSP update during the role modification process.

Regards,
Rushikesh Vartak

Sampo
Regular Contributor

Another issue is that the role owner can still change the type of the application role to enterprise role, or change the endpoint of the application role to something else. I wonder if this can be prevented, or whether it is possible to add a check to the role modification workflow to detect if the role type is changed, the role endpoint is changed, or child roles are added?