08/14/2024 05:22 AM
We have a use case where users should be able to manage roles they own and add or remove entitlements from the role. But there should be a limitation on which entitlements they can add to the role.
Currently, when a user starts managing a role and clicks the 'Add Entitlement' button, EIC shows all entitlements in the system. So users can add an entitlement that they should not be able to add to the role. Is it possible to filter this list based on the user's SAVRole or some other criteria? Filtering could be based on endpoint, entitlement type or a custom property of the entitlement.
best regards,
Sampo
08/14/2024 05:26 AM
08/14/2024 05:28 AM - edited 08/14/2024 05:28 AM
Hi Rushikesh,
thanks for your reply! Which GSP file should be modified to filter the list of available entitlements?
best regards,
Sampo
08/14/2024 05:29 AM
roles/addentitlementorole.gsp
08/14/2024 05:59 AM
@Sampo you can use an application role, which will restrict the person to only one endpoint.
08/14/2024 06:00 AM
The question is about role management and not access request.
08/14/2024 06:04 AM
I meant if they are trying to add an entitlement to a role and they want to restrict it.
An application role is a way to do so, as it only shows entitlements of a particular endpoint.
08/14/2024 06:36 AM
Hi NM,
thanks for the idea. An application role might be a good solution, though it will limit the role to entitlements in one endpoint only. According to my initial tests it looks like we can assign users application roles from technical rules too (though the Object type option in technical rules only mentions Enterprise roles), so we'll explore this option, too.
best regards,
Sampo
08/14/2024 06:39 AM
You can't assign app roles from technical rules.
08/14/2024 06:42 AM
Currently only enterprise roles are supported.
08/14/2024 06:53 AM
It still seems to work. In the example below I triggered a rule for a user whose user.customproperty46 contains the name of an enterprise role and user.customproperty64 contains the name of an application role. When the technical rule is triggered, Saviynt creates pending tasks for the entitlements in the enterprise role and the entitlements in the application role. When the tasks for the app role are completed, the user is shown as a member of the role.
Not sure if we would run into trouble later with this approach, if assigning application roles from technical rules is not officially supported.
08/14/2024 06:57 AM
If it's working, that's great, and all required access is provided, but is "assigned from roles" getting populated? Validate under View Existing.
08/14/2024 07:05 AM
Yes, I can see the application role name in the "Assigned from role(s)" column in View Existing Access -> Entitlements. The assignedfromrole and assignedfromrule columns are also populated in the account_entitlements1 table.
best regards,
Sampo
08/14/2024 07:08 AM
Then it should not be an issue. All use cases will work. Do full testing from ARS also.
08/14/2024 06:57 AM
An enterprise role might contain an application role as a child role.
08/15/2024 02:14 AM
It looks like users can still use the Groups tab in Manage Roles to add any other role as a child role of roles that they own. This is a security issue, so is it possible to limit the roles that a user can add as a child role so that they could only pick child roles that they own?
If not, we may need to hide the Groups button from Tab Config - Roles - ARS to Roles Update so that only admins can manage child roles from the Admin - Roles screen, or send all role updates to admins for approval.
08/15/2024 05:00 AM - edited 08/15/2024 05:01 AM
08/15/2024 03:36 AM
Another issue is that the role owner can still modify the type of the application role to enterprise role or change the endpoint of the application role to something else. I wonder if this can be prevented, or if it is possible to add a check to the role modification workflow to detect whether the role type is changed, the role endpoint is changed or child roles are added?
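As an added illustration of the checks the thread asks for (not code from Saviynt or from any poster), the function below compares a role snapshot before and after an owner's edit and reports every change that should block or route the update for approval: a role type change, an endpoint change, a child role the requester does not own, and a new entitlement outside an allowed endpoint/type filter. The `Role` fields, the `(endpoint, type, value)` entitlement key and all sample names are assumptions for the example, not EIC's schema.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

Entitlement = Tuple[str, str, str]  # (endpoint, entitlement_type, value); assumed key format

@dataclass(frozen=True)
class Role:
    """Minimal role snapshot; field names are assumptions, not Saviynt's data model."""
    name: str
    owner: str
    role_type: str                     # "application" or "enterprise"
    endpoint: Optional[str] = None     # set for application roles
    entitlements: FrozenSet[Entitlement] = frozenset()
    child_roles: FrozenSet[str] = frozenset()

def check_role_update(before: Role, after: Role, requester: str, owned_roles: Set[str],
                      allowed_endpoints: Set[str], allowed_types: Set[str]) -> List[str]:
    """Return the policy violations in an owner's edit; an empty list means it may proceed."""
    violations = []
    if before.owner != requester:
        violations.append(f"{requester} does not own role {before.name}")
    if after.role_type != before.role_type:
        violations.append(f"role type changed {before.role_type} -> {after.role_type}")
    if after.endpoint != before.endpoint:
        violations.append(f"endpoint changed {before.endpoint} -> {after.endpoint}")
    # Only newly added child roles are checked; removals are left to the owner.
    for child in sorted(after.child_roles - before.child_roles):
        if child not in owned_roles:
            violations.append(f"child role {child} added but not owned by {requester}")
    # Newly added entitlements must match the endpoint and type filter for this owner.
    for endpoint, ent_type, value in sorted(after.entitlements - before.entitlements):
        if endpoint not in allowed_endpoints or ent_type not in allowed_types:
            violations.append(f"entitlement {endpoint}/{ent_type}/{value} outside allowed filter")
    return violations

def demo() -> List[str]:
    """Constructed scenario: an owner retypes the role, moves its endpoint and adds items."""
    before = Role("SAP-Finance-Reader", "sampo", "application", "SAP",
                  frozenset({("SAP", "Profile", "FI_READ")}))
    after = Role("SAP-Finance-Reader", "sampo", "enterprise", "AD",
                 frozenset({("SAP", "Profile", "FI_READ"), ("SAP", "Profile", "FI_POST"),
                            ("AD", "Group", "Domain Admins")}),
                 frozenset({"SAP-Finance-Base", "All-Admins"}))
    return check_role_update(before, after, "sampo",
                             owned_roles={"SAP-Finance-Reader", "SAP-Finance-Base"},
                             allowed_endpoints={"SAP"}, allowed_types={"Profile"})

if __name__ == "__main__":
    for v in demo():
        print("BLOCK:", v)
```

In `demo()` the owned child role and the SAP profile pass, while the type change, endpoint change, unowned child role and AD group are each reported.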