Clone of ROLE_ADMIN does not provide access to the list of security systems and endpoints

krecpond
New Contributor II

We have a requirement to provide admin access in PROD to the engineering team based on approved requests. A SAV role ROLE_ADMIN_RESTRICTED has been created and replicated on the SAV4SAV endpoint as an entitlement. This role was copied from ROLE_ADMIN.

The role has the exact same set of feature access, webservice accesses and configuration on the Create Request Home Option tab and the analytics tab.

However, users from the engineering team assigned to this role are not able to see the list of security systems and endpoints.

Why is this happening when the SAV role is a copy of the ROLE_ADMIN SAV role?


dgandhi
All-Star

Assign this newly created Sav Role in the connection as Default Sav Role. Once it is assigned in the connection, it should work.


Thanks,
Devang Gandhi
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

krecpond
New Contributor II

Unfortunately this solution will not work because part of the support team requires ROLE_ADMIN as persistent access and is also configured on all the connection objects. This role is equivalent to the ROLE_ADMIN except that the users in this role will be removed in 24 hrs from the time they are provisioned. This is like an emergency / "need-basis" account for engineering to perform deployments and triage P1 functionality / process issues in IGA.

Is there a viable solution for this requirement?

krecpond
New Contributor II

One more gap that I noticed with this role is that I am unable to manage membership to other SAV roles using this role. How can I overcome this issue?

krecpond
New Contributor II

Yet another gap is the ability to view the list of policies - User update rules, technical rules, organization rules, etc.

Hi @krecpond, for users having a custom SAV role to view the policies, the user should be assigned as a rule owner.

Regards,
Naveen Sakleshpur

krecpond
New Contributor II

So basically the product is not capable of scaling up to use custom admin SAV roles. I think we will just need to use the OOTB ROLE_ADMIN and make sure that the user is removed from it when the use of the role is done by engineering in PROD. I was doing a feature parity comparison to migrate this from IIQ to Saviynt, and it looks like Saviynt does not support this feature.