
Computershare GEMS Application Requirement

Adithya
Regular Contributor

Hi Saviynt Team,

We have the below challenges in integrating the GEMS application with Saviynt. We would appreciate it if you could share your thoughts on how we can integrate this application with Saviynt.


1. In GEMS, users can only have one entitlement access at a time (Ent Type: userUserRole).
2. In GEMS, a user can't be created or exist without an entitlement access.
3. In GEMS, entitlements can't be removed; they can only be replaced.

Topic 1:
=======
To cater for "In GEMS, users can only have one entitlement at a time", we're planning to use an application-based access request and set the create task action to "Remove Task for Existing Entitlements" in the endpoint, in the entitlement type configuration.

So whenever an end user raises a request for an entitlement (Ent Type: userUserRole), Saviynt will raise "Remove Access for existing entitlement (Ent Type: userUserRole)" and "raise add access task for new entitlement (Ent Type: userUserRole)". So Saviynt will raise the Remove Access and Add Access tasks at the same time.

But the problem is "In GEMS, entitlements can't be removed; they can only be replaced." So the GEMS team suggested that we use their replace API and move the user from the actual entitlement to a dummy entitlement (which doesn't give any access to GEMS).

Q1> Let's say Saviynt has used their replace API in the remove access JSON, and both the remove access and add access tasks are created. The remove access task will try to replace the entitlement and the add access task will try to add the new entitlement.

Which task gets processed first? Is there any configuration that needs to be set in Saviynt to allow the add access task to be processed first, then the others? Please guide me.

2 REPLIES

NM
Honored Contributor II

Hi @Adithya, keep the remove access JSON empty; it will automatically complete the task.

rushikeshvartak
All-Star
  • Your configuration looks correct.
  • In remove existing access, in the Add Access JSON call the replace API to replace access.
  • You can define task type priority in global configuration.

  • Task Execution Hierarchy

    Use this setting to define the hierarchy to execute the tasks in EIC. This hierarchy represents the order (sequence) in which the task types are executed after running the WSRETRY job for a request.

    By default, EIC executes the task types in the following hierarchy:

    • Add Account = 1
    • Remove Account or Remove Access = 2
    • Create New Account = 3
    • Change Password = 5
    • Enable Account = 6
    • Delete Account = 8
    • Update User = 9
    • Update Account = 12
    • Disable Account = 14
    • Create Entitlement = 24
    • Update Entitlement - Add Access = 25
    • Update Entitlement - Remove Access = 26
    • Update Entitlement = 27
    • Delete Entitlement = 28
    • Grant Access to Firefighter ID = 29
    • Revoke Access for Firefighter ID = 30
    • Update Access End Date = 31
    • Lock Account = 32
    • Unlock Account = 33

    Note

    The numerical values of the task types are internal values assigned in EIC and they cannot be modified.

    The default order in which the task types are executed in EIC is:

    1 > 12 > 9 > 3 > 2 (remove access > remove account) > 5 > 6 > 14 > 8 > 24 > 27 > 28 > 25 > 26 > 29 > 30

    Note

    It is recommended to retain the default task execution hierarchy for the task types in EIC.

    To modify (customize) the default order in which the task types are executed in EIC, select the list of task types in the Task Execution Hierarchy field from Admin > Global Configurations > Request.

    Note

    When the Task Execution Hierarchy field is configured, it overrides the default task type execution hierarchy. EIC executes the task types in the same order in which the task types in this field were selected.

    The following options are available in the Task Execution Hierarchy field.

    • AddAccess
    • RemoveAccess
    • NewAccount
    • ChangePassword
    • EnableAccount
    • RemoveAccount
    • UpdateUser
    • UpdateAccount
    • DisableAccount
    • Create Entitlement
    • Update Entitlement
    • Delete Entitlement
    • EntitlementManagement
    • Add Child Entitlement
    • Remove Child Entitlement
    • Grant Firefighter ID
    • Revoke Firefighter ID
    • Update Access End Date
    • Lock Account
    • Unlock Account
    • Firefighter Instance Grant Access
    • Firefighter Instance Remove Access
    • Firefighter Access Alert
    • Create Organization
    • Update Organization

    For more information about the data mapping, see Database Schema Reference in Enterprise Identity Cloud Schema Guide.

     

    https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter06-EIC-Configurations/Config... 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
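
The ordering question in this thread, worked through as an added example (not code from the posters, Saviynt or GEMS): a toy replace-only target is run through the default task order quoted above to show which role the user ends up holding under each option discussed. Treating task type 1 as the add-access task, the `DUMMY_NO_ACCESS` role, the user `jdoe` and the role names are assumptions made for the illustration.

```python
# Constructed model for illustration; not Saviynt or GEMS code.
DEFAULT_ORDER = [1, 12, 9, 3, 2, 5, 6, 14, 8, 24, 27, 28, 25, 26, 29, 30]  # quoted default
ADD_ACCESS, REMOVE_ACCESS = 1, 2  # assumption: type 1 is the add-access task
DUMMY = "DUMMY_NO_ACCESS"         # hypothetical placeholder role with no access


class Gems:
    """Toy target: every user holds exactly one role; roles can only be replaced."""

    def __init__(self, roles):
        self.roles = dict(roles)

    def replace(self, user, role):
        if user not in self.roles:
            raise KeyError(f"{user}: a user cannot exist without a role")
        self.roles[user] = role


def run_request(gems, user, new_role, order, remove_calls_replace):
    """Run the add/remove task pair in hierarchy order; return (task, role) steps."""
    tasks = [(REMOVE_ACCESS, "remove"), (ADD_ACCESS, "add")]
    tasks.sort(key=lambda t: order.index(t[0]))  # position in hierarchy decides order
    log = []
    for _, kind in tasks:
        if kind == "add":
            gems.replace(user, new_role)
        elif remove_calls_replace:
            gems.replace(user, DUMMY)
        # otherwise: empty remove JSON, the task completes without calling GEMS
        log.append((kind, gems.roles[user]))
    return log


def final_role(order, remove_calls_replace):
    """Role held after a request to move constructed user jdoe from ROLE_A to ROLE_B."""
    gems = Gems({"jdoe": "ROLE_A"})
    run_request(gems, "jdoe", "ROLE_B", order, remove_calls_replace)
    return gems.roles["jdoe"]


if __name__ == "__main__":
    remove_first = [REMOVE_ACCESS, ADD_ACCESS]  # a customized hierarchy
    for label, order, flag in [
        ("default order, remove JSON calls replace-to-dummy", DEFAULT_ORDER, True),
        ("default order, empty remove JSON", DEFAULT_ORDER, False),
        ("remove-first order, remove JSON calls replace-to-dummy", remove_first, True),
    ]:
        print(f"{label}: {final_role(order, flag)}")
```

In this model the add task runs before the remove task under the default order, so a remove JSON that replaces to the dummy role leaves the user without the requested access, while an empty remove JSON or a remove-first hierarchy leaves the new role in place.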