Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Configuring Entitlements for AD - Best Practice

Roua
Regular Contributor
Regular Contributor

Hello everyone,

I am asking for an advice on the best approach to configure entitlements for Active Directory. Specifically, I want to understand if the only way to configure these entitlements is through technical rules for each one, or if it is possible to configure them in the AD mapping, such as groupImportMapping.

For example, we have several entitlements like the following:

users.Employeeclass:      045
DN of group:         CN=test,OU=test,OU=test,OU=test,OU=test,OU=test,DC=test,DC=test,DC=test
There are more than 10 such entitlements that need to be configured.

Could someone please guide me on whether I need to create individual technical rules for each of these entitlements, or if there is a more efficient way to handle this through AD mapping configurations?

Thanks in advance for your help!

10 REPLIES 10

NM
Honored Contributor II
Honored Contributor II

Hi @Roua, do you want to create AD groups from saviynt or assign already created groups to account.

Roua
Regular Contributor
Regular Contributor

Hi @NM they are already created in AD.

NM
Honored Contributor II
Honored Contributor II

If DN of the group is matching with user property you can assign dynamically.

userNM
New Contributor III
New Contributor III

no, do not match, but the point is, if can we only do it via Technical rules?

The entitlements are coming from AD in Saviynt and we want to assign them there to the accounts and users.

So, as it was written e.g. if

users.Employeeclass= 045

then the entitlement
DN of group: CN=test,OU=test,OU=test,OU=test,OU=test,OU=test,DC=test,DC=test,DC=test

is assigned and provisioned to the target system as well.

NM
Honored Contributor II
Honored Contributor II

Hi @userNM @Roua , analytics is also an option where you can assign group on the basis of user employee class.

userNM
New Contributor III
New Contributor III

thank you! but we need to provision them as Birthrights... I think with Analitics it is not really possible...

NM
Honored Contributor II
Honored Contributor II

It is possible but if you want to provision when user is created .. then technical rule is the only option.

rushikeshvartak
All-Star
All-Star
  • Does employee class is same for multiple employees ?
  •  

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor
Regular Contributor

Yes it is:

Roua_0-1722325587895.png

 

Since employee class are handy create those many rules


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.