
Creating entitlements via the API

New Contributor III

Hi all

I wish to delegate the ability to create and update entitlements via the API (5.5SP3). Specifically to create an entitlement in an AD-based endpoint.

I identified a group in AD, and an entitlement is already reconciled in the main AD endpoint. I created a new endpoint and an entitlement type, then created an entitlement for that group in the new endpoint. However, it does not reconcile. Is this because it does not exist in the ENDPOINT_FILTER in the AD connection? If this is the case, does it mean that I would need to delegate access to update the connection? This is not a satisfactory solution.

(I take it this is the only way to update a connection, seems a little odd.)

If there is no way around this, what have others done? I looked at Keycloak, which appears like it might be able to help, but I know little about it so I'm reluctant to get too far down a rabbit hole with that. Or it would be relatively easy to create an intermediate REST API running as an admin which could do this, but ideally I want to avoid custom external code.

What have others done in this area?


Saviynt Employee

Hi @DanJ 

I couldn't clearly understand what you are looking for, but as per what I understood, if you are using the create/update entitlements API to create/manage entitlements, then please use the AD group management.

Also, as you said, you created a new endpoint (under the same security system). Also, what did you keep as the primary endpoint if it's the same SS and entitlement type? If you manage them as parent and child, then it has to be present in the endpoint filter; if it's two separate security systems, you would need to run different jobs.

If you are not clear enough, please let me know your exact requirement.