09/17/2024 05:28 AM - last edited on 09/17/2024 07:17 AM by Dave
Hi @rushikeshvartak, @NM
We have a similar requirement as this post for creating logical apps from AD and Azure AD.
1. Should we create a separate connection and security system for logical apps, or should we use the main AD security system?
2. Our account name rule is present in the connection for generating a unique DN instead of at the endpoint level. How do we manage this? Do we remove the account name rule from the connection and move it to the endpoint? Or is the endpoint account name rule different from the connection one?
3. We have older AD accounts that do not match our new account name rule. When they request a logical app, will it try to create a new AD account for them? How do we avoid this?
4. How do we make sure only users who already have an AD account can request logical apps?
I have gone through this doc, but it does not have anything about the above questions: https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Logical-Active-Directory-Applications.htm
Can you please help me with the above queries?
Regards,
Abhay Yadav
[This post has been edited by a Moderator to move to its own thread.]
09/17/2024 05:35 AM
09/17/2024 08:31 AM
@Abhay_Yadav, what I will suggest is to use a separate connection, SS and endpoint.
09/17/2024 09:35 AM
Hi @NM,
Thanks. I'm still not sure if the AD connection account name rule can be moved to the endpoint level, as it is used for DN generation and has to check uniqueness against other AD accounts.
Is the account name rule in the AD connection different from the account name rule in the endpoint?
On recon we are mapping sAMAccountName of AD to the AD account in Saviynt.
Also, another issue would be that the current account name logic we are using for creating the DN does not match the DNs of the accounts that are already present in the system. So, if Saviynt's account name rule could not find any account with that name, will it try to create a new account?
Shouldn't Saviynt just check if the parent account exists and then just add the role to it? Why is it even trying to generate a new account for users who already have an account?
Regards,
Abhay Yadav
09/17/2024 09:54 AM
Hi @Abhay_Yadav, no, you can define the account name in the endpoint as well as in the connection.
As with a logical application we create a separate endpoint, so as per Saviynt, if the account is not present under it, it will try to create one.
09/17/2024 10:00 AM