
Creating logical apps from AD and Azure AD.

Abhay_Yadav
New Contributor II

Hi @rushikeshvartak, @NM

We have a similar requirement as this post for creating logical apps from AD and Azure AD.

1. Should we create a separate connection and security system for logical apps, or should we use the main AD security system?

2. Our account name rule is present in the connection for generating a unique DN, instead of at the endpoint level. How do we manage this? Do we remove the account name rule from the connection and move it to the endpoint? Or is the endpoint account name rule different from the connection one?

3. We have older AD accounts that do not match our new account name rule. When those users request a logical app, will it try to create a new AD account for them? How do we avoid this?

4. How do we make sure that only users who already have an AD account can request logical apps?

I have gone through this doc, but it does not have anything about the above questions: https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Logical-Active-Directory-Applications.htm

Can you please help me with the above queries?

Regards,

Abhay Yadav

[This post has been edited by a Moderator to move to its own thread.]


rushikeshvartak
All-Star
  • Use the same connection for logical apps
  • Move it to the endpoint level
  • If the account exists, the logical app reuses the existing account
  • You can use an access query to add restrictions

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

NM
Honored Contributor II

@Abhay_Yadav what I would suggest is to use a separate connection, security system (SS) and endpoint.

Abhay_Yadav
New Contributor II

Hi @NM,

Thanks. I'm still not sure whether the AD connection account name rule can be moved to the endpoint level, as it is used for DN generation and has to check uniqueness against other AD accounts.

Is the account name rule in the AD connection different from the account name rule in the endpoint?

On recon we are mapping the samAccountName from AD to the AD account in Saviynt.

Also, another issue is that the current account name logic we use for creating the DN does not match the DNs of the accounts that are already present in the system. So, if Saviynt's account name rule cannot find any account with that name, will it try to create a new account?

Shouldn't Saviynt just check whether the parent account exists and then add the role to it? Why is it even trying to generate a new account for users who already have an account?


Regards,

Abhay Yadav

NM
Honored Contributor II

Hi @Abhay_Yadav, no, you can define the account name in the endpoint as well as in the connection.

With a logical application we create a separate endpoint, so as per Saviynt, if the account is not present under that endpoint, it will try to create one.

  • You can keep the account name as the username and save the DN in the account ID

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
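To make the two answers in this thread concrete (reuse the existing account and restrict requests with an access query; keep the account name as the username and the DN in the account ID), here is a small Python model added to this thread. It is not Saviynt product code and not an account name rule from the original posts: the rule (first initial plus last name), the base DN, the users and the legacy account are all constructed assumptions. It contrasts a lookup by the rule-generated name, which misses a legacy account and provisions a duplicate, with a lookup through the correlation recon established between user and account, guarded by an eligibility check of the kind an access query expresses.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class User:
    username: str
    firstname: str
    lastname: str


@dataclass
class Account:
    name: str                  # samAccountName; recon maps this to the Saviynt account name
    dn: str                    # distinguished name; kept in the account ID field as NM suggests
    owner: str                 # username the account was correlated to at recon
    roles: Set[str] = field(default_factory=set)


BASE_DN = "OU=Users,DC=example,DC=com"   # constructed base DN, not from the thread


def account_name_rule(user: User) -> str:
    """Hypothetical account name rule: first initial + last name, lower case."""
    return f"{user.firstname[0]}{user.lastname}".lower()


class Directory:
    """Tiny stand-in for the AD target plus the reconciled account table."""

    def __init__(self) -> None:
        self.by_name: Dict[str, Account] = {}
        self.by_owner: Dict[str, Account] = {}

    def add(self, account: Account) -> None:
        self.by_name[account.name] = account
        # keep the first correlated account so a duplicate never silently replaces the original
        self.by_owner.setdefault(account.owner, account)

    def unique_dn(self, name: str) -> str:
        """Connection-level uniqueness check: add a numeric suffix until the DN is free."""
        taken = {a.dn for a in self.by_name.values()}
        dn, n = f"CN={name},{BASE_DN}", 1
        while dn in taken:
            n += 1
            dn = f"CN={name}{n},{BASE_DN}"
        return dn

    def provision(self, user: User) -> Account:
        name = account_name_rule(user)
        account = Account(name, self.unique_dn(name), user.username)
        self.add(account)
        return account


def has_ad_account(directory: Directory, user: User) -> bool:
    """Eligibility check an access query would express: only users already correlated to an AD account."""
    return user.username in directory.by_owner


def request_by_rule(directory: Directory, user: User, role: str) -> Tuple[str, Account]:
    """The behaviour the question worries about: look the account up by the rule-generated name.
    A legacy account named under an older rule is missed and a second account is created."""
    account = directory.by_name.get(account_name_rule(user))
    outcome = "reused"
    if account is None:
        account = directory.provision(user)
        outcome = "created"
    account.roles.add(role)
    return outcome, account


def request_by_owner(directory: Directory, user: User, role: str) -> Tuple[str, Account]:
    """Reuse whatever account recon correlated to the user, whatever it is named;
    users with no account are refused instead of being provisioned."""
    if not has_ad_account(directory, user):
        raise PermissionError(f"{user.username} has no AD account; logical app is not requestable")
    account = directory.by_owner[user.username]
    account.roles.add(role)
    return "reused", account


def build_sample() -> Tuple[Directory, Dict[str, User]]:
    """Constructed data: one legacy account that predates the current rule, one user with no account."""
    users = {
        "jane": User("jane.doe", "Jane", "Doe"),   # legacy account named doej; the rule would say jdoe
        "sam": User("sam.lee", "Sam", "Lee"),      # no AD account at all
    }
    directory = Directory()
    directory.add(Account("doej", f"CN=doej,{BASE_DN}", "jane.doe"))
    return directory, users


if __name__ == "__main__":
    d, u = build_sample()
    print(request_by_rule(d, u["jane"], "VPN-Users")[0], len(d.by_name))   # created 2 (duplicate)
    d, u = build_sample()
    print(request_by_owner(d, u["jane"], "VPN-Users")[0], len(d.by_name))  # reused 1
```

The second path is the one the answers describe: the logical app never generates a name for a user who already has an account, and the eligibility check keeps users without an AD account from requesting the logical app at all, so no unintended account is provisioned from that endpoint.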