
Does a role stay if an entitlement is removed from AD? Will Saviynt overwrite what is in AD?

johnson
New Contributor

If a user has a role that has three entitlements, and one of the entitlements is removed from AD, will Saviynt remove the role from the user? Or will Saviynt keep the role and just remove the entitlement?

Alternatively, will Saviynt try to overwrite what is in AD and attempt to put that entitlement back? If so, is there any way to prevent Saviynt from overwriting what is in AD?


rushikeshvartak
All-Star

A role is a Saviynt object.

If a user has a role that has three entitlements, and one of the entitlements is removed from AD, will Saviynt remove the role from the user? - Yes, the role will remain even if all/some of the entitlements get removed.

Or will Saviynt keep the role and just remove the entitlement? - The entitlement will be removed if it's removed from AD.

 

Alternatively, will Saviynt try to overwrite what is in AD and attempt to put that entitlement back? If so, is there any way to prevent Saviynt from overwriting what is in AD? - It will not overwrite and add the entitlement back.

 

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Is there anything which can be configured to have the role removed if the user is missing entitlements which are inside of the role?

You can create an analytics report to add the entitlement based on the role the user has.

You can use the OOTB report for reference.

Refer to the role mismatch feature: https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter17-EIC-Analytics/Managing-An...


Regards,
Rushikesh Vartak

I'm reading the Surplus Access portion, but I'm not sure it fits what I'm explicitly asking. I'm wondering if there's a way to remove a role from the user if the user is missing entitlements which are inside of the role? So they have a role and got an entitlement removed, but the role remains. Is there a way to remove the role but keep the remaining entitlements?

You can create analytics with "Deprovision Role" action for removing roles in case of missing access. 

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter17-EIC-Analytics/Managing-An...

 

Deprovision Roles

When Deprovision Role is configured as an allowed action, it removes the role from user profile in EIC. This is applicable for enterprise, application and emergency access roles. When this action is performed on a record, a task is created for removing user access for the entitlements associated with the roles.

The Analytics query must have the columns given below:
userkey - Userkey of the user to whom the account is mapped.
acctKey - Accountkey of the account from which the entitlement access will be revoked.
roleKey - Rolekey of the role from which the entitlement access will be revoked.

Sample query:

SQL
select r.ROLE_NAME,
       u.username as name,
       rua.ROLEKEY as roleKey,
       rua.ACCOUNTKEY as acctKey,
       u.USERKEY as userKey,
       'Deprovision Role' as 'Default_Action_For_Analytics'
from role_user_account rua
join user_accounts ua on ua.ACCOUNTKEY = rua.ACCOUNTKEY
join users u on u.USERKEY = ua.USERKEY
join roles r on r.ROLEKEY = rua.ROLEKEY
where r.STATUS = 1;
 

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
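
The sample query in the reply above returns every active role assignment, so it does not by itself single out users who have lost an entitlement. The following is an added example, not part of the original thread or the Saviynt documentation, that narrows the same query to role assignments where the account is missing at least one entitlement contained in the role. The tables role_entitlements and account_entitlements1 and their column names are assumptions about the schema and should be checked against your environment.

```sql
-- Added example: return only role assignments where the mapped account
-- lacks at least one entitlement that the role contains.
-- Assumed (not shown in the thread):
--   role_entitlements(ROLEKEY, ENTITLEMENT_VALUEKEY)        role -> entitlements
--   account_entitlements1(ACCOUNTKEY, ENTITLEMENT_VALUEKEY) account -> entitlements
select r.ROLE_NAME,
       u.username as name,
       rua.ROLEKEY as roleKey,
       rua.ACCOUNTKEY as acctKey,
       u.USERKEY as userKey,
       'Deprovision Role' as 'Default_Action_For_Analytics'
from role_user_account rua
join user_accounts ua on ua.ACCOUNTKEY = rua.ACCOUNTKEY
join users u on u.USERKEY = ua.USERKEY
join roles r on r.ROLEKEY = rua.ROLEKEY
where r.STATUS = 1
  -- keep the row only if some entitlement of the role ...
  and exists (
        select 1
        from role_entitlements re
        where re.ROLEKEY = rua.ROLEKEY
          -- ... is not currently held by this account
          and not exists (
                select 1
                from account_entitlements1 ae
                where ae.ACCOUNTKEY = rua.ACCOUNTKEY
                  and ae.ENTITLEMENT_VALUEKEY = re.ENTITLEMENT_VALUEKEY
          )
  );
```

If a role contains entitlements from more than one endpoint, every account would appear to be missing the other endpoints' entitlements, so the inner subquery would also need to be limited to entitlements of the account's own endpoint. Run the query as a report without the action first and review the rows, since the documentation quoted above says Deprovision Role creates a task to remove user access for the entitlements associated with the role.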