09/06/2024 04:01 AM
Hello,
We use Azure as a single IdP, and all applications use SAML federation with Azure to manage our authentication.
Therefore, to be granted access to an application, for instance Slack, a user in Saviynt will need both the Slack entitlement (for example an Admin role) and an Azure entitlement corresponding to the Azure application providing the federation to Slack.
We do not want our end users to have to request the Azure entitlements manually so we plan to use entitlement maps to automatically provision and deprovision access to the Azure application:
For instance, say we have two entitlements for Slack, User & Admin
For both entitlements we can add an entitlement map to the Slack Azure application entitlement, so that whenever a user requests the User or Admin role, the Slack Azure application entitlement will be automatically requested.
However, there is an issue with access removal with this model:
If a user has both the User and Admin roles, and for some reason we want to remove the Admin role,
the entitlement map will also create a remove access task for the Slack Azure application entitlement: in the end, the user will still have the User role but not the Azure entitlement and won't be able to SSO to Slack.
What would be the best solution in this case to avoid this behaviour?
Is it maybe possible to link an external entitlement to the endpoint/account level, so that whenever a user has an account in an endpoint, he is guaranteed to have that entitlement on another endpoint?
Thanks
09/06/2024 04:07 AM - edited 09/06/2024 04:11 AM
@ArW ,
You can use Entitlement with new account for this use case.
With the solution you have, you need to maintain an entitlement map for all entitlements. But with the above, if a user is requesting app access for the first time, they will be added to the SSO group with the account request (whatever access they request with it).
The issue of removal that you are facing with the map will also not occur in this case. This is how we have configured it. For removal, you can use analytics when the account is deleted from / removed from the target, or use rules: when a user leaves, remove SSO groups and other accounts and accesses.
09/06/2024 04:08 AM
Hi @ArW, 2 options:
1) you can use the entitlement with new account feature, which will assign access as soon as a person requests an account on that endpoint.
2) disable the remove ent checkbox, which will not create the task, and then remove the entitlement via analytics when the account gets deleted in the Slack endpoint.
09/06/2024 04:18 AM
Hello @Amit_Malik @NM
Thank you for your reply, the entitlement with new account feature seems indeed to match exactly our use case!
I have two questions regarding this feature
09/06/2024 04:31 AM
Below links have sample queries on creating add access task via analytics
https://forums.saviynt.com/t5/identity-governance/add-access-actionable-analytics/m-p/66629#M41590
09/06/2024 04:20 AM
@ArW ,
Yes, same case with entitlement with new account: it will create an add access task.
2) For existing users you can run a one-time analytics which will add all the users to the group via add access tasks.
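To make the removal problem from the question and the analytics-based reconciliation from the answers concrete, here is an added example. It is not Saviynt code and not from any poster; it is a constructed in-memory model in which the entitlement names (`Slack:User`, `Slack:Admin`, `Azure:App-Slack`), the user names and the population are all assumed. It contrasts the entitlement-map cascade (removing one role also removes the SSO entitlement) with an account-level dependency that keeps the SSO entitlement while any Slack role remains, and it includes a reconciliation pass of the kind a one-time or scheduled analytics control would perform: add-access tasks for users who hold a Slack role without the federating app assignment, and remove-access tasks for users who hold the assignment with no Slack role left.

```python
"""Constructed model of the dependency between Slack roles and the Azure app
assignment that provides the SAML federation. Not Saviynt code; all names
and sample data are constructed for illustration."""
from dataclasses import dataclass, field

SLACK_ROLES = {"Slack:User", "Slack:Admin"}   # constructed Slack role names
AZURE_SSO = "Azure:App-Slack"                 # constructed: the federating Azure app entitlement


@dataclass
class User:
    name: str
    entitlements: set[str] = field(default_factory=set)
    tasks: list[tuple[str, str]] = field(default_factory=list)  # provisioning tasks, in order


def map_grant(user: User, role: str) -> None:
    """Entitlement-map behaviour: requesting a Slack role also requests the SSO entitlement."""
    for ent in (role, AZURE_SSO):
        if ent not in user.entitlements:
            user.entitlements.add(ent)
            user.tasks.append(("add", ent))


def map_revoke(user: User, role: str) -> None:
    """Entitlement-map removal as the question describes: the map fires a remove task
    for the mapped SSO entitlement even though another Slack role may still need it."""
    for ent in (role, AZURE_SSO):
        if ent in user.entitlements:
            user.entitlements.discard(ent)
            user.tasks.append(("remove", ent))


def account_revoke(user: User, role: str) -> None:
    """Account-level dependency: the SSO entitlement is kept while any Slack role
    (i.e. the Slack account) remains and removed only when the last one goes."""
    if role in user.entitlements:
        user.entitlements.discard(role)
        user.tasks.append(("remove", role))
    if not (user.entitlements & SLACK_ROLES) and AZURE_SSO in user.entitlements:
        user.entitlements.discard(AZURE_SSO)
        user.tasks.append(("remove", AZURE_SSO))


def can_sso(user: User) -> bool:
    """Sign-in to Slack needs both a Slack role and the Azure app assignment."""
    return bool(user.entitlements & SLACK_ROLES) and AZURE_SSO in user.entitlements


def reconcile(users: list[User]) -> list[tuple[str, str, str]]:
    """Analytics-style control over the population: add-access tasks for users with a
    Slack role but no SSO entitlement (broken SSO) and remove-access tasks for users
    with the SSO entitlement but no Slack role (stale access)."""
    findings = []
    for u in sorted(users, key=lambda x: x.name):
        has_role = bool(u.entitlements & SLACK_ROLES)
        has_sso = AZURE_SSO in u.entitlements
        if has_role and not has_sso:
            findings.append((u.name, "add", AZURE_SSO))
        elif has_sso and not has_role:
            findings.append((u.name, "remove", AZURE_SSO))
    return findings


def scenario(revoke, name: str) -> User:
    """The thread's scenario: User and Admin granted, then Admin removed."""
    u = User(name)
    map_grant(u, "Slack:User")
    map_grant(u, "Slack:Admin")
    revoke(u, "Slack:Admin")
    return u


if __name__ == "__main__":
    broken = scenario(map_revoke, "alice")
    fixed = scenario(account_revoke, "carol")
    print("entitlement map:", sorted(broken.entitlements), "can SSO:", can_sso(broken))
    print("account linkage:", sorted(fixed.entitlements), "can SSO:", can_sso(fixed))
    stale = User("bob", {AZURE_SSO})  # constructed: left Slack but still holds the app assignment
    print("reconcile:", reconcile([broken, fixed, stale]))
```

Running the block shows alice keeping `Slack:User` but losing `Azure:App-Slack` under the map model (SSO broken), carol keeping both under the account-level model, and the reconciliation pass emitting one add task for alice and one remove task for bob. The `tasks` list on each user is the audit trail a reviewer would compare against the provisioning tasks actually created.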
09/06/2024 04:28 AM
Ok thanks a lot for your reply!