10/13/2022 10:09 PM
We had a lot of AD groups before Saviynt go-live.
We imported these groups as entitlements.
Also, there are new groups created after Saviynt go-live.
I noticed that when a group is created by Saviynt, it creates a role (Type = Entitlement). After provisioning, it creates an entitlement record.
Now we let the entitlement owner add/remove entitlement owners via "edit existing entitlement", but this doesn't apply any workflow. So we may need to hide this tile and ask the entitlement owner to update the owner using the "Manage Roles" feature, but we are concerned about how we can migrate existing groups for which only entitlement records exist. Is there a way we can migrate these to Roles (Type=Entitlement) as well?
Thanks
10/13/2022 10:22 PM
Or another option is
Is there a way to apply workflow if an entitlement is updated via "Edit existing entitlements"?
10/14/2022 04:27 AM
You can use role import sheet to convert entitlement to role type entitlement
10/14/2022 06:58 AM
I imported one group with CSV in roles, but this role didn't seem linked with the existing entitlement record.
Can you pls give me more detail about the role import sheet?
10/14/2022 06:49 AM - edited 10/14/2022 07:44 AM
Hello @ejeong,
The "legacy" groups from AD, if they are active, should show up under Manage Roles. Once you click on them, the role object is dynamically created.
What is the exact Saviynt SP3.X version that you are on?
10/14/2022 06:57 AM
We are on 3.11 but I don't see them under roles. Is there any configuration required for this?
10/14/2022 07:43 AM - edited 10/14/2022 07:44 AM
No, there isn't any specific configuration. Are you only able to see the Saviynt-created groups under the Manage Roles (Manage AD Groups) tile?
As long as the AD Groups are active and the endpoint is set up for Group Management, they should show up. The version you are on should support this, as this functionality, or rather support for existing AD Groups for Group Management, was introduced sometime in late 2019/2020.
10/14/2022 07:47 AM
I can see only groups created by Saviynt via Manage Roles.. not groups that existed in AD before we had Saviynt. Old groups are in entitlements only..
10/14/2022 08:18 AM
Something doesn't look right. Ideally, this is how it is supposed to look.
The ones with the delete icon are the ones which are created from Saviynt or have the Role Object present. Legacy Groups show up as the third option; on clicking the edit button, it dynamically creates the Role Object, and then if you re-visit the above page, it should now have the delete icon.
Maybe you can try and use the API to see if this functionality is working from the APIs?
For a legacy Group, see if you are able to send an update request and, if that is successful, whether it shows up in the UI under Manage Roles?
API : {{url}}/ECM/api/v5/createrequest
Request Payload :
{
"rolename":"CN=XYX,...,DC=com",
"accesstype": "roles",
"roletype": "ADGroup",
"requesttype": "update",
"requestor": "<<UserName>>",
"entitlementtype": "MemberOf",
"endpoint": "<<EP_Name>>",
"securitysystem": "<<SS_Name>>",
"description": "Updating the description from API"
}
10/14/2022 07:11 PM
You were correct.
I tried to search the roles under Admin -> Roles... and I couldn't see anything, so I considered this wouldn't be visible in "Manage Roles".
But actually, all groups were available as roles in Manage Roles. So, I think we can hide the "Manage Entitlement" tile from End Users.
One more question:
Let's say we have a workflow for Roles in Global Config and we have another workflow under Entitlement type.
If we edit AD groups via Manage Roles - memberOf, does it automatically trigger the workflow under the entitlement type? Or should we use only the workflow in Global Config?
Please confirm..