Saviynt Forums

ejeong · ‎10/13/2022

We had a lot AD groups before Saviynt go-live

we imported these groups as entitlements.

Also there are new groups created after saviynt go-live.

I noticed that when group is created by Saviynt, it's creating role (Type = Entitlement). After provisioning, it's creating entitlement record.

Now we let entitlement owner add/remove entitlement owner via "edit existing entititlement" but this doesn't apply any workflow. So, we may need to hide this tile and ask entitlement owner to update owner using "Manage Roles" feature but we are concerning how we can migrate existing group that only entitlement records are only existing. Is there a way we can migrate this to Roles (Type=Entitlement) as well?

Thanks

ejeong · ‎10/13/2022

Or another option is

Is there a way to apply workflow if entitlement is updated via "Edit exsiting entitlements"?

rushikeshvartak · ‎10/14/2022

You can use role import sheet to convert entitlement to role type entitlement

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

ejeong · ‎10/14/2022

I imported one group with csv in roles but this role didnt seem linked with existing entitlement record.

Can you pls give me more detail about role import sheet?

avinashchhetri · ‎10/14/2022

Hello @ejeong,

The "legacy" groups from AD, if they are active, should show up under Manage Roles. Once you click on them, the role object is dynamically created.

What is the exact Saviynt SP3.X version that you are on ?

Regards,
Avinash Chhetri

ejeong · ‎10/14/2022

We are on 3.11 but i dont see them under roles. Is there any configuration required for this?

avinashchhetri · ‎10/14/2022

@ejeong,

No, There isnt any specific configurations. Are you only able to see the Saviynt created Groups under Manager Roles (Manage AD Groups) tile ?

As long as the AD Groups are active and the endpoint set up for Group Management, they should show up. The version you are on should support this as this functionality or rather support for existing AD Groups for Group Management was introduced sometime in late 2019/2020.

Regards,
Avinash Chhetri

ejeong · ‎10/14/2022

I can see only group created by Saviynt via manage roles.. not group existed in AD before ww have Saviynt. Old groups are in entitlements only..

avinashchhetri · ‎10/14/2022

@ejeong,

Something doesn't look right, Ideally, this is how it is supposed to look like.

The ones with the delete icon are the one which are created from Saviynt or have the Role Object present. Legacy Groups shows up as the third option, on clicking the edit button, it dynamically creates the Role Object and then if you re-visit the above page, it should now have the delete icon.

Maybe you can try and use the API to see if this functionality is working from API's ?

For a legacy Group, see if you are able to send an update request and if that is successful, does it show up in the UI under Manage Roles ?

API : {{url}}/ECM/api/v5/createrequest

Request Payload :

{
"rolename":"CN=XYX,...,DC=com",
"accesstype": "roles",
"roletype": "ADGroup",
"requesttype": "update",
"requestor": "<<UserName>>",
"entitlementtype": "MemberOf",
"endpoint": "<<EP_Name>>",
"securitysystem": "<<SS_Name>>",
"description": "Updating the description from API"
}

Regards,
Avinash Chhetri

ejeong · ‎10/14/2022

You were correct.

I tried to search the roles under Admin -> Roles... and I couldnt see anything so I considered this won't be visible in "Manage Roles"

But actually, all groups were available as role in Manage Roles. So, I think we can hide "Manage Entitlement" Tile from End Users.

One another question,

Let's say we have workflow for Roles in Global Config and we have another worklfow under Entitlement type.

If we edited AD groups via Manage Roles - memberOf then is it automatically triggering workflow under entitlement type? Or should we use only workflow in Global Config only?

Please confirm..

Saviynt Forums

Entitlement Onwer Update Workflow