Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Exclude entitlements from out of band access detection

Go to solution
abm15
New Contributor III
New Contributor III

‎01/30/2024 07:28 AM

Hi,

Is it achievable to filter which entitlements are included in out of band access detection?

For example, I want to enable Out of Band Access Detection for Active Directory. An end user may request for a particular AD entitlement (Entitlement A). Saviynt will provision Entitlement A to the user's AD account.

However, I have an external script that picks up users in Entitlement A, performs some action, then removes the users from Entitlement A. In this case, Saviynt does not perform the remove access. The next time Saviynt reconciles from AD and detects the user was removed from Entitlement A, it will create a task to add Entitlement A back to the user because I have selected "Deprovision Access And Re-create Access Request" as the Action for Out of Band Access Detection on the AD endpoint.

I want this action to be taken during out of band access detection on all entitlements except Entitlement A.

Is it achievable to add an entitlement filter, or something similar, to out of band access detection?

Thanks.

0 Kudos
7 REPLIES 7

Go to solution
rushikeshvartak
All-Star
All-Star

‎01/30/2024 07:38 AM

Below are option

  • You can create custom analytics report
  • You can auto reject request if request is raised for such entitlement and source is via outofband ( some identifier) should be there

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Go to solution
abm15
New Contributor III
New Contributor III
In response to rushikeshvartak

‎01/30/2024 08:11 AM

Thanks Rushikesh,

I have a few follow up questions to the options you provided.

  • You can create custom analytics report

How would I configure a custom analytics report to achieve this goal? Is this actionable analytics? If so, what action would I take?

  • You can auto reject request if request is raised for such entitlement and source is via outofband ( some identifier) should be there

Would this be configured as an approval workflow tagged to the Security System?

0 Kudos

Go to solution
AmitM
Valued Contributor
Valued Contributor
In response to abm15

‎02/13/2024 09:42 AM

HI @abm15 , you just create a replica of OOB analytic report --> Use same settings as original --> In SQL query add one more condition to exclude entitlement A --> Schedule analytic daily (frequency that you need).

You don't need to do anything in my opinion if I have understood your query. Your analytic will not pick this entitlement at all.

Now, if you wants the entitlement to be requested ONLY ONCE. And after your script removed and you don't want user to request again. Can be handled by Config for Requestable Entitlement in ARS, you can either use a dynamic attribute to check if user had requested this before and use that dynamic attribute in Config for Requestable Entitlement in ARS. 

Or you could also use workflow rejection as suggested in above post. I think the question i syou want to requested ONCE only or not. If not then just a new cloned analytic report with exclusion will work.

Thanks,

Amit

Go to solution
abm15
New Contributor III
New Contributor III
In response to AmitM

‎02/13/2024 12:38 PM

Thanks Amit,

Are you recommending to use analytics for the out of band access configuration? And not the endpoint config "Action for Out of Band Access Detection"?

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to abm15

‎02/13/2024 12:58 PM

If you need custom configuration then use custom analytics report such as exclude certain entitlement 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to abm15

‎02/13/2024 01:00 PM

I have a few follow up questions to the options you provided.

  • You can create custom analytics report

How would I configure a custom analytics report to achieve this goal? Is this actionable analytics? If so, what action would I take?

you can take Deprovision access action from analytics not create task https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter17-EIC-Analytics/Managing-An...

  • You can auto reject request if request is raised for such entitlement and source is via outofband ( some identifier) should be there

Would this be configured as an approval workflow tagged to the Security System?

Yes


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Go to solution
abm15
New Contributor III
New Contributor III
In response to rushikeshvartak

‎02/13/2024 09:12 AM

Hi Rushikesh,

Can you please share more detail on how to achieve this?

Thanks.

0 Kudos
Copyright © 2024 Khoros, LLC