01/30/2024 07:28 AM
Hi,
Is it achievable to filter which entitlements are included in out of band access detection?
For example, I want to enable Out of Band Access Detection for Active Directory. An end user may request a particular AD entitlement (Entitlement A). Saviynt will provision Entitlement A to the user's AD account.
However, I have an external script that picks up users in Entitlement A, performs some action, then removes the users from Entitlement A. In this case, Saviynt does not perform the remove access. The next time Saviynt reconciles from AD and detects the user was removed from Entitlement A, it will create a task to add Entitlement A back to the user because I have selected "Deprovision Access And Re-create Access Request" as the Action for Out of Band Access Detection on the AD endpoint.
I want this action to be taken during out of band access detection on all entitlements except Entitlement A.
Is it achievable to add an entitlement filter, or something similar, to out of band access detection?
Thanks.
01/30/2024 07:38 AM
Below are options
01/30/2024 08:11 AM
Thanks Rushikesh,
I have a few follow up questions to the options you provided.
How would I configure a custom analytics report to achieve this goal? Is this actionable analytics? If so, what action would I take?
Would this be configured as an approval workflow tagged to the Security System?
02/13/2024 09:42 AM
Hi @abm15, you just create a replica of the OOB analytic report --> Use the same settings as the original --> In the SQL query, add one more condition to exclude Entitlement A --> Schedule the analytic daily (frequency that you need).
You don't need to do anything, in my opinion, if I have understood your query. Your analytic will not pick this entitlement at all.
Now, if you want the entitlement to be requested ONLY ONCE, and after your script has removed it you don't want the user to request it again, this can be handled by Config for Requestable Entitlement in ARS: you can either use a dynamic attribute to check if the user had requested this before and use that dynamic attribute in Config for Requestable Entitlement in ARS.
Or you could also use workflow rejection as suggested in the above post. I think the question is whether you want it to be requested ONCE only or not. If not, then just a new cloned analytic report with the exclusion will work.
Thanks,
Amit
02/13/2024 12:38 PM
Thanks Amit,
Are you recommending to use analytics for the out of band access configuration? And not the endpoint config "Action for Out of Band Access Detection"?
02/13/2024 12:58 PM
If you need a custom configuration, then use a custom analytics report, such as one to exclude a certain entitlement.
02/13/2024 01:00 PM
I have a few follow up questions to the options you provided.
How would I configure a custom analytics report to achieve this goal? Is this actionable analytics? If so, what action would I take?
You can take the Deprovision Access action from analytics, not create a task: https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter17-EIC-Analytics/Managing-An...
Would this be configured as an approval workflow tagged to the Security System?
Yes
02/13/2024 09:12 AM
Hi Rushikesh,
Can you please share more detail on how to achieve this?
Thanks.