Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Exclude entitlements from out of band access detection

abm15
New Contributor III
New Contributor III

Hi,

Is it achievable to filter which entitlements are included in out of band access detection?

For example, I want to enable Out of Band Access Detection for Active Directory. An end user may request for a particular AD entitlement (Entitlement A). Saviynt will provision Entitlement A to the user's AD account.

However, I have an external script that picks up users in Entitlement A, performs some action, then removes the users from Entitlement A. In this case, Saviynt does not perform the remove access. The next time Saviynt reconciles from AD and detects the user was removed from Entitlement A, it will create a task to add Entitlement A back to the user because I have selected "Deprovision Access And Re-create Access Request" as the Action for Out of Band Access Detection on the AD endpoint.

I want this action to be taken during out of band access detection on all entitlements except Entitlement A.

Is it achievable to add an entitlement filter, or something similar, to out of band access detection?

Thanks.

7 REPLIES 7

rushikeshvartak
All-Star
All-Star

Below are option

  • You can create custom analytics report
  • You can auto reject request if request is raised for such entitlement and source is via outofband ( some identifier) should be there

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Thanks Rushikesh,

I have a few follow up questions to the options you provided.

  • You can create custom analytics report

How would I configure a custom analytics report to achieve this goal? Is this actionable analytics? If so, what action would I take?

  • You can auto reject request if request is raised for such entitlement and source is via outofband ( some identifier) should be there

Would this be configured as an approval workflow tagged to the Security System?

Amit_Malik
Valued Contributor II
Valued Contributor II

HI @abm15 , you just create a replica of OOB analytic report --> Use same settings as original --> In SQL query add one more condition to exclude entitlement A --> Schedule analytic daily (frequency that you need).

You don't need to do anything in my opinion if I have understood your query. Your analytic will not pick this entitlement at all.

Now, if you wants the entitlement to be requested ONLY ONCE. And after your script removed and you don't want user to request again. Can be handled by Config for Requestable Entitlement in ARS, you can either use a dynamic attribute to check if user had requested this before and use that dynamic attribute in Config for Requestable Entitlement in ARS. 

Or you could also use workflow rejection as suggested in above post. I think the question i syou want to requested ONCE only or not. If not then just a new cloned analytic report with exclusion will work.

Thanks,

Amit

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

abm15
New Contributor III
New Contributor III

Thanks Amit,

Are you recommending to use analytics for the out of band access configuration? And not the endpoint config "Action for Out of Band Access Detection"?

If you need custom configuration then use custom analytics report such as exclude certain entitlement 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

I have a few follow up questions to the options you provided.

  • You can create custom analytics report

How would I configure a custom analytics report to achieve this goal? Is this actionable analytics? If so, what action would I take?

you can take Deprovision access action from analytics not create task https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter17-EIC-Analytics/Managing-An...

  • You can auto reject request if request is raised for such entitlement and source is via outofband ( some identifier) should be there

Would this be configured as an approval workflow tagged to the Security System?

Yes


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi Rushikesh,

Can you please share more detail on how to achieve this?

Thanks.