There is a limitation in Saviynt, as described in this forum entry: Solved: AD ENDPOINT FILTER for different entitlement types - Saviynt Forums - 28469
Basically, when you have an AD endpoint, you might want to allocate different AD group child entitlements into different entitlement types. This grants you all the options in the entitlement type tab like different selector options (e.g. table, dropdown), different descriptions, different filter settings based on dynamic attributes, etc. I have tried to circumvent this problem by modifying the endpoint filter JSON like below:
However, this does not work. It merely deactivates your entitlement.
I found a potential workaround, but it comes with another problem, so I am asking in the forum if anyone knows a solution or has a vague idea. I created separate entitlement types on the endpoint manually in Saviynt and then created pro-forma entitlements under the endpoint and entitlement type. These pro-forma entitlements map to the actual parent entitlements, which are the REAL AD groups. Doing it that way actually works. However, it creates two add access tasks: one for the AD group and one for the pro-forma entitlement. Since the pro-forma entitlement is under security system Active Directory, it tries to provision it to AD even though this cannot work. Hence, the end user receives the correct AD group 🙂 but their request history shows an error for the pro-forma entitlement, which confuses the user into thinking that their request failed.
Is it somehow possible to avoid having an add access task created for these pro-forma entitlements?
I would also appreciate hearing whether you think there are other, better workarounds. I guess this limitation is causing problems in other companies as well.