and more in a single search tool across platforms. Read the announcement here. |
03/26/2024 07:37 AM
We notice that Saviynt users can Modify Access on an AD Endpoint and see the current group membership (entitlements) while other users that are also part of the same AD groups do not see their current group membership when using the Modify Access option.
Unless I misunderstand something, I think this is cause by the fact that we can see Accounts on the AD child Endpoint Entitlements when accesses are granted from Saviynt ARS while accesses that were granted outside Saviynt (directly in AD from before that applications were integrated) and imported are not showing on the AD child Endpoint Entitlement but only on the parent AD endpoint.
Is there a way to import accounts and/or accesses or something else that can be done to “sync” the parent AD Entitlements accounts with the child ones that get associated to AD Endpoints from the filters on the connection?
Example:
Thank you for the help.
03/26/2024 08:38 PM
Currently its not supported
Refer https://ideas.saviynt.com/ideas/EIC-I-3938
03/27/2024 12:27 PM - edited 03/27/2024 12:29 PM
Hi Rushikesh,
Thank you for the reply. We found out that the performGroupAccountLinking can be configured to TRUE on the groupimportmapping section of the AD connector to achieve what we were trying to do.
Configuring the Integration for Importing Accounts and Access (saviyntcloud.com)
This is what we were looking for. After enabling this option and running import jobs again the child endpoind entitlements were updated as expected.
We ran into the Data inconsistency error described here and worked to the suggested solution to get back into business but the end results is looking good as far as I can see for now.
It would be nice to be able to change a setting like this on the AD connection without breaking all AD Endpoints, even temporarily...
Access request form is not loading with "Data inco... - Saviynt Forums - 55885
Regards,