
Logical Active Directory Applications

wizzy
New Contributor III

 

Hello,

 

We have Active Directory currently connected to Saviynt. This Active Directory has all the application entitlements (OU, Group, etc.). We want to create an application widget in the request access portal for each of these application entitlements in AD. How do I create the application and assign the entitlements to each application? Please advise, thank you.

 

 

12 REPLIES

rushikeshvartak
All-Star

Use the endpoint filters functionality.

Specify this parameter to specifically filter and associate endpoints (applications) to an Active Directory account after the account is imported. On filtering applications, you can run operations such as creating campaigns, configuring analytics, or raising access requests for providing authorization and privileges only for specific applications and not all the applications. If the application does not exist in EIC, an endpoint is automatically created under the security system to represent it. This parameter is used in conjunction with the Referenced Account parameter on the Account details page.

For example, an Active Directory security system exists in EIC, and three other applications, ServiceNow, Slack, and Zendesk, that use Active Directory are present in the target system. If you want to provide authorization and privileges only to ServiceNow, specify ServiceNow as an endpoint filter and the ServiceNow endpoint is automatically created under the Active Directory security system. The child accounts of ServiceNow are linked to their parent account in Active Directory in the "<Accountname> (AccountKey)" format in the Referenced Account parameter on the Account details page.

Example 1: Import users belonging to an application named App1_Child_Endpoint.

JSON
{
  "App1_Child_Endpoint": [
    {
      "memberOf": [
        "CN=ADGroup15,DC=sav,DC=com",
        "CN=ADGroup12,DC=sav,DC=com",
        "CN=ADGroup16,DC=sav,DC=com"
      ]
    }
  ]
}
 

Example 2: Import users belonging to applications named Sampletest AD Application and Jira AD Application.

You can also use wildcards in the user name for importing users. For example, if you specify ACL_Okta_% in the CN attribute, EIC imports all the users whose name starts with ACL_Okta.

JSON
{
  "Sampletest AD Application": [
    {
      "memberOf": [
        "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
      ]
    }
  ],
  "Jira AD Application": [
    {
      "memberOf": [
        "CN=ACL_Jira_All Menu Pages - Administrators,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local",
        "CN=ACL_Jira_All Menu Pages - Developers,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local",
        "CN=ACL_Jira_All Menu Pages - Users,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local",
        "CN=ACL_Jira_API_Developers,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local"
      ]
    }
  ]
}
 

Example 3: Import accounts from servers.

Syntax:

JSON
{
  "Sharepoint Server": [
    {
      "memberOf": [
        "%OU=EPO,OU=ManagedSystem,OU=Client,DC=SAV,DC=POC,DC=SAVADMIN,DC=com"
      ]
    }
  ]
}

 

https://docs.saviyntcloud.com/bundle/AD-v24x/page/Content/Advanced-Configuration-for-AD-Application-...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
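
A way to sanity-check an endpoint filter before pasting it into the connection, as an added example (not from the original post or from Saviynt): it validates the JSON shape used in the examples above and lists which group DNs each memberOf pattern would select. The % handling (any run of characters, case-insensitive) and the sample filter and group DNs are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample: a filter in the shape of the examples above, plus an
# invented list of group DNs standing in for what the directory holds.
ENDPOINTS_FILTER = """{
  "Sampletest AD Application": [{"memberOf": [
    "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"]}],
  "Jira AD Application": [{"memberOf": [
    "CN=ACL_Jira_API_Developers,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local",
    "CN=ACL_Jira_Typo,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local"]}]
}"""
SAMPLE_GROUP_DNS = [
    "CN=ACL_Okta_Admins,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local",
    "CN=ACL_Okta_Users,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local",
    "CN=ACL_Jira_API_Developers,OU=Atlassian,OU=Resources,OU=gh,DC=test,DC=local",
]

def pattern_to_regex(pattern):
    # Assumption: '%' matches any run of characters; everything else is literal.
    parts = (re.escape(p) for p in pattern.split("%"))
    return re.compile(".*".join(parts), re.IGNORECASE)

def check_filter(filter_json, group_dns):
    """Return (endpoint -> matched DNs, list of (endpoint, pattern) with no match)."""
    config = json.loads(filter_json)  # malformed JSON raises ValueError
    if not isinstance(config, dict):
        raise ValueError("top level must be an object keyed by endpoint name")
    matched, unmatched = {}, []
    for endpoint, rules in config.items():
        if not isinstance(rules, list):
            raise ValueError(f"{endpoint}: value must be a list of rule objects")
        matched[endpoint] = []
        for rule in rules:
            patterns = rule.get("memberOf") if isinstance(rule, dict) else None
            if not isinstance(patterns, list):
                raise ValueError(f"{endpoint}: each rule needs a 'memberOf' list")
            for pat in patterns:
                hits = [dn for dn in group_dns if pattern_to_regex(pat).fullmatch(dn)]
                matched[endpoint] += [h for h in hits if h not in matched[endpoint]]
                if not hits:
                    unmatched.append((endpoint, pat))  # likely a typo in the DN
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = check_filter(ENDPOINTS_FILTER, SAMPLE_GROUP_DNS)
    print(matched, unmatched, sep="\n")
```

A pattern that matches nothing usually means a mistyped DN, and a wildcard that matches more groups than intended widens what the endpoint exposes for request.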

@rushikeshvartak 

How do I create the endpoint filter functionality? Is it by creating a new Application from application onboarding as shown here?

From the screenshot below: Where do I create System Name? What is the Organization?

fLogic_app.PNG

Create Application using standard process 


Regards,
Rushikesh Vartak

@rushikeshvartak 

So I created the App: Advice_calc through the Security system as you advised, and I selected the AD where the App entitlements are in the connection box. See the screenshot for the Security system settings. Where do I add the App entitlement in this setting, as you stated here:

{
  "App1_Child_Endpoint": [
    {
      "memberOf": [
        "CN=ADGroup15,DC=sav,DC=com",
        "CN=ADGroup12,DC=sav,DC=com",
        "CN=ADGroup16,DC=sav,DC=com"
      ]
    }
  ]
}
logic_App_created.PNG

 

It should be in the connection - endpoint filter block.


Regards,
Rushikesh Vartak

Hello @rushikeshvartak 

When creating another connection to the AD, in the Endpoint filter box: please see the attached screenshot and advise if that is the correct Endpoint filter value for the app AnsibleTower. As you can see, it has two OUs and one DC. I made the CN each app entitlement role. Please advise if this is the correct mapping and I will do the same for the other apps and groups as shown in the Groups OU here:

AD_Apps_Entitlement_Filter.PNG

[This message has been edited by moderator to mask url]

It's the correct config.


Regards,
Rushikesh Vartak

Hello @rushikeshvartak 

Thank you for confirming. I inserted the endpoint filter as shown above, but the connection was failing and I wanted to check with you to see if you have an idea why. Do I need to fill the search filter box too, or just the endpoint filter?

error_testing_connection.PNG

Fix your connection issue and check the logs.


Regards,
Rushikesh Vartak

Hello @rushikeshvartak 

I was able to fix the connection. I didn't create a new connection; instead I used one of the existing AD connections and just added the Endpoint filters. While creating an AD Logical Application: FieldShare. The App is showing in Saviynt when requesting it and in the security system Endpoint. But the App entitlements are not showing. See the screenshots. Please advise.

Entitlement_type2.PNG
Entitlement2.PNG

[This message has been edited by moderator to mask company name]

👍Please click the 'Accept As Solution' button on the reply (or replies) that best answered your original question.


Regards,
Rushikesh Vartak

wizzy
New Contributor III

Hello @rushikeshvartak 

 

Is this the same as this: Logical Active Directory Applications (saviyntcloud.com)? If yes, can you show me with a screenshot how to create the application from steps 1 through 5? Thank you