
Need specific entitlements visible to specific users in the ARS/Request Access Page

gazanjum
Regular Contributor

I am looking for a query to add to the 'Config for Requestable Entitlement in ARS' so that specific entitlements are visible to the requestor based on the user group he/she belongs to. For instance:

First Use case:

  1. user1 logs in to Saviynt and he is part of usergroup1. He goes to Request New Access > Endpoint1.
  2. He should be able to see only Entitlement1 when he clicks 'Add' > 'AzureADGroup'.

Second Use case:

  1. user2 and user3 log in to Saviynt and they are part of usergroup2. They go to Request New Access > Endpoint1 (same).
  2. They should be able to see only Entitlement2 when they click 'Add' > 'AzureADGroup'.

Third Use case:

  1. user1 logs in to Saviynt and he is part of usergroup3. He goes to Request New Access > Endpoint1 (same).
  2. He should be able to see only Entitlement3 when he clicks 'Add' > 'AzureADGroup'.

Users could be part of more than one group and would need to request multiple entitlements.

This visibility of entitlements should correspond to which user groups the user belongs to.


rushikeshvartak
All-Star
  • Follow the approach below:
    • Create a dynamic attribute on the request form; it will show which user group the user is part of.
    • Based on the dynamic attribute selected, configure the entitlement type query.
    • Make sure the group names are stored in the entitlement's custom property.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak Could you please help me with a base query?

usergroup_users is the table and ${user.id} gets the end user; accordingly you can prepare the query.

Regards,
Rushikesh Vartak

Already using this table to achieve use case 1 and use case 2; my issue is use case 3, where the user is part of more than one group.

Then store multiple values in the entitlement custom property and use FIND_IN_SET in the entitlement type query.

Regards,
Rushikesh Vartak

Can you please let me know under which tab we need to add dynamic attributes specifically for users, and help me with the base query used to compare this dynamic attribute to achieve this?

PremMahadikar
All-Star

Hi @gazanjum ,

This should be easy. Try the below:

  1. I have three user groups:
     User group    User group key
     Usergroup1    7
     Usergroup2    8
     Usergroup3    9
  2. I have four users mapped to the below user groups:
     Username       Group Name
     Vikas_test     Usergroup1, Usergroup2, Usergroup3
     Charlie_test   Usergroup3
     Aravind_test   Usergroup1, Usergroup2
     Michael_test   Usergroup2
  3. I have three Azure AD entitlements:
     Entitlement                       CP8
     Azure AD Group1 (Ex: SuperAdmin)  7
     Azure AD Group2 (Ex: ReadOnly)    8
     Azure AD Group3 (Ex: ReadWrite)   9
  4. If 1, 2 and 3 are right, you don't require a dynamic attribute (DA).
  5. Configure the below query in endpoint -> entitlementtype -> Config for Requestable Entitlement in ARS:

     ev.customproperty8 IN (SELECT user_groupkey FROM Usergroup_users WHERE userkey = ${requestee})

Working preview: [screenshots]

In case the DA should be visible for the user to see which group he belongs to, you can just configure the DA with the below query, but don't change anything in the above configuration.

Value: select group_concat(ug.USER_GROUPNAME) as ID from user_groups ug, usergroup_users ugu where ug.USERGROUPKEY=ugu.USER_GROUPKEY and ugu.USERKEY=${user.id}

If you find the above response useful, Kindly Mark it as Accept As Solution and hit Kudos

Hi @PremMahadikar ,

Thank you for sharing it in a detailed manner. 😊

We have previously configured the DA in the same manner as you have mentioned above, as we were not able to find any other workaround 😅 and tried with the DA; however, it is not a requirement for users to see which user group they belong to.

I have a question on the above details:

We have also created a different query which helps us achieve the result if only one user group needs to be added to the entitlement.

Our requirement is: if more than one user group should be able to see the same entitlement, how can we add more than one (like two or three) user_groupkey values to the CustomProperty of a single entitlement? What changes are required in the below entitlement type query to be able to read and compare more than one group from a single entitlement's CustomProperty?

ev.customproperty8 IN (SELECT user_groupkey FROM Usergroup_users WHERE userkey = ${requestee})


ev.customproperty8 IN (SELECT user_groupkey FROM Usergroup_users WHERE userkey = ${requestee})


The above query is working for multiple.

[screenshots]

Regards,
Rushikesh Vartak

Hi @rushikeshvartak,

It is not working; I already tried it.

I am part of 7 and not part of 9; however, I am not able to see the entitlement at all. The Entitlement Type is AADGroup.

[screenshots]

The problem is that it reads whichever value is written first in the CP of the entitlement.

If I reverse it and write 7,9 instead of 9,7 it will show me the entitlement. This is not ideal when the requestor is part of the second group and not the first. The flow should be that if the user is not part of 9, it should read the next value, i.e. 7, in the CP, and if the user is part of 7, the entitlement should be visible. Only if the user is part of neither 7 nor 9 should the entitlement not be visible at all, which is not happening here.

@rushikeshvartak 

FYR:

I am part of 7 but not part of 9; since 7 is added first in the CP (7,9) it shows me the entitlement, whereas, as showcased above, when 9,7 is added in the CP it does not show me the entitlement.

[screenshots]

Hi @rushikeshvartak, the same query couldn't help here, as he wants to achieve a user who is part of multiple groups and requests multiple entitlements.

@gazanjum, I solved it like below:

You don't have to configure entitlement CPs now, and even the DA is not required; instead add the entitlements inside the user group:

[screenshot]

  1. I have three user groups:
     User group    Entitlement
     Usergroup1    SuperAdmin
     Usergroup2    ReadOnly, ReadWrite
     Usergroup3    ReadWrite, SuperAdmin
  2. I have four users mapped to the below user groups:
     Username       Group Name
     Vikas_test     Usergroup1, Usergroup2, Usergroup3
     Charlie_test   Usergroup3
     Aravind_test   Usergroup1, Usergroup2
     Michael_test   Usergroup2, Usergroup3
  3. Configure the below query in endpoint -> entitlementtype -> Config for Requestable Entitlement in ARS:

     ev.id IN (SELECT uge.entitlement_valuekey FROM Usergroup_users ugu, Usergroup_entitlements uge WHERE uge.user_groupkey=ugu.user_groupkey and ugu.userkey = ${requestee})

Working preview: [screenshot]
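The three query variants discussed in this thread, side by side, as an added MySQL example that is not from any of the posts above and not Saviynt's own code: it reproduces why the plain IN filter only honours the first value of a comma-separated CP, the FIND_IN_SET fix suggested earlier, and the usergroup_entitlements join from the final answer. The table shapes, the user/group data and the @requestee variable are simplified, constructed stand-ins for Saviynt's usergroup_users, entitlement_values and usergroup_entitlements tables and the ${requestee} binding.

```sql
-- Constructed, simplified stand-ins for the tables the thread references
-- (assumption: the real Saviynt schema has many more columns).
CREATE TABLE usergroup_users (userkey INT, user_groupkey INT);
CREATE TABLE entitlement_values (
  entitlementvaluekey INT, entitlement_value VARCHAR(64), customproperty8 VARCHAR(64));
CREATE TABLE usergroup_entitlements (user_groupkey INT, entitlement_valuekey INT);

-- Requestee 101 is in group 7 only, mirroring "I am part of 7 and not part of 9".
INSERT INTO usergroup_users VALUES (101, 7), (102, 9), (103, 7), (103, 9);
INSERT INTO entitlement_values VALUES
  (1, 'SuperAdmin', '9,7'),   -- multi-valued CP with group 9 listed first
  (2, 'ReadOnly',   '8'),
  (3, 'ReadWrite',  '7,9');   -- same groups, opposite order
INSERT INTO usergroup_entitlements VALUES (7, 1), (9, 1), (9, 3);

SET @requestee = 101;   -- stands in for ${requestee}

-- 1) The thread's original filter. The CP is a string compared against the
--    numeric subquery result, so MySQL coerces '9,7' to the number 9 (the
--    leading numeric prefix) and only the FIRST value is ever compared.
--    This is exactly the "7,9 works but 9,7 does not" behaviour reported above.
SELECT ev.entitlement_value FROM entitlement_values ev
WHERE ev.customproperty8 IN
  (SELECT user_groupkey FROM usergroup_users WHERE userkey = @requestee);

-- 2) FIND_IN_SET treats the CP as a comma list and matches any position, so
--    SuperAdmin ('9,7') now matches a member of group 7 as well. The same
--    condition can be used as the ARS fragment with ${requestee} in place of
--    @requestee (assumption: the platform accepts correlated subqueries).
--    Caveat: values must be comma-separated with no spaces ('9,7', not '9, 7').
SELECT ev.entitlement_value FROM entitlement_values ev
WHERE EXISTS (SELECT 1 FROM usergroup_users ugu
              WHERE ugu.userkey = @requestee
                AND FIND_IN_SET(ugu.user_groupkey, ev.customproperty8));

-- 3) The final answer's approach: no CP at all; entitlements are attached to
--    user groups and visibility follows the group membership join directly.
SELECT ev.entitlement_value FROM entitlement_values ev
WHERE ev.entitlementvaluekey IN
  (SELECT uge.entitlement_valuekey
   FROM usergroup_users ugu
   JOIN usergroup_entitlements uge ON uge.user_groupkey = ugu.user_groupkey
   WHERE ugu.userkey = @requestee);
```

With requestee 101, query 1 misses SuperAdmin because of the string-to-number coercion, while queries 2 and 3 return every entitlement tied to group 7 regardless of the order in which groups were listed.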