Saviynt Forums

Jegathalayan · ‎12/27/2022

Hi Team,

We are using Saviynt v5.5 SP3, we want to give Application team's admin access so they can see User repository and completed tasks in ARS.

We have a SAV Role with this Access priveleges provided to it, these are the individual access that we have given.

ADMIN SUBMENU.ADMIN.accounts_list
ADMIN SUBMENU.ADMIN.users_list
ADMIN SUBMENU.ADMIN.entitlement_types
ADMIN SUBMENU.ADMIN.utility
ARS SUBMENU.ARS.workflowmanagement_tasklist
ARS SUBMENU.ARS.workflowmanagement_requesthome
ARS SUBMENU.ARS.jbpmworkflowmanagement_showmyhistoryrequests
ARS SUBMENU.ARS.jbpmworkflowmanagement_viewopenrequests
ARS SUBMENU.ARS.workflowmanagement_completedtasklist
ARS SUBMENU.ARS.workflowmanagement_requesthomedashboard
ARS SUBMENU.ARS.workflowmanagement_remaccess
ARS SUBMENU.ARS.jbpmworkflowmanagement_remaccess
ARS SUBMENU.ARS.arsDashboard_remaccess
ARS SUBMENU.ARS.firefighter
ARS SUBMENU.ARS.workflowmanagement_multiuseruploadpreview
ARS SUBMENU.ARS.create_userrequest
ARS SUBMENU.ARS.workflowmanagement_requesthomepam

Here we have identified that:
We have to keep SUBMENU.ADMIN.accounts_list or SUBMENU.ADMIN.roles_list available otherwise the Admin Section is not visible for the App Team.
Why is that Happening?

We also don't want to give Accounts access or entitlements access for them to avoid them from creating/modifying existing entitlements.

As per the above access, What's the approach we should do to ensure the Application Teams get Minimal access to view pending tasks, complete tasks and more importantly
they can goto Admin to view only user's list and nothing else?

Thank you and Regards,

Jegathalayan T

avinashchhetri · ‎12/27/2022

Hello @Jegathalayan,

The SAV Roles are URI based, which means you can either show or hide but might not be able to restrict access unless it is a Read Only Role. If you expose the users list page, they will be able to list and modify user attributes as well.

For restricting access to accounts, please ensure they do not have any roles which are also mapped in the Default SAV Role section of the respective connector.

In v5.5 SP3.x, for visibility into pending tasks, You may have to create a custom SAV Role with the name "ROLE_TASKADMIN" and have the following added.

Regards,
Avinash Chhetri

rushikeshvartak · ‎12/27/2022

Can you please elaborate what is use case to provide read only access to admin - users page ?

As user’s information is also visible under pending/completed task

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Jegathalayan · ‎01/02/2023

Thank you for your responses @avinashchhetri @rushikeshvartak

We will look into the access present in the default SAV Role i.e. Users SAV role given and then verify if we can remove any access that is making the Roles section appear.

We basically need to show only User List for the Application, so the application team can use the user's general details such as Site, Location and also custom properties (C.P 1 to C.50)

Please do advise if the same User information can be accessed without Admin Access, don' think that's possible as of now unless we create a report for it.

Thank you so much for your guidance.

Thank you and Regards,

Jegathalayan T

rushikeshvartak · ‎01/02/2023

Share sav role extract

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Saviynt Forums

Need to give App Team access to Users List only!