Hello,
We are implementing Saviynt on-premises and we are facing an issue when handling nested security groups which are being imported from Active Directory.
We have 2 SGs, IAMtest1 and IAMtest3, and added SG IAMtest3 as a member in SG IAMtest1 (making IAMtest1 the parent entitlement and IAMtest3 the child entitlement). This parent-child association happens correctly, as shown in the image attached (child_ent).
Now, for nested groups in AD, members of nested groups receive permissions from their direct groups and also from parent groups but not the other way around. Hence, members of IAMtest1 do not implicitly receive permissions associated with IAMtest3 but members of IAMtest3 will have permissions associated with both IAMtest1 and IAMtest3.
We added account A only to IAMtest1 and account B only to IAMtest3. The expected behaviour would be:
- In account A we would see IAMtest1 as the associated entitlement
- In account B we would see IAMtest3 and its parent, IAMtest1, as the associated entitlements
However, what actually happens in Saviynt is contrary to the expected behaviour:
- In account A we see IAMtest1 and IAMtest3 as the associated entitlements
- In account B we see only IAMtest3 as the associated entitlement
This behaviour does not align with our expectations, since this will lead to an incorrect understanding of the entitlements the user actually has.
Has anyone experienced similar behaviour? Is this a known bug in Saviynt?
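
The nesting described in the post, worked through as an added example (not part of the original post, and not Saviynt or Active Directory code): it computes each account's effective groups by walking group nesting upward, and for comparison walks it downward, which yields the result the post reports. The group and account data are constructed from the post's description, and all function names are hypothetical.

```python
from collections import deque

# Constructed sample data mirroring the post: child group -> parent groups
# (IAMtest3 is a member of IAMtest1), i.e. each group's memberOf values.
GROUP_MEMBER_OF = {
    "IAMtest3": {"IAMtest1"},
    "IAMtest1": set(),
}
# Direct group memberships of each account, as described in the post.
DIRECT_GROUPS = {
    "A": {"IAMtest1"},
    "B": {"IAMtest3"},
}


def closure(start, edges):
    """Breadth-first transitive closure; the seen-set makes cyclic nesting safe."""
    seen = set(start)
    queue = deque(start)
    while queue:
        group = queue.popleft()
        for nxt in edges.get(group, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_groups(account):
    """AD semantics: direct groups plus every group they are nested in (upward)."""
    return closure(DIRECT_GROUPS[account], GROUP_MEMBER_OF)


def invert(edges):
    """Turn child -> parents into parent -> children."""
    out = {}
    for child, parents in edges.items():
        for parent in parents:
            out.setdefault(parent, set()).add(child)
    return out


def downward_groups(account):
    """Opposite direction: direct groups plus the groups nested inside them."""
    return closure(DIRECT_GROUPS[account], invert(GROUP_MEMBER_OF))
```

Comparing `effective_groups` against what the IGA tool displays for a handful of accounts is a quick way to confirm which direction an import is resolving the hierarchy.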