
Not all entitlements are visible under "Update Existing Entitlement"

indrahema95
Regular Contributor

Hi,

We have created a SAV role through which users should create and update entitlements. Create entitlements is showing all the information, but if we go to update existing entitlements, it is not showing all the entitlements from all endpoints.

I am attaching the sav role permission details also.

How can we fix it?


SumathiSomala
All-Star

@indrahema95 Does this SAV role user have access to the endpoints to view all entitlements in the entitlements list page?

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

Hi @SumathiSomala, the user doesn't have the access.

Regards,

Indranil

@indrahema95 If the logged-in user is a non-admin user, then to view entitlements the user should have access to the endpoint.

Add your custom sav role in Default SAV Role under connection.

Select your endpoint in Access to Endpoints under sav role.


Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

pmahalle
All-Star

Hi @indrahema95 ,

Add the newly created custom SAV Role in the Default SAV Role field of the connection attached to the security system/endpoint whose entitlements are not visible, and check once.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

indrahema95
Regular Contributor

@pmahalle @SumathiSomala it is coming. So except role_admin, any custom SAV role newly created needs to be added in the connections manually then? Even for disconnected apps also, right?

@indrahema95, yes, for connected apps for sure you need to add it in the connection, but for disconnected apps we will not have connections. So generally we can modify entitlements of disconnected apps using CSV upload as well.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

@indrahema95 Yes 

For disconnected apps you can create one dummy connection and attach it to the security system.

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

rushikeshvartak
All-Star

@indrahema95  

  • The metadata below is controlled by the connection-level SAV role
  • A user who has a SAV role that is attached to a connection will only see data for those applications
  • Security System, Endpoint, Accounts and Entitlements metadata for applications are controlled by the Connection - Default SAV role configuration.

Refer : https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter09-SAV-Roles/Delegated-Admin... 

Use Case: Delegated Administration for Application Management

As an admin user, suppose you want to grant access to application owners to manage their own application data. Each user should be able to manage their applications only and any user should not modify entitlement metadata of any other user. For example, an application owner can manage the accounts, entitlements, endpoints, etc. belonging to an application that he owns.

Solution: Using EIC's delegated administration framework, you can restrict specific users to access only the required applications. This is configured by associating the SAV role of the users, connection, and security system.

Solution:

To configure delegated administration for entitlement management, you need to associate the security system with a connection. The connection, in turn, should be associated with the SAV role of the user. This SAV role is added as the default SAV role of the connection.

The configuration association of security system, connection, and SAV role ensures that from the Admin section of EIC, users belonging to this SAV role can view or manage only those identity repository objects (say, entitlements) that belong to the associated security system.

 

 

For example, if the default SAV role of an application owner is associated with a connection and security system, then this application owner can manage only those entitlements and accounts that belong to the associated security system. The access privileges of the application owners are then determined by the Request Map associated with the SAV role.

 

 

The delegated administration solution thus helps the application owners to exclusively view and modify the identity repository objects (for example, entitlements) that are associated with their SAV role.

However, there are some limitations to this model. There are no specific restrictions on the entitlements that an application owner can create, for example, if the SAV role associated with the application owner provides access privileges to create entitlements using a spreadsheet, then the application owner can create entitlements for other applications as well. Hence this model is recommended to be used only when the application owners want to manage their own entitlements for their applications and not for creating new entitlements.

Example Configuration for Delegating Application Management

This section provides an example related to the configuration of delegated administration of entitlements. This use case is about restricting application owners to manage only their own applications and related entitlements. An application owner is the resource owner who can be an individual user or user group who is primarily responsible for request approvals in workflows for the respective endpoint. With this configuration, the application owners are not allowed to modify the entitlement metadata of other application owners.

Adding Application Owners to the SAV Role

You can associate an application owner with a SAV role from the Users tab in a SAV role. This can be configured from Admin > SAV Roles > Users tab.

This SAV role is used as the default SAV role for the connection.

Note

For more information about configuring Users tab in a SAV role, see Users Tab in .

Associating the Default SAV Role for a Connection

In the required connection, you can associate the default SAV role in the field Default SAV Role as shown in the following figure.

 

 

Note

For more information about configuring connections, see Creating a Connection.

Associating a Connection with the Security System

From the Admin section of EIC, you can associate a connection with the required security system.

 

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
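
The association described in this thread (security system, connection, Default SAV Role), modelled in Python as an added example that is not part of the thread and not Saviynt code. The data layout, role names and feature names are constructed assumptions; the sketch explains why a system's entitlements are hidden from a non-admin user and flags roles affected by the quoted limitation on creating entitlements.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SecuritySystem:
    name: str
    connection: Optional[str]          # None models a disconnected application
    entitlements: list = field(default_factory=list)

# Constructed sample configuration; every name below is hypothetical.
# connection name -> SAV roles listed in its Default SAV Role field
DEFAULT_SAV_ROLES = {"AD_Conn": {"ROLE_APP_OWNER_AD"}, "SAP_Conn": set()}
SYSTEMS = [
    SecuritySystem("ActiveDirectory", "AD_Conn", ["Domain Users", "VPN_Access"]),
    SecuritySystem("SAP", "SAP_Conn", ["SAP_FI_DISPLAY"]),
    SecuritySystem("BadgeSystem", None, ["Lobby"]),
]
# SAV role -> granted features; feature names are placeholders, not product identifiers
ROLE_FEATURES = {"ROLE_APP_OWNER_AD": {"UPDATE_ENTITLEMENT", "CREATE_ENTITLEMENT_UPLOAD"}}

def can_see(system, user_roles, is_admin=False):
    """Rule from the thread: admins see everything; other users need one of
    their SAV roles in the Default SAV Role of the system's connection."""
    if is_admin:
        return True
    roles = DEFAULT_SAV_ROLES.get(system.connection, set())
    return bool(roles & set(user_roles))

def visible_entitlements(user_roles, is_admin=False):
    return {s.name: list(s.entitlements)
            for s in SYSTEMS if can_see(s, user_roles, is_admin)}

def hidden_systems(user_roles):
    """Explain, per security system, why its entitlements are not listed."""
    reasons = {}
    for s in SYSTEMS:
        if can_see(s, user_roles):
            continue
        reasons[s.name] = ("no connection attached" if s.connection is None
                           else f"role not in Default SAV Role of {s.connection}")
    return reasons

def roles_with_unscoped_create():
    """Roles that can create entitlements by upload; per the quoted limitation,
    that privilege is not restricted to the role's own applications."""
    return sorted(r for r, f in ROLE_FEATURES.items()
                  if "CREATE_ENTITLEMENT_UPLOAD" in f)

if __name__ == "__main__":
    print(visible_entitlements(["ROLE_APP_OWNER_AD"]))
    print(hidden_systems(["ROLE_APP_OWNER_AD"]))
    print(roles_with_unscoped_create())
```
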