12/20/2023 04:29 AM
Hi,
We have created a SAV role through which users should be able to create and update entitlements. Create Entitlements shows all the information, but if we go to Update Existing Entitlements, it is not showing all the entitlements from all endpoints.
I am attaching the sav role permission details also.
How can we fix it?
12/20/2023 04:45 AM
@indrahema95 Does this SAV role user have access to the endpoints to view all entitlements in the entitlements list page?
12/20/2023 05:02 AM
12/20/2023 05:09 AM
@indrahema95 If the logged-in user is a non-admin user, then to view entitlements the user should have access to the endpoint.
Add your custom SAV role in Default SAV Role under the connection.
Select your endpoint in Access to Endpoints under the SAV role.
12/20/2023 05:21 AM
Hi @indrahema95 ,
Add the newly created custom SAV Role in the Default SAV Role field of the connection attached to the security system/endpoint whose entitlements are not visible, and check once.
12/20/2023 05:29 AM
@pmahalle @SumathiSomala It is coming now. So except role_admin, any newly created custom SAV role needs to be added in the connections manually then? Even for disconnected apps also, right?
12/20/2023 05:32 AM
@indrahema95, yes, for connected apps for sure you need to add it in the connection, but for disconnected apps we will not have connections. So generally we can modify entitlements of disconnected apps using CSV upload as well.
12/20/2023 05:34 AM - edited 12/20/2023 05:35 AM
@indrahema95 Yes.
For disconnected apps you can create one dummy connection and attach this to the security system.
12/20/2023 10:37 AM
As an admin user, suppose you want to grant access to application owners to manage their own application data. Each user should be able to manage only their own applications, and no user should be able to modify the entitlement metadata of any other user. For example, an application owner can manage the accounts, entitlements, endpoints, etc. belonging to an application that he owns.
Solution: Using EIC's delegated administration framework, you can restrict specific users to accessing only the required applications. This is configured by associating the SAV role of the users, the connection, and the security system.
Solution:
To configure delegated administration for entitlement management, you need to associate the security system with a connection. The connection, in turn, should be associated with the SAV role of the user. This SAV role is added as the default SAV role of the connection.
The configuration association of security system, connection, and SAV role ensures that from the Admin section of EIC, users belonging to this SAV role can view or manage only those identity repository objects (say, entitlements) that belong to the associated security system.
For example, if the default SAV role of an application owner is associated with a connection and security system, then this application owner can manage only those entitlements and accounts that belong to the associated security system. The access privileges of the application owners are then determined by the Request Map associated with the SAV role.
The delegated administration solution thus helps the application owners to exclusively view and modify the identity repository objects (for example, entitlements) that are associated with their SAV role.
However, there are some limitations to this model. There are no specific restrictions on the entitlements that an application owner can create. For example, if the SAV role associated with the application owner provides access privileges to create entitlements using a spreadsheet, then the application owner can create entitlements for other applications as well. Hence this model is recommended only when application owners want to manage their own entitlements for their applications, and not for creating new entitlements.
This section provides an example related to the configuration of delegated administration of entitlements. This use case is about restricting application owners to manage only their own applications and related entitlements. An application owner is the resource owner who can be an individual user or user group who is primarily responsible for request approvals in workflows for the respective endpoint. With this configuration, the application owners are not allowed to modify the entitlement metadata of other application owners.
You can associate an application owner with a SAV role from the Users tab in a SAV role. This can be configured from Admin > SAV Roles > Users tab.
This SAV role is used as the default SAV role for the connection.
For more information about configuring the Users tab in a SAV role, see Users Tab in .
In the required connection, you can associate the default SAV role in the field Default SAV Role as shown in the following figure.
For more information about configuring connections, see Creating a Connection.
From the Admin section of EIC, you can associate a connection with the required security system.