We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Not all entitlements are visible under "Update Existing Entitlement"

indrahema95
Regular Contributor
Regular Contributor

Hi,

We have created a sav role through which users should perform create and update entitlements. Create entitlements showing all the information but if we go to the update existing entitlements it is not showing all the entitlements from all endpoints.

I am attaching the sav role permission details also.

How can we fix it?

indrahema95_0-1703075207152.pngindrahema95_1-1703075262043.pngindrahema95_2-1703075288200.pngindrahema95_3-1703075319592.png

indrahema95_4-1703075346144.png

 

8 REPLIES 8

SumathiSomala
All-Star
All-Star

@indrahema95 Does this Sav role user has access to the endpoints to view all entitlements in entitlements list page?

 

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Hi @SumathiSomala user don't have the access. 

Regards,

Indranil

@indrahema95 If the logged user is non admin user, then to view entitlements user should have access to the endpoint.

Add your custom sav role in Default SAV Role under connection.

Select your endpoint in Access to Endpoints under sav role.

SumathiSomala_0-1703077651324.png

 

 

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

pmahalle
All-Star
All-Star

Hi @indrahema95 ,

Add newly created custom SAV Role in the Default SAV Role field of the connection attached to the security system/endpoint of which entitlements are not visible and check once.

pmahalle_0-1703078450175.png

 


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help other who may have a same problem. Give Kudos 🙂

indrahema95
Regular Contributor
Regular Contributor

@pmahalle @SumathiSomala it is coming. So except role_admin any custom savrole newly created needs to be added in the connections manually then? Even for disconnected apps also right?

 

@indrahema95 , Yes for connected apps fir sure you need to add in the connection but for disconnected we will not have connections. So generally we can modify entitlements of disconnected apps using CSV upload as well.


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help other who may have a same problem. Give Kudos 🙂

@indrahema95 Yes 

For disconnected you can create one dummy connection attach this to security system.

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

rushikeshvartak
All-Star
All-Star

@indrahema95  

  • Below metadata is controlled based on connection level sav role
  • User having sav role and attached to connection will only see data for those application
  • Security System , Endpoint , Accounts and Entitlements metadata for applications are controlle by Connection - Default sav role configuration.

Refer : https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter09-SAV-Roles/Delegated-Admin... 

Use Case: Delegated Administration for Application Management

As an admin user, suppose you want to grant access to application owners to manage their own application data. Each user should be able to manage their applications only and any user should not modify entitlement metadata of any other user. For example, an application owner can manage the accounts, entitlements, endpoints, etc. belonging to an application that he owns.

Solution: Using EIC's delegated administration framework, you can restrict specific users to access only the required applications. This is configured by associating the SAV role of the users, connection, and security system.

Solution:

To configure delegated administration for entitlement management, you need to associate the security system with a connection. The connection, in turn, should be associated with the SAV role of the user. This SAV role is added as the default SAV role of the connection.

The configuration association of security system, connection, and SAV role ensures that from the Admin section of EIC, users belonging to this SAV role can view or manage only those identity repository objects (say, entitlements) that belong to the associated security system.

 

 

For example, if the default SAV role of an application owner is associated with a connection and security system, then this application owner can manage only those entitlements and accounts that belong to the associated security system. The access privileges of the application owners are then determined by the Request Map associated with the SAV role.

 

 

The delegated administration solution thus helps the application owners to exclusively view and modify the identity repository objects (for example, entitlements) that are associated with their SAV role.

However, there are some limitations to this model. There are no specific restrictions on the entitlements that an application owner can create, for example, if the SAV role associated with the application owner provides access privileges to create entitlements using a spreadsheet, then the application owner can create entitlements for other applications as well. Hence this model is recommended to be used only when the application owners want to manage their own entitlements for their applications and not for creating new entitlements.

Example Configuration for Delegating Application Management

This section provides an example related to the configuration of delegated administration of entitlements. This use case is about restricting application owners to manage only their own applications and related entitlements. An application owner is the resource owner who can be an individual user or user group who is primarily responsible for request approvals in workflows for the respective endpoint. With this configuration, the application owners are not allowed to modify the entitlement metadata of other application owners.

Adding Application Owners to the SAV Role

You can associate an application owner with a SAV role from the Users tab in a SAV role. This can be configured from Admin > SAV Roles > Users tab.

This SAV role is used as the default SAV role for the connection.

Note

For more information about configuring Users tab in a SAV role, see Users Tab in .

Associating the Default SAV Role for a Connection

In the required connection, you can associate the default SAV role in the field Default SAV Role as shown in the following figure.

 

 

Note

For more information about configuring connections, see Creating a Connection.

Associating a Connection with the Security System

From the Admin section of EIC, you can associate a connection with the required security system.

 

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.