We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Preventive SOD Violations, prevent user from raising request

SarthakChawla
New Contributor III
New Contributor III

Hi Team,

How do we stop users from being able to submit a request if they are running into an SOD violation? 

Also how do we configure SOD where users from some department cannot raise request for some entitlements. Currently looks like only SOD options are around conflicting entitlements, user attributes cannot be used in the SOD?

2 REPLIES 2

Sivagami
Valued Contributor
Valued Contributor

How do we stop users from being able to submit a request if they are running into an SOD violation? 

- I don't think we have option to stop the user from submitting the request if the request contains SOD. But, we can configure add access workflow in such a way that if the request contains SOD, their access request is auto rejected. In if else block on the workflow, this condition can be put - SOD gt 0 which means if true, then SOD violation exist and connect it to reject block and if false, SOD violation doesn't exist and connect it to the necessary approval blocks as per the requirement.

https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components 

Also how do we configure SOD where users from some department cannot raise request for some entitlements. Currently looks like only SOD options are around conflicting entitlements, user attributes cannot be used in the SOD?

-You don't need to use SOD in this case, you can configure department restriction for an entitlement through dynamic attributes and manipulate the entitlement type Config for Requestable Entitlement in ARS as per the department restrictions needed. This will ensure certain department users won't be able to see the entitlements they are not allowed to request on the first place.

Example: Let's say entitlement A is not allowed to be requested by department Sales. You can update Sales in some customproperty of entitlement A and update the Config for Requestable Entitlement in ARS to below - 

ev.customproperty18 is null or ev.customproperty18!='${UserDepartment}'

UserDepartment is a single select dynamic attribute from SQL query Select DepartmentName as ID from users where userkey='${requestee}'

https://saviynt.freshdesk.com/support/solutions/articles/43000431385-creating-an-entitlement-type 

-Siva

rushikeshvartak
All-Star
All-Star

#1 - You can't stop user from requesting access but below are options

  • Auto Reject Request with if else block sod gt 0
  • Send approval to User Group
  • Send approval to sod owner 

you can't create department as entitlement value (not best practices)

but here you can configure workflow and mention condition and auto reject using workflow


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.