01/17/2023 10:52 AM
Hi Team,
How do we stop users from being able to submit a request if they are running into an SOD violation?
Also, how do we configure SOD where users from some department cannot raise requests for some entitlements? Currently it looks like the only SOD options are around conflicting entitlements; user attributes cannot be used in the SOD?
01/17/2023 11:28 AM
How do we stop users from being able to submit a request if they are running into an SOD violation?
- I don't think we have an option to stop the user from submitting the request if the request contains SOD. But we can configure the add access workflow in such a way that if the request contains SOD, their access request is auto-rejected. In the if-else block of the workflow, this condition can be put: SOD gt 0. If true, an SOD violation exists, so connect it to the reject block; if false, an SOD violation doesn't exist, so connect it to the necessary approval blocks as per the requirement.
https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components
Also, how do we configure SOD where users from some department cannot raise requests for some entitlements? Currently it looks like the only SOD options are around conflicting entitlements; user attributes cannot be used in the SOD?
- You don't need to use SOD in this case. You can configure a department restriction for an entitlement through dynamic attributes and manipulate the entitlement type Config for Requestable Entitlement in ARS as per the department restrictions needed. This will ensure certain department users won't be able to see the entitlements they are not allowed to request in the first place.
Example: Let's say entitlement A is not allowed to be requested by department Sales. You can update Sales in some customproperty of entitlement A and update the Config for Requestable Entitlement in ARS to the below -
ev.customproperty18 is null or ev.customproperty18!='${UserDepartment}'
UserDepartment is a single select dynamic attribute from SQL query - Select DepartmentName as ID from users where userkey='${requestee}'
https://saviynt.freshdesk.com/support/solutions/articles/43000431385-creating-an-entitlement-type
-Siva
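Added example (not part of the reply above, and not Saviynt code): a small SQLite model of the requestable-entitlement condition from the reply, showing what each half of the condition does, including the "is null or" half. The table name, the sample rows and the requestable helper are constructed for illustration, and the example assumes the condition is evaluated with standard SQL NULL semantics.

```python
import sqlite3

# Constructed sample data. The table and column names only model the
# "ev.customproperty18" alias used in the reply; they are assumptions,
# not Saviynt's actual schema.
ENTITLEMENTS = [
    ("Entitlement A", "Sales"),    # Sales is not allowed to request A
    ("Entitlement B", None),       # no department restriction set
    ("Entitlement C", "Finance"),  # Finance is not allowed to request C
]

# Condition as given in the reply, with :dept standing in for ${UserDepartment}.
FILTER_FROM_POST = "ev.customproperty18 is null or ev.customproperty18 != :dept"
# Same condition with the null check dropped, to show what it is for.
FILTER_WITHOUT_NULL = "ev.customproperty18 != :dept"


def requestable(condition, department):
    """Return the entitlement names a requestee in `department` would see."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table entitlement_values (name text, customproperty18 text)"
    )
    con.executemany("insert into entitlement_values values (?, ?)", ENTITLEMENTS)
    rows = con.execute(
        "select ev.name from entitlement_values ev "
        f"where {condition} order by ev.name",
        {"dept": department},
    ).fetchall()
    con.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    for dept in ("Sales", "HR"):
        print(dept, "with null check:   ", requestable(FILTER_FROM_POST, dept))
        print(dept, "without null check:", requestable(FILTER_WITHOUT_NULL, dept))
```

Without the null check, NULL != 'Sales' evaluates to NULL rather than true, so every entitlement that has no department restriction recorded disappears from the request list for all users.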
01/17/2023 11:38 AM
#1 - You can't stop the user from requesting access, but below are the options.
You can't create department as an entitlement value (not best practice),
but here you can configure the workflow, mention the condition, and auto-reject using the workflow.