
RBAC implementation via enterprise roles.

Santosh
New Contributor III

Hello, we are trying to implement RBAC. Those applications that have entitlements were handled by assigning the particular enterprise role, but we got stuck provisioning accounts for those applications without any entitlements. How can we include account provisioning in the enterprise role, if there is any way?

The end goal is to assign the enterprise role and have users granted access and accounts based on their assigned enterprise role.


rushikeshvartak
All-Star

Does the base account need additional inputs?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

It is a case of the user either having an account or not having one. So, no additional inputs, I guess.

If no additional input is required, it will trigger a new account task and process it.


Regards,
Rushikesh Vartak

Santosh
New Contributor III

My apologies if I was not clear. For those applications that don't have Entitlement Type and Entitlement_Value, I want them to be handled as well, like their counterparts which were handled by the enterprise role. For that I was asking whether we could use/initiate a provisioning task inside our existing enterprise role and list out all the endpoints that those users will get via the enterprise role.

Hi @Santosh, using enterprise roles, the task for an endpoint will be created only if an entitlement from that endpoint is mapped.

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

Santosh
New Contributor III

@naveenss Is there a way that I could map those endpoints that don't have Entitlement_Value to my existing enterprise role, so users can have accounts in them as well?

I don't think that's possible. 

 

Regards,
Naveen Sakleshpur

Santosh
New Contributor III

@naveenss @rushikeshvartak What would be the workaround for it then? I was thinking of an Application Role and making those child roles of the enterprise role. But my initial test was not successful (I created an Application Role, selected the endpoint ---> added a user to it ---> ran the provisioning task for that endpoint). The other one I was thinking of was using a Technical Rule, but the number of roles that need accounts on numerous endpoints scared me. In my experience, other IGA tools I have used let me create roles in a way that handled both account provisioning and account plus access provisioning. Anyway, I would like to hear any workaround for it.

NM
Valued Contributor

Hi @Santosh, you can create a dummy entitlement for those endpoints, add the same in the enterprise role, and auto-complete the add access task.

Santosh
New Contributor III

@NM I did upload the enterprise role using a template. So, what you mean is that, without actually creating an entitlement on the target application, I could create an "XYZ" Entitlement_Value and re-upload the template? I have a template attached; please let me know if that is what you are suggesting.

NM
Valued Contributor

For the endpoint for which you are trying to provision only the role, you can create an entitlement. It doesn't have to match the target entitlement, just a dummy value, and then you can add the same under the "entitlement" tab of the role.

Once the user requests it, a new account task will be created.

Santosh
New Contributor III


@NM Does this template justify what you meant? (Also, I have added a screenshot to my previous reply.)

[This post has been edited by a Moderator to try to make the image more visible.]

NM
Valued Contributor

@Santosh, do you have an entitlement value with entitlement type role present under the endpoint which you want to add in the enterprise role?

Santosh
New Contributor III

@NM No, I just made it up. If they had one, it would be no issue at all for provisioning; that's why I wanted to validate the above template.

NM
Valued Contributor

Hi @Santosh, yes, a dummy works.

Santosh
New Contributor III

@NM Thank you for clarifying that. I will proceed with getting approval for that. Appreciated!

NM
Valued Contributor

@Santosh, do give it a try first in a lower environment.

 

Santosh
New Contributor III

@NM That is the plan.

Can you explain what this application without any accounts is? A dummy entitlement will resolve the issue, but I am trying to understand the business use case we are trying to fix with the enterprise role.


Regards,
Rushikesh Vartak

Santosh
New Contributor III

@rushikeshvartak We are a new implementer of Saviynt and have around 50 endpoints (connected + disconnected) where users have accounts but there are no entitlements/groups/access profiles that they get. It is either you have an account or you don't. That was causing an issue as we are trying to implement RBAC via enterprise roles (roles only provisioned accounts on those endpoints with entitlements). That is why I was looking for a workaround and wanted to test this theory of creating dummy entitlements in Saviynt (not in the target apps), assigning those entitlements to our existing enterprise roles, assigning those roles to users, and expecting them to have accounts provisioned on all endpoints that the enterprise role is composed of.

You can use dummy entitlements, but this is not best practice. You can perform a POC on the same. But if they need access, it should be raised through the ARS application request form, since there are no entitlements, instead of creating junk dummy entitlements.


Regards,
Rushikesh Vartak