Read-Only Admin SAV Role - Baseline Application

New Contributor
New Contributor

Hi All,

We are trying to implement a Read-Only Admin role for our team to use and noticed during testing that with the role, the option to "Baseline Application" is still available under Endpoints.


Does anyone know how to disable this option or if it has any real effect on configurations?




Even if you click on it, It shows Job started but baseline task is not created hence there is no issue.

Baseline Application used for finding Out of the band access added directly in target without saviynt request


Baselining of an application is the process of identifying rogue accounts or accesses, and taking measures for onboarding them accordingly.
Rogue accounts or accesses are created, updated, or managed outside the Saviynt environment, directly in the target application. Recognizing and reviewing these rogue accesses becomes highly important, as they are created on the target application directly and may pose a security risk. Therefore, having a baseline for comparison reduces the overhead of manually searching for out-of-band accesses.

A baselining operation is performed by default for every application that is imported within Saviynt. You can also baseline an application manually by clicking Baseline Application for an endpoint by navigating to Admin > Security System > Endpoints.

Saviynt also provides a Re-Baseline Application option that reviews any incremental changes within the application, due to which there could be a new set of rogue accesses. As the name suggests, re-baselining can be performed for applications that have already been baselined before.
A routine scenario where re-baselining applications becomes paramount is during mergers and acquisitions. In these situations, there could be a huge influx of new accounts and accesses to already baselined applications, and therefore these are marked as ‘rogue’. Re-baselining identifies these new ‘rogue’ accounts or accesses and maps them accordingly.

Video: Enhanced Application Baselining

For re-baselining an already baselined application, click the Re-Baseline Application option for an endpoint by navigating to Admin > Security System > Endpoints.

For re-baselining an already baselined application, perform the following steps:

  1. Go to Admin > Security System > Endpoints and click the Re-Baseline Application option for an endpoint.

  2. Re-Baseline Application provides you with the below retrofitting options:

    1. Do you want to repair Role User Mapping?
      Enabling this option allows you to repair the role-user mappings for the application. For more information on repairing role user mappings, see Repairing Role Mappings.

    2. Do you want to repair Rule User Mapping?
      Enabling this option allows you to repair the rule-user mappings for the application. For more information on repairing rule user mappings, see Repairing Rule-User Mappings.

      The Rule User Mapping option is available only when the Enable rule retrofit (repair rule to user mappings) setting is enabled from Admin > Global Configuration > Rules > Settings. For more information, see Configuring Rules.

  3. Enable one of the above options as per your requirement, and click Start.
    The baselining process is initiated.

The role-user and rule user repair options have been included in Re-Baselining to ensure that all entitlements are removed for users when they are no longer part of a role or they do not match the rule conditions. They help in scenarios such as a faulty import interrupting the role to user or rule to user relationships.

The ‘i' icon next to the Baseline Application or Re-Baseline Application option displays details such as the generated ‘arstaskkey’, the user who initiated the baseline application process, the date, and the number of accounts and entitlements that are baselined. For more information about 'arstaskkey’, see the Accounts Table in the Saviynt Security Manager Schema Guide.

SSM also provides an out-of-band access detection functionality that detects and revokes accesses that are assigned by the target system. Based on the baseline or re-baseline results, you can choose the DeprovisionAccess or Deprovision Access and Re-create Access Request option from Action for Out of Band Access Detection for the rogue accounts or accesses found. To know more, see Configuring the detection of out-of-band access for endpoints in the Knowledge Base Articles. 

Rushikesh Vartak
If the response is helpful, please click Accept As Solution and kudos it.