
Reference User for birthright access

rituparna_pwc
Regular Contributor

Hello,

 

We have a use case where Managers select a reference User's ID in the HR system to assign similar access to a new joiner. The reference user detail flows down from HR to Saviynt in a Customproperty. Is there any way in Saviynt to copy the exact enterprise roles that the reference user has to the new joiner?


adriencosson
Valued Contributor

Hi @rituparna_pwc,

Supposing that:

  • You are retrieving this reference ID in the user's customproperty1 (e.g. ID1234),
  • You have an Enterprise role named "Role_Name_ID1234"

You can create a Technical Rule that will assign the user the roles with the name Role_Name_${user.customproperty1}

The screenshot below shows this role being assigned if the user is Active and has a Custom Property 1.

[Screenshot: adriencosson_0-1693320911249.png]

Hope this helps!

Regards,
Adrien COSSON

Hello Adrien,

 

Thanks for this, but it would not be feasible for us, as there could be 10000 employees and anyone can be picked as the reference user. We would then need to create that many Roles.

Nevertheless, this role name with a dynamic value is a great thing I came to know.

adriencosson
Valued Contributor

Hi @rituparna_pwc,

Good to know.

Note that having 1 business role per declared identity is definitely not a good practice, as it shows that "everyone is specific", and the goal of assigning Enterprise Roles through a Technical Rule as birthright access is to define business patterns that will ease providing access to similar employees within your organization.

If my understanding is correct, you want to assign access similar to that of your "reference user" to the identity that will be created.

As this might present operational risk (if the reference user somehow has high-privilege access), you can still leverage two things:

  • When the identity is created, send an email notification to the person in charge to perform access requests in Saviynt for this identity, with the Reference user (as the user's custom properties are available)
  • Enable the "Copy Access" at Endpoint level, which will help requestors copy the access of the reference user for the requested identity. Even if these are manual requests, I believe this would reduce risks related to providing the same access as someone automatically, without any control.

Hope this helps.

If this answers your concern, you can mark it as "Accept as Solution" to help the community find the appropriate content.

Regards,
Adrien COSSON