We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Requestable Entitlements for Non-Requestable Endpoint

varunpuri
Regular Contributor
Regular Contributor

Hi,

We have an endpoint for Active Directory which is non-requestable. It has around 1.5K entitlements (AD Groups) which are grouped into various roles within Saviynt and these roles are given at the time of birthright provisioning. 

Now, the customer has a requirement that a few of these AD Groups also need to be made requestable but the Active Directory endpoint will remain non-requestable.

If we make the REQUEST-OPTION under Entitlement Type for Active Directory endpoint as Table, then will the entitlements start appearing in ARS ?
If Yes, then Is it possible to selectively make some of the entitlements only as requestable ?

Kindly suggest the best possible approach for this requirement.

Best Regards,
Varun

9 REPLIES 9

Manu269
All-Star
All-Star

Hello @varunpuri ,

I think there is some gap.

If the endpoint is itself made non requestable how are you going to allow users to request entitlements?

The entitlement part comes next , before that you need to select the EP.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos
.

varunpuri
Regular Contributor
Regular Contributor

Thank You, @Manu269 for your response.

Can you please help with some alternative approach.

1. Is it possible to create a child endpoint within Active Directory and only associate those limited set of entitlements within this child endpoint ?

2. If a user places request for some entitlement within the child endpoint, then the New Account task of that child endpoint will also get created ? even though the user already has account on the Parent endpoint.

Best Regards,
Varun

Sivagami
Valued Contributor
Valued Contributor

There are 2 options here.

1) You can make AD endpoint requestable and add access query in the endpoint in a such a way that users having account in AD already only can request the application. This way you avoid people placing new requests for AD account creation. Within the application you can display the limited set of groups that needs to be requestable. You can achieve it via entitlementtype page - requestable entitlements config & Selected entitlements config -> You can put something like ev.customproperty1='REQUESTABLE'. The AD groups that needs to be made requestable needs to have their customproperty1 set as REQUESTABLE.

2) Add the subset of groups that needs to be made requestable in the endpoint filter and make the child endpoint requestable.

-Siva

varunpuri
Regular Contributor
Regular Contributor

Hello @Sivagami , Thank You for your response.

If we go ahead with the 2nd option and consider the following scenario :

1. User got parent AD application as birthright. (through technical rule)
2. User now places an access request for a few other requestable groups using ARS.

Will Saviynt also generate a New Account task for the Child Endpoint along with the Add Access tasks for the requested groups ? 

Best Regards,
Varun

Sivagami
Valued Contributor
Valued Contributor

Yes it does. But the New account task is basically dummy. It doesn't try to create the account again in target AD. Internally, the parent AD account is mapped to this new endpoint account.

-Siva

varunpuri
Regular Contributor
Regular Contributor

@Sivagami - So, this dummy task will get completed when the WSRETRY runs or will get errored out because the user already has account in AD ?

Best Regards,
Varun

varunpuri
Regular Contributor
Regular Contributor

@Sivagami - I made one endpoint as the child endpoint of Active Directory using the Endpoints_Filter attribute at the connection object level. The child endpoint got created and few accounts and entitlements also got reconciled back. 

But when I went ahead into ARS to place an access request for groups within this requestable child endpoint, then it prompts to create an account first on this application. Is it possible to request only the groups ?

Second question - Even if New Account task gets generated for this new child endpoint, will it get cleared or errored out ?

varunpuri_0-1695822581993.png

 

Best Regards,
Varun

Sivagami
Valued Contributor
Valued Contributor

It's just the tool wording. Even though it says Request New Account, it doesn't create a account again. Consider this child endpoints as a logically grouping. 

When new account tasks get created they go through without error. Make sure for the child endpoint, entitlement type selection is mandatory so the user can't submit the request without adding groups to their request.

-Siva

Manu269
All-Star
All-Star

The other option what i can think of is you can create a separate EP, SS and Connection and fetch the limited groups and allow only that EP to be requested with limited entitlements.

Again, this may not be best approach.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos
.