09/26/2023 04:56 AM
Hi,
We have an endpoint for Active Directory which is non-requestable. It has around 1.5K entitlements (AD groups) which are grouped into various roles within Saviynt, and these roles are granted at the time of birthright provisioning.
Now the customer has a requirement that a few of these AD groups also need to be made requestable, but the Active Directory endpoint will remain non-requestable.
If we set the REQUEST-OPTION under Entitlement Type for the Active Directory endpoint to Table, will the entitlements start appearing in ARS?
If yes, is it possible to selectively make only some of the entitlements requestable?
Kindly suggest the best possible approach for this requirement.
Best Regards,
Varun
09/26/2023 05:00 AM
Hello @varunpuri ,
I think there is some gap here.
If the endpoint itself is made non-requestable, how are you going to allow users to request entitlements?
The entitlement part comes next; before that, you need to select the EP.
09/26/2023 05:07 AM
Thank You, @Manu269 for your response.
Can you please help with some alternative approach?
1. Is it possible to create a child endpoint within Active Directory and associate only this limited set of entitlements with the child endpoint?
2. If a user places a request for some entitlement within the child endpoint, will the New Account task for that child endpoint also get created, even though the user already has an account on the parent endpoint?
Best Regards,
Varun
09/26/2023 12:08 PM
There are 2 options here.
1) You can make the AD endpoint requestable and add an access query on the endpoint such that only users who already have an account in AD can request the application. This way you avoid people placing new requests for AD account creation. Within the application you can display the limited set of groups that need to be requestable. You can achieve it via the Entitlement Type page: in the Requestable Entitlements config and Selected Entitlements config, you can put something like ev.customproperty1='REQUESTABLE'. The AD groups that need to be made requestable must have their customproperty1 set to REQUESTABLE.
2) Add the subset of groups that need to be made requestable to the endpoint filter and make the child endpoint requestable.
-Siva
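As an added illustration (not part of the thread above), two verification queries a practitioner would run before flipping the endpoint to requestable under option 1: the first lists which AD groups will actually surface in ARS under the ev.customproperty1='REQUESTABLE' filter, the second lists the users who already hold an AD account and would therefore pass the access query. Both assume Saviynt's standard analytics tables (entitlement_values, entitlement_types, endpoints, accounts, user_accounts, users), the column names shown, and an endpoint named 'Active Directory'; check them against your own schema and endpoint name.

```sql
-- Added example, not from the thread. Table and column names are assumed
-- from Saviynt's standard analytics schema; the endpoint name and the
-- account status value '1' (active) are assumptions for this illustration.

-- 1. Groups that will appear in ARS once the entitlement-type filter
--    ev.customproperty1='REQUESTABLE' is applied. Anything missing here
--    either lacks the flag or is not under the AD endpoint.
SELECT ev.entitlement_value AS ad_group,
       et.entitlementname   AS entitlement_type,
       ev.customproperty1   AS cp1
FROM entitlement_values ev
JOIN entitlement_types et ON et.entitlementtypekey = ev.entitlementtypekey
JOIN endpoints ep         ON ep.endpointkey = et.endpointkey
WHERE ep.endpointname = 'Active Directory'   -- assumed endpoint name
  AND ev.status = 1                          -- active entitlements only
  AND ev.customproperty1 = 'REQUESTABLE'
ORDER BY ev.entitlement_value;

-- 2. Users who already hold an active AD account, i.e. the population the
--    endpoint access query should admit so that group requests do not
--    raise a new AD account request.
SELECT DISTINCT u.username, a.name AS ad_account
FROM users u
JOIN user_accounts ua ON ua.userkey = u.userkey
JOIN accounts a       ON a.accountkey = ua.accountkey
JOIN endpoints ep     ON ep.endpointkey = a.endpointkey
WHERE ep.endpointname = 'Active Directory'   -- assumed endpoint name
  AND a.status = '1'                         -- assumed: '1' = active account
ORDER BY u.username;
```

If the first query returns groups beyond the intended few, the customproperty1 flag has been set too widely; if the second returns users who should not be able to request, tighten the access query rather than relying on the entitlement filter, since the access query is what gates the endpoint itself.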
09/26/2023 10:30 PM
Hello @Sivagami , Thank You for your response.
If we go ahead with the 2nd option and consider the following scenario:
1. User got the parent AD application as birthright (through a technical rule).
2. User now places an access request for a few other requestable groups using ARS.
Will Saviynt also generate a New Account task for the child endpoint along with the Add Access tasks for the requested groups?
Best Regards,
Varun
09/27/2023 04:37 AM
Yes, it does. But the New Account task is basically a dummy. It doesn't try to create the account again in the target AD. Internally, the parent AD account is mapped to this new endpoint's account.
-Siva
09/27/2023 04:55 AM
@Sivagami - So, will this dummy task get completed when the WSRETRY runs, or will it error out because the user already has an account in AD?
Best Regards,
Varun
09/27/2023 06:49 AM - edited 09/27/2023 06:49 AM
@Sivagami - I made one endpoint the child endpoint of Active Directory using the Endpoints_Filter attribute at the connection object level. The child endpoint got created, and a few accounts and entitlements also got reconciled.
But when I went into ARS to place an access request for groups within this requestable child endpoint, it prompts me to create an account first on this application. Is it possible to request only the groups?
Second question: even if a New Account task gets generated for this new child endpoint, will it get cleared or error out?
Best Regards,
Varun
09/27/2023 07:26 AM
It's just the tool wording. Even though it says Request New Account, it doesn't create an account again. Consider these child endpoints as a logical grouping.
When New Account tasks get created, they go through without error. Make sure that for the child endpoint, entitlement type selection is mandatory so the user can't submit the request without adding groups to their request.
-Siva
09/26/2023 05:11 AM
The other option I can think of is to create a separate EP, SS and Connection, fetch only the limited groups, and allow only that EP to be requested with the limited entitlements.
Again, this may not be the best approach.