We have an endpoint for Active Directory which is non-requestable. It has around 1.5K entitlements (AD Groups) which are grouped into various roles within Saviynt and these roles are given at the time of birthright provisioning.
Now, the customer has a requirement that a few of these AD Groups also need to be made requestable but the Active Directory endpoint will remain non-requestable.
If we make the REQUEST-OPTION under Entitlement Type for the Active Directory endpoint "Table", will the entitlements start appearing in ARS?
If yes, is it possible to selectively make only some of the entitlements requestable?
Kindly suggest the best possible approach for this requirement.
Hello @varunpuri,
I think there is some gap.
If the endpoint itself is made non-requestable, how are you going to allow users to request entitlements?
The entitlement part comes next; before that you need to select the EP.
Thank you, @Manu269, for your response.
Can you please help with some alternative approach?
1. Is it possible to create a child endpoint within Active Directory and associate only this limited set of entitlements with the child endpoint?
2. If a user places a request for some entitlement within the child endpoint, will the New Account task for that child endpoint also get created, even though the user already has an account on the parent endpoint?
There are 2 options here.
1) You can make the AD endpoint requestable and add an access query on the endpoint in such a way that only users who already have an account in AD can request the application. This way you avoid people placing new requests for AD account creation. Within the application you can display the limited set of groups that need to be requestable. You can achieve it via the Entitlement Type page - Requestable Entitlements config & Selected Entitlements config -> you can put something like ev.customproperty1='REQUESTABLE'. The AD groups that need to be made requestable need to have their customproperty1 set to REQUESTABLE.
2) Add the subset of groups that need to be made requestable in the endpoint filter and make the child endpoint requestable.
Hello @Sivagami, thank you for your response.
If we go ahead with the 2nd option and consider the following scenario:
1. User got parent AD application as birthright. (through technical rule)
2. User now places an access request for a few other requestable groups using ARS.
Will Saviynt also generate a New Account task for the child endpoint along with the Add Access tasks for the requested groups?
@Sivagami - I made one endpoint a child endpoint of Active Directory using the Endpoints_Filter attribute at the connection object level. The child endpoint got created, and a few accounts and entitlements also got reconciled back.
But when I went into ARS to place an access request for groups within this requestable child endpoint, it prompts to create an account first on this application. Is it possible to request only the groups?
Second question - even if a New Account task gets generated for this new child endpoint, will it get cleared or errored out?
It's just the tool wording. Even though it says Request New Account, it doesn't create an account again. Consider these child endpoints as a logical grouping.
When New Account tasks get created, they go through without error. Make sure that for the child endpoint, entitlement type selection is mandatory, so the user can't submit the request without adding groups to their request.
The other option I can think of is that you can create a separate EP, SS and Connection, fetch the limited groups, and allow only that EP to be requested with the limited entitlements.
Again, this may not be the best approach.