
Role based provision

Gopi
New Contributor III

Hi team,

The use case is:

If the user has an AD account, then only some roles (Privileged roles) must be provided to users.

Is there any option for restricting users at the role level using some access query or other options?

Thanks,

Gopi.


rushikeshvartak
All-Star

You can restrict the same using a dynamic attribute on the request form.

Dynamic Attribute Name: isPrivilegeAccess

Query: select name, case when a.accountkey not in (select ae1.accountkey from account_entitlements1 ae1) then 'Privileged roles' when a.accountkey in (select ae1.accountkey from account_entitlements1 ae1) then 'No Access to Privileged roles' end as id
from accounts a where a.endpointkey=1 and a.status=1

Use the above dynamic attribute in the Entitlement Type Config for Requestable Entitlement in ARS:

ev.status1 and ev.customproperty=${isPrivilegeAccess}

Use some Privilege Entitlement Customproperty, e.g. Customproperty1 = 'Privileged roles'


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
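The query from the answer above can be checked against sample data before it is pasted into a dynamic attribute. This is an added example, not part of the original post or Saviynt's own code: it uses an in-memory SQLite stand-in with constructed tables holding only the columns the query names, constructed sample rows, and hypothetical helper names (`build_db`, `evaluate`). It also shows the edge case where a NULL `accountkey` in the subquery leaves the `case` expression without a matching branch.

```python
import sqlite3

# The query from the answer above (quotes balanced), ordered for stable output.
QUERY = """
select name,
       case when a.accountkey not in (select ae1.accountkey from account_entitlements1 ae1)
                then 'Privileged roles'
            when a.accountkey in (select ae1.accountkey from account_entitlements1 ae1)
                then 'No Access to Privileged roles'
       end as id
from accounts a
where a.endpointkey = 1 and a.status = 1
order by name
"""

def build_db(entitlement_rows):
    """Constructed stand-in tables with only the columns the query names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table accounts (accountkey integer, name text,
                               endpointkey integer, status integer);
        create table account_entitlements1 (accountkey integer);
    """)
    # Constructed sample accounts: two active on endpoint 1,
    # one with a different status, one on a different endpoint.
    db.executemany("insert into accounts values (?, ?, ?, ?)", [
        (10, "alice", 1, 1),
        (11, "bob", 1, 1),
        (12, "carol", 1, 2),
        (13, "dave", 2, 1),
    ])
    db.executemany("insert into account_entitlements1 values (?)",
                   [(key,) for key in entitlement_rows])
    return db

def evaluate(entitlement_rows):
    """Return {account name: id value the query yields for that account}."""
    return dict(build_db(entitlement_rows).execute(QUERY).fetchall())

if __name__ == "__main__":
    print(evaluate([11]))        # bob already has an entitlement row
    print(evaluate([11, None]))  # a NULL accountkey makes NOT IN unknown for alice
```

When the second case applies, `id` comes back as NULL for accounts without entitlement rows, so a filter comparing a custom property to `${isPrivilegeAccess}` would have no value to match.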

Gopi
New Contributor III

Hi Rushikesh,

Could you please elaborate more on this, like:

1. The flow: where to start and where to end.

2. Use some Privilege Entitlement Customproperty, e.g. Customproperty1 = 'Privileged roles' (for this, do I need to hardcode it at the entitlement level?).

3. So in this attribute Config for Requestable Entitlement in ARS, do I need to put this value: ev.status1 and ev.customproperty=${isPrivilegeAccess}?

4. Query: select name, case when a.accountkey not in (select ae1.accountkey from account_entitlements1 ae1) then 'Privileged roles' when a.accountkey in (select ae1.accountkey from account_entitlements1 ae1) then 'No Access to Privileged roles' end as id
from accounts a where a.endpointkey=1 and a.status=1. Where does this query need to be pasted?

Thanks,

Gopinath R.

Yes, all correct steps.


Regards,
Rushikesh Vartak