10-25-2022 11:32 AM
Hi team,
The use case is:
If the user has an AD account, then only some roles (Privileged roles) must be provided to users.
Is there any option for restricting users at the role level using some access query or other options?
Thanks,
Gopi.
10-25-2022 01:10 PM
You can restrict the same using a dynamic attribute on the request form.
Dynamic Attribute Name :- isPrivilegeAccess
Query : select name, case when a.accountkey not in (select ae1.accountkey from account_entitlements1 ae1) then 'Privileged roles' when a.accountkey in (select ae1.accountkey from account_entitlements1 ae1) then 'No Access to Privileged roles' end as id
from accounts a where a.endpointkey=1 and a.status=1
Use the above dynamic attribute in the Entitlement Type's Config for Requestable Entitlement in ARS:
ev.status1 and ev.customproperty=${isPrivilegeAccess}
Use some Privilege Entitlement Customproperty, e.g. Customproperty1 = 'Privileged roles'
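
An offline simulation of the two pieces described in the answer above, added as an example and not part of the original post or the product's own code: it runs the dynamic-attribute query against constructed SQLite tables and then applies the entitlement filter. The table layouts, sample rows, the `entitlement_values` table name, `ev.status = 1`, `customproperty1` and the `a.name = ?` lookup are assumptions.

```python
import sqlite3

# The thread's dynamic-attribute query with balanced quotes; the final
# "and a.name = ?" is this example's addition to pick one account's row.
ATTR_SQL = """
select name,
       case when a.accountkey not in (select ae1.accountkey from account_entitlements1 ae1)
                then 'Privileged roles'
            when a.accountkey in (select ae1.accountkey from account_entitlements1 ae1)
                then 'No Access to Privileged roles'
       end as id
from accounts a
where a.endpointkey = 1 and a.status = 1 and a.name = ?
"""

def build_db():
    """Constructed stand-in tables; only columns named in the thread are modelled."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table accounts (accountkey integer, name text, endpointkey integer, status integer);
        create table account_entitlements1 (accountkey integer, entitlement text);
        create table entitlement_values (entitlement_value text, status integer, customproperty1 text);
        insert into accounts values (1, 'alice', 1, 1), (2, 'bob', 1, 1), (3, 'carol', 2, 1);
        insert into account_entitlements1 values (2, 'AD-Users');
        insert into entitlement_values values
            ('Domain Admins', 1, 'Privileged roles'),
            ('AD-Users', 1, null),
            ('Old Admins', 0, 'Privileged roles');
    """)
    return db

def is_privilege_access(db, account_name):
    """Value the dynamic attribute would carry, or None if no account row matches."""
    row = db.execute(ATTR_SQL, (account_name,)).fetchone()
    return row[1] if row else None

def requestable(db, account_name):
    """Entitlements left after filtering on status and the attribute value (assumed filter)."""
    value = is_privilege_access(db, account_name)
    rows = db.execute(
        "select ev.entitlement_value from entitlement_values ev "
        "where ev.status = 1 and ev.customproperty1 = ?", (value,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for who in ("alice", "bob", "carol"):
        print(who, is_privilege_access(db, who), requestable(db, who))
```

An account with no matching row yields no attribute value, so the filter returns nothing for it rather than everything.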
11-25-2022 07:40 AM
Hi Rushikesh,
Could you please elaborate more on this, like:
1. The flow: where to start and where to end.
2. Use some Privilege Entitlement Customproperty, e.g. Customproperty1 = 'Privileged roles' (For this, do I need to hardcode this at the entitlement level?).
3. So in this attribute, Config for Requestable Entitlement in ARS, do I need to put this value: ev.status1 and ev.customproperty=${isPrivilegeAccess}?
4. Query: select name, case when a.accountkey not in (select ae1.accountkey from account_entitlements1 ae1) then 'Privileged roles' when a.accountkey in (select ae1.accountkey from account_entitlements1 ae1) then 'No Access to Privileged roles' end as id
from accounts a where a.endpointkey=1 and a.status=1. Where does this query need to be pasted?
Thanks,
Gopinath R.
11-25-2022 09:46 PM
Yes, all correct steps.