
Roles and Entitlements assignment

userNM
New Contributor III

Hello,

Is it possible to assign the entitlement to the account (user) based on user.customproperties? In AD?

For example, where user.customproperty1 = 'x' and user.customproperty2 = 'y' and

AD Entitlements = 'CN= 'xy.....' then this entitlement is assigned to an account of a user,

because each user has a unique AD Entitlement.

Thank you!

 

 


Raghu
All-Star

@userNM yes, based on an actionable analytics report:

Create an Analytics Report based on your criteria, pass the group entitlement_valuekey, and create a RunAllAnalyticsJob under Job:

select distinct
  a.accountkey AS 'acctKey',
  '12313' AS 'entvaluekey',  -- entitlement_valuekey of the group to assign
  u.enddate AS 'Termination Date',
  a.accountid,
  a.name as accName,
  u.userkey as 'userKey',
  u.username AS 'GUID',
  u.FIRSTNAME,
  u.LASTNAME,
  u.EMAIL AS USER_EMAIL,
  SYSDATE() AS RUNTIME,
  'provisionaccess' as 'Default_Action_For_Analytics'
from users u, user_accounts ua, accounts a, account_entitlements1 ae
where a.status in ('ACTIVE','Manually Provisioned','1')
  and u.userkey = ua.userkey
  and ua.accountkey = a.accountkey
  and a.accountkey = ae.accountkey
  and a.endpointkey = 5
  and u.customproperty1 = 'x'
  and u.customproperty2 = 'y'

 

Reference:

https://forums.saviynt.com/t5/identity-governance/access-provisioning-aad-groups-through-actionable-...

[This message has been edited by moderator to remove URL hyperlink]


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

rushikeshvartak
All-Star

You can use a technical rule and a user update rule to assign AD groups dynamically.

Refer https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter05-Policies/Creating-Technic...


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

dgandhi
All-Star

Can be assigned via Technical rule, below example:

Scenario 2: Provisioning Access (Entitlements) based on Dynamic Values

This scenario provides details of provisioning access (entitlement values) to a user for entitlement values belonging to a particular entitlement type and an endpoint when it matches the condition specified using the dynamic user attributes. For example, let’s assume that there are entitlement values such as: CN=HR,OU=AD (entitlementvalue1 value), CN=Finance,OU=AD (entitlementvalue2 value), and CN=Engineering,OU=AD (entitlementvalue3 value) belonging to an endpoint 'ADTest' and associated to an entitlement type 'Groups'. The departments available in the system are: HR, Finance, and Engineering, which are assigned to a user. There is already an existing Endpoint named 'ADTest' and an entitlement type 'Groups' with above-mentioned entitlement values available.

Using this technical rule, you can assign the entitlement value to the user account for the respective department to which the user belongs, when a user is created or updated in EIC. To achieve this, define the following parameters in the technical rule:

  • Object Type: Specify ENDPOINT::ENTITLEMENTTYPE from which you want to assign the entitlement to the user.

  • Object: specify the CN=${user.departmentname},OU=AD custom query.

  • Attribute: Select Assign.

The critical parameter Object checks dynamic values of user's departmentname (using the user.departmentname) such as HR, Finance, and Engineering to which user belongs and accordingly assigns the respective entitlement for the particular department. For example, when a user joins the HR department then based on the query, the entitlementvalue1 value CN=HR,OU=AD is assigned to the user for Groups entitlement type and ADTest endpoint. Once the tasks are created and are completed for all the entitlements, the respective entitlements are provisioned to the user account.


Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

userNM
New Contributor III

Thank you very much! And also @Raghu and @rushikeshvartak!

But the thing is that roles are like CN = role_user.customproperty1_user.customproperty2, OU=AD

so kind of a combination; not sure if, from the syntax, I can write something like this:

CN = ${%user.customproperty1%} "_"${%user.customproperty2%}, OU=AD

And @Raghu do you think if the entitlements are already there, we can link it with accounts via analytics?

 

You can use 

CN = ${%user.customproperty1%} "_"${%user.customproperty2%}, OU=AD


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@userNM yes, any we passing endpointkey account level it will, and you can try the above syntax, it works


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

userNM
New Contributor III

Thank you! In the reference link which you sent to me

https://forums.saviynt.com/t5/identity-governance/access-provisioning-aad-groups-through-actionable-...

they use Enable Default Action for Analytics and then it is provisioned automatically, but in our case, in the newest version of Saviynt, there is no such Job type 'Run all Analytics-v2 (ANALYTICSESJOB)'. Do you know if it still exists in the newest version?

Yes exists



Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

userNM
New Contributor III

Hi @Raghu, we made the analytics and it worked as you described. The problem is that it shows that the task is successfully completed, but in the user account there are no entitlements assigned...


so, we do not understand where there is an error and how we can fix it... because the entitlement should be assigned...

Thanks!

Do you see an entry in the account_entitlements1 table for the account?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
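
As an added example (not code from the thread or from Saviynt), the query below extends the analytics approach above to the per-user role_<customproperty1>_<customproperty2> group name discussed in the thread, and returns only accounts that still have no matching row in account_entitlements1, which is also the check asked for in the last reply. The entitlement_values and entitlement_types tables and their columns, the entitlement_valuekey column on account_entitlements1, the shortened DN and all sample rows are assumptions; SQLite with a registered CONCAT stands in for the MySQL database so the query runs offline.

```python
import sqlite3

# MySQL-style analytics query. Names not present in the thread's query
# (entitlement_values, entitlement_types and their columns) are assumptions.
MISSING_ACCESS_SQL = """
SELECT DISTINCT a.accountkey AS acctKey,
       ev.entitlement_valuekey AS entvaluekey, a.name AS accName,
       'provisionaccess' AS Default_Action_For_Analytics
FROM users u
JOIN user_accounts ua ON ua.userkey = u.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
JOIN entitlement_types et ON et.endpointkey = a.endpointkey
JOIN entitlement_values ev
  ON ev.entitlementtypekey = et.entitlementtypekey
 AND ev.entitlement_value =
     CONCAT('CN=role_', u.customproperty1, '_', u.customproperty2, ',OU=AD')
LEFT JOIN account_entitlements1 ae   -- anti-join: keep only missing links
  ON ae.accountkey = a.accountkey
 AND ae.entitlement_valuekey = ev.entitlement_valuekey
WHERE a.status IN ('ACTIVE', 'Manually Provisioned', '1')
  AND a.endpointkey = 5
  AND u.customproperty1 <> '' AND u.customproperty2 <> ''
  AND ae.accountkey IS NULL
ORDER BY a.accountkey
"""

def missing_access():
    db = sqlite3.connect(":memory:")
    # SQLite stand-in for MySQL CONCAT (any NULL argument gives NULL).
    db.create_function("CONCAT", -1,
                       lambda *p: None if None in p else "".join(map(str, p)))
    db.executescript("""
    CREATE TABLE users(userkey, customproperty1, customproperty2);
    CREATE TABLE user_accounts(userkey, accountkey);
    CREATE TABLE accounts(accountkey, name, status, endpointkey);
    CREATE TABLE entitlement_types(entitlementtypekey, endpointkey);
    CREATE TABLE entitlement_values(entitlement_valuekey, entitlementtypekey, entitlement_value);
    CREATE TABLE account_entitlements1(accountkey, entitlement_valuekey);
    -- constructed sample rows, not real data
    INSERT INTO users VALUES (1,'x','y'),(2,'x','z'),(3,'x',NULL),(4,'q','r');
    INSERT INTO user_accounts VALUES (1,101),(2,102),(3,103),(4,104);
    INSERT INTO accounts VALUES (101,'alice','ACTIVE',5),(102,'bob','ACTIVE',5),
                                (103,'carol','ACTIVE',5),(104,'dave','ACTIVE',5);
    INSERT INTO entitlement_types VALUES (7,5);
    INSERT INTO entitlement_values VALUES (12313,7,'CN=role_x_y,OU=AD'),(12314,7,'CN=role_x_z,OU=AD');
    INSERT INTO account_entitlements1 VALUES (102,12314);
    """)
    return db.execute(MISSING_ACCESS_SQL).fetchall()
```

Because the composed DN is matched against existing entitlement_values rows, a user whose attributes are empty or do not name an existing group produces no row rather than an unintended assignment. An account that still appears after the provisioning task reports success has no account_entitlements1 entry for that entitlement.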