Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

SAV Role best practice

Murmur
Regular Contributor III
Regular Contributor III

Hi everyone, 

I've been having trouble with my SAV Roles, particularly when it comes to assigning multiple roles to a user. 

When I set up a SAV Role I understand, that I can use the For whom can the user setup delegate  to limit the scope of Parent User in the Create Delegate view 

Murmur_0-1718349738758.png

Setup

I have 2 SAV Roles. SAV_1_Basic and SAV_2_Delegation.
 
SAV_1_Basic (screenshots below) works perfectly on its own. It grants users basic Saviynt access, such as the use of Create and Update User Requests.
SAV_1_Query (For whom can the user setup delegate): Tried the following two 
ALL          
empty string
SAV_2_Delegation (screenshots below) works exactly as I would expect. It allows the User to set Delegates for itself + direct subordinates.

SAV_2_Query (For whom can the user setup delegate):

select a from Users a where (a.id=${users?.id} or a.manager=${users?.id})

 

Expected Behavior

When the User has assigned either role, everything works fine. When a User has both Roles assigned, I would expect it to be able to use everything specified in SAV_1_Basic as well as setting up delegates for itself via SAV_2_Delegate. 

Issue

The issue arises, when a User has both Roles assigned.
If SAV_1_Query is set to ALL:
Then the User is able to select a Parent User from all Users in our system and is able to set up delegation for them.
If SAV_1_Query is set to an empty string: 
Then the parent selection uses the correct scope, but you get an access denied error, as soon as the Delegation is about to be created.
 
While this is only one of a dozen of use-cases of SAV Roles, I feel, taht this might get an issue at many configurations. 

Question

How to you approach this topic? It seems impossible to me to have a good SAV Role structure, when they interfere with each other - which shouldn't be the case by definition, as it defeats the purpose of roles.
 
Cheers 🙂
 
 

Screenshots

SAV_1_Basic:

Murmur_3-1718350336364.png

SAV_2_Delegate:

Murmur_4-1718350373194.png

 


 

2 REPLIES 2

rushikeshvartak
All-Star
All-Star

instead of all try 

select a from Users a 

Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Murmur
Regular Contributor III
Regular Contributor III

Hi @rushikeshvartak - that is basically the same as ALL and leads to the exact same issue as above: 

If SAV_1_Query is set to ALL:
Then the User is able to select a Parent User from all Users in our system and is able to set up delegation for them.