
SAV Role best practice

Murmur
Regular Contributor III

Hi everyone, 

I've been having trouble with my SAV Roles, particularly when it comes to assigning multiple roles to a user. 

When I set up a SAV Role, I understand that I can use "For whom can the user setup delegate" to limit the scope of Parent User in the Create Delegate view.

[Screenshot: Murmur_0-1718349738758.png]

Setup

I have 2 SAV Roles: SAV_1_Basic and SAV_2_Delegation.

SAV_1_Basic (screenshots below) works perfectly on its own. It grants users basic Saviynt access, such as the use of Create and Update User Requests.

SAV_1_Query (For whom can the user setup delegate): tried the following two values
- ALL
- empty string

SAV_2_Delegation (screenshots below) works exactly as I would expect. It allows the User to set Delegates for itself + direct subordinates.

SAV_2_Query (For whom can the user setup delegate):

select a from Users a where (a.id=${users?.id} or a.manager=${users?.id})

 

Expected Behavior

When the User has either role assigned, everything works fine. When a User has both Roles assigned, I would expect it to be able to use everything specified in SAV_1_Basic as well as setting up delegates for itself via SAV_2_Delegate.

Issue

The issue arises when a User has both Roles assigned.

- If SAV_1_Query is set to ALL: the User is able to select a Parent User from all Users in our system and is able to set up delegation for them.
- If SAV_1_Query is set to an empty string: the parent selection uses the correct scope, but you get an access denied error as soon as the Delegation is about to be created.

While this is only one of a dozen use-cases of SAV Roles, I feel that this might become an issue in many configurations.

Question

How do you approach this topic? It seems impossible to me to have a good SAV Role structure when they interfere with each other - which shouldn't be the case by definition, as it defeats the purpose of roles.
 
Cheers 🙂
 
 

Screenshots

SAV_1_Basic:

[Screenshot: Murmur_3-1718350336364.png]

SAV_2_Delegate:

[Screenshot: Murmur_4-1718350373194.png]


rushikeshvartak
All-Star

Instead of ALL, try

select a from Users a 

Regards,
Rushikesh Vartak

Murmur
Regular Contributor III

Hi @rushikeshvartak - that is basically the same as ALL and leads to the exact same issue as above:

If SAV_1_Query is set to ALL: the User is able to select a Parent User from all Users in our system and is able to set up delegation for them.