Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAV Role Change Password restriction on a Endpoint

PKSAKS
New Contributor III
New Contributor III

‎10/25/2023 09:24 PM

Usecase:

We have End User SAV Role and Service Desk Sav Role . The End users should be able to change their password through Saviynt for Active Directory Endpoint. And End user is the basic role which all the users will be having by default.

On the other hand Service Desk Sav Role should be only able to change all users Active Directory Endpoint password through Saviynt. If a user is having Service Desk role he is having End user SAV role too by default.

 

Things tried:

Endpoint Access Query: WHERE users.userkey not in(select us.userkey from savroles sv, user_savroles us where sv.rolekey=us.rolekey and sv.rolename in ('ROLE_MT_END_USER')) and users.statuskey=1

but this is not feasible as other SAV roles cannot then request for any of the access/account.

Config For AllowChangePassword:

if we define this and since this is associated to account then Is there  a way to restrict it through SAV Roles so that users with End_User should not be able to change their password but only Service Desk Savrole users can change AD password all users.

Note: We cannot remove the change password for account tile from SAV Role because for other endpoint we want users to self change account passwords.

 

Labels:
0 Kudos
4 REPLIES 4

pruthvi_t
Saviynt Employee
Saviynt Employee

‎10/26/2023 10:57 AM

Hi @PKSAKS ,

Greetings.

So you want to restrict the enduser savrole users to be able to change their password for AD endpoint.

Please let me know if my understanding is accurate.

Thanks,


Regards,
Pruthvi
0 Kudos

aidanryan
New Contributor III
New Contributor III

‎12/11/2023 09:20 AM

Hey @pruthvi_t ,

Not to hijack this thread, but that is what we are wondering. Would it be possible on the Endpoint to do something like 'WHERE user_savroles.rolekey != 32' to block certain SAV Roles from seeing certain endpoints when going to reset account passwords for Self and Others?

 

Thank you,

Aidan Ryan

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to aidanryan

‎12/11/2023 10:01 AM

tables are not directly exposed hence no. You need to use sub queries


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

rushikeshvartak
All-Star
All-Star

‎12/11/2023 10:03 AM

Config For AllowChangePassword:  You can use this config to show end user only there account for AD Application and Support team all users.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
Copyright © 2024 Khoros, LLC