
SAV Role Change Password restriction on an Endpoint

PKSAKS
New Contributor III

Use case:

We have an End User SAV Role and a Service Desk SAV Role. The end users should be able to change their password through Saviynt for the Active Directory Endpoint. End User is the basic role which all users will have by default.

On the other hand, the Service Desk SAV Role should only be able to change all users' Active Directory Endpoint passwords through Saviynt. If a user has the Service Desk role, he has the End User SAV role too by default.


Things tried:

Endpoint Access Query: WHERE users.userkey not in(select us.userkey from savroles sv, user_savroles us where sv.rolekey=us.rolekey and sv.rolename in ('ROLE_MT_END_USER')) and users.statuskey=1

But this is not feasible, as other SAV roles then cannot request any of the access/accounts.

Config For AllowChangePassword:

If we define this, since it is associated with the account, is there a way to restrict it through SAV Roles so that users with End_User should not be able to change their password, but only Service Desk SAV Role users can change the AD password for all users?

Note: We cannot remove the Change Password for Account tile from the SAV Role, because for other endpoints we want users to self-change account passwords.


pruthvi_t
Saviynt Employee

Hi @PKSAKS ,

Greetings.

So you want to restrict the enduser savrole users to be able to change their password for AD endpoint.

Please let me know if my understanding is accurate.

Thanks,


Regards,
Pruthvi

aidanryan
New Contributor III

Hey @pruthvi_t ,

Not to hijack this thread, but that is what we are wondering. Would it be possible on the Endpoint to do something like 'WHERE user_savroles.rolekey != 32' to block certain SAV Roles from seeing certain endpoints when going to reset account passwords for Self and Others?


Thank you,

Aidan Ryan

Tables are not directly exposed, hence no. You need to use subqueries.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
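
The subquery form discussed above, as an added example that is not part of any post in this thread and is not Saviynt code: it runs the original NOT IN clause and a positive IN variant against a small in-memory SQLite model to show which users each one selects when every user holds the default role. Only the table and column names come from the thread; the sample rows, the rolekey values and the role name ROLE_MT_SERVICE_DESK are assumptions.

```python
import sqlite3

# Constructed sample data. Table and column names are taken from the thread;
# the rows, rolekey values and ROLE_MT_SERVICE_DESK are hypothetical.
SCHEMA = """
CREATE TABLE users (userkey INTEGER PRIMARY KEY, username TEXT, statuskey INTEGER);
CREATE TABLE savroles (rolekey INTEGER PRIMARY KEY, rolename TEXT);
CREATE TABLE user_savroles (userkey INTEGER, rolekey INTEGER);
INSERT INTO users VALUES (1,'alice',1),(2,'bob',1),(3,'carol',1),(4,'dave',0);
INSERT INTO savroles VALUES (10,'ROLE_MT_END_USER'),(20,'ROLE_MT_SERVICE_DESK');
-- Every user holds the end-user role; bob and dave also hold service desk.
INSERT INTO user_savroles VALUES (1,10),(2,10),(3,10),(4,10),(2,20),(4,20);
"""

# Clause from the original post: exclude holders of the default role.
EXCLUDE_END_USER = """
users.userkey NOT IN (SELECT us.userkey FROM savroles sv, user_savroles us
                      WHERE sv.rolekey = us.rolekey
                        AND sv.rolename IN ('ROLE_MT_END_USER'))
AND users.statuskey = 1"""

# Variant: include only holders of the privileged role.
INCLUDE_SERVICE_DESK = """
users.userkey IN (SELECT us.userkey FROM savroles sv, user_savroles us
                  WHERE sv.rolekey = us.rolekey
                    AND sv.rolename IN ('ROLE_MT_SERVICE_DESK'))
AND users.statuskey = 1"""


def matching_users(where_clause):
    """Return the usernames a WHERE clause selects from the sample tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rows = con.execute(
        "SELECT username FROM users WHERE " + where_clause + " ORDER BY username"
    ).fetchall()
    con.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # The default role is held by everyone, so excluding it selects nobody.
    print("exclude end user    :", matching_users(EXCLUDE_END_USER))
    # Only active holders of the service desk role are selected.
    print("include service desk:", matching_users(INCLUDE_SERVICE_DESK))
```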

rushikeshvartak
All-Star

Config For AllowChangePassword: You can use this config to show end users only their account for the AD application, and the support team all users.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.