Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Service Account for API calls

Go to solution
FranciscoS
New Contributor III
New Contributor III

‎10/13/2023 05:51 AM - edited ‎10/13/2023 05:52 AM

Dear community,

Our project requires to connect from external application via API to Saviynt. 

Should we

1) use normal Saviynt user identity with an appropriate SAV role to perform API calls

OR

2) should we enable ADD/REMOVE service account workflow on the Saviynt security system and then create a service account identity which would be linked to that?

What is the best approach and why?

I kindly ask for your help, please.

Best regards,

Francisco J.

Labels:
0 Kudos
4 REPLIES 4

Go to solution
DixshantValecha
Saviynt Employee
Saviynt Employee

‎10/13/2023 06:30 AM - edited ‎10/13/2023 06:55 AM

Hi @FranciscoS,

Please refer the below documentation for details on your requested information.

API Reference (saviynt.com)

Saviynt API Best Practices - Saviynt Forums - 36345

Kindly request your validation of the provided information and kindly inform us if additional details are required.

Go to solution
DixshantValecha
Saviynt Employee
Saviynt Employee

‎10/13/2023 06:56 AM

Hi @FranciscoS,

We are checking on this and we will keep you posted.

0 Kudos

Go to solution
FranciscoS
New Contributor III
New Contributor III
In response to DixshantValecha

‎10/17/2023 02:51 AM

Hello @DixshantValecha ,

Thanks for your reply. According with best practices document, it would be well creating a normal Saviynt user and assigning endpoint access accordingly with least privilege approach to it. -> That would mean our option number 1).

What do you think about option 2?

Kind regards,

Francisco J.

0 Kudos

Go to solution
DixshantValecha
Saviynt Employee
Saviynt Employee

‎11/06/2023 12:59 AM

Authentication to Saviynt API is typically done using a service account in Saviynt that should have read/write access to the application. This service account username and password need to be provided for authenticating into Saviynt before any APIs can be executed.

However, the best practice guide for managing Saviynt API service accounts recommends following a standard naming convention across all Saviynt API user identities. It also suggests implementing a least privilege approach by creating a custom SAV role that includes only the necessary web service permissions.

If possible, it’s recommended to use a Refresh token to generate an access token so that the static service account userid and password do not need to be stored in the application making API calls.

So, in your case, both options could work, but using a service account with an appropriate SAV role might provide more security and flexibility. This is because service accounts are designed to represent machine users, such as software or business processes, that require authenticated access to privileged resources.

Please let me know if further info is needed on this.

 

Copyright © 2024 Khoros, LLC