10/13/2023 05:51 AM - edited 10/13/2023 05:52 AM
Dear community,
Our project requires connecting from an external application to Saviynt via API.
Should we
1) use normal Saviynt user identity with an appropriate SAV role to perform API calls
OR
2) should we enable the ADD/REMOVE service account workflow on the Saviynt security system and then create a service account identity that would be linked to it?
What is the best approach and why?
I kindly ask for your help, please.
Best regards,
Francisco J.
10/13/2023 06:30 AM - edited 10/13/2023 06:55 AM
Hi @FranciscoS,
Please refer to the documentation below for details on the information you requested.
Saviynt API Best Practices - Saviynt Forums - 36345
Kindly validate the provided information and let us know if additional details are required.
10/13/2023 06:56 AM
Hi @FranciscoS,
We are checking on this and we will keep you posted.
10/17/2023 02:51 AM
Hello @DixshantValecha ,
Thanks for your reply. According to the best practices document, it would be fine to create a normal Saviynt user and assign endpoint access to it following a least-privilege approach. -> That would correspond to our option 1).
What do you think about option 2?
Kind regards,
Francisco J.
11/06/2023 12:59 AM
Authentication to the Saviynt API is typically done using a service account in Saviynt that should have read/write access to the application. This service account's username and password need to be provided to authenticate to Saviynt before any APIs can be executed.
However, the best practice guide for managing Saviynt API service accounts recommends following a standard naming convention across all Saviynt API user identities. It also suggests implementing a least privilege approach by creating a custom SAV role that includes only the necessary web service permissions.
If possible, it is recommended to use a refresh token to generate an access token so that the static service account user ID and password do not need to be stored in the application making API calls.
So, in your case, both options could work, but using a service account with an appropriate SAV role might provide more security and flexibility. This is because service accounts are designed to represent machine users, such as software or business processes, that require authenticated access to privileged resources.
Please let me know if further info is needed on this.
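As an added illustration of the refresh-token pattern recommended in the answer above (example code written for this page, not Saviynt's own client or anything posted in the thread): the calling application performs a one-time login with the service account's password, keeps only the resulting refresh token, and mints short-lived access tokens from it on demand, refreshing ahead of expiry and once more on an unexpected 401. The endpoint paths (/ECM/api/login, /ECM/oauth/access_token, /ECM/api/v5/getUser), response field names, the tenant URL and the credentials are assumptions; the `FakeSaviynt` class is a constructed stand-in for a tenant so the code runs offline and the behaviour can be checked against a controllable clock.

```python
import time
from typing import Callable, Dict, Optional, Tuple

Json = Dict[str, object]
# transport(method, url, headers, json_body) -> (http_status, json_response); swap in requests/httpx for real use
Transport = Callable[[str, str, Dict[str, str], Optional[Json]], Tuple[int, Json]]


def bootstrap_refresh_token(base_url: str, username: str, password: str, transport: Transport) -> str:
    """One-time enrolment: trade the service account password for a refresh token.
    Only the refresh token is returned/stored; the password is not kept by the app.
    Login path and field names are assumptions about the Saviynt REST login flow."""
    status, body = transport("POST", f"{base_url}/ECM/api/login",
                             {"Content-Type": "application/json"},
                             {"username": username, "password": password})
    if status != 200 or "refresh_token" not in body:
        raise RuntimeError(f"login failed: HTTP {status}")
    return str(body["refresh_token"])  # the access token in the same reply is deliberately discarded


class SaviyntTokenClient:
    """Holds a refresh token and a cached access token; never sees the password."""

    def __init__(self, base_url: str, refresh_token: str, transport: Transport,
                 skew: int = 60, now: Callable[[], float] = time.time):
        self._base, self._refresh_token, self._transport = base_url.rstrip("/"), refresh_token, transport
        self._skew, self._now = skew, now          # refresh `skew` seconds before the token expires
        self._access_token: Optional[str] = None
        self._expires_at = 0.0
        self.refresh_count = 0                     # exposed so callers/tests can observe refresh behaviour

    def _refresh(self) -> None:
        status, body = self._transport("POST", f"{self._base}/ECM/oauth/access_token",
                                       {"Content-Type": "application/x-www-form-urlencoded"},
                                       {"grant_type": "refresh_token", "refresh_token": self._refresh_token})
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"refresh failed: HTTP {status}")  # e.g. refresh token revoked: re-bootstrap
        self._access_token = str(body["access_token"])
        self._expires_at = self._now() + float(body.get("expires_in", 0))
        self.refresh_count += 1

    def access_token(self) -> str:
        if self._access_token is None or self._now() >= self._expires_at - self._skew:
            self._refresh()
        return str(self._access_token)

    def call(self, method: str, path: str, body: Optional[Json] = None) -> Tuple[int, Json]:
        headers = {"Authorization": f"Bearer {self.access_token()}", "Content-Type": "application/json"}
        status, resp = self._transport(method, f"{self._base}{path}", headers, body)
        if status == 401:                          # token revoked server-side: refresh once and retry
            self._refresh()
            headers["Authorization"] = f"Bearer {self._access_token}"
            status, resp = self._transport(method, f"{self._base}{path}", headers, body)
        return status, resp


class FakeSaviynt:
    """Constructed stand-in for a tenant: validates credentials, issues tokens, enforces expiry."""

    def __init__(self, now: Callable[[], float], ttl: int = 1800):
        self._now, self.ttl, self._n = now, ttl, 0
        self.valid_users = {"svc_api_hr": "correct horse battery"}   # constructed service account
        self.refresh_tokens: set = set()
        self.access_tokens: Dict[str, float] = {}                     # token -> expiry timestamp

    def _issue(self, prefix: str) -> str:
        self._n += 1
        return f"{prefix}-{self._n}"

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[Json]) -> Tuple[int, Json]:
        body = body or {}
        if url.endswith("/ECM/api/login"):
            if self.valid_users.get(str(body.get("username"))) != body.get("password"):
                return 401, {"error": "invalid credentials"}
            rt, at = self._issue("rt"), self._issue("at")
            self.refresh_tokens.add(rt)
            self.access_tokens[at] = self._now() + self.ttl
            return 200, {"access_token": at, "refresh_token": rt, "expires_in": self.ttl}
        if url.endswith("/ECM/oauth/access_token"):
            if body.get("grant_type") != "refresh_token" or body.get("refresh_token") not in self.refresh_tokens:
                return 401, {"error": "invalid_grant"}
            at = self._issue("at")
            self.access_tokens[at] = self._now() + self.ttl
            return 200, {"access_token": at, "expires_in": self.ttl}
        auth = headers.get("Authorization", "")
        at = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.access_tokens.get(at, 0.0) <= self._now():
            return 401, {"error": "expired or unknown token"}
        return 200, {"ok": True, "endpoint": url.rsplit("/", 1)[-1]}


def demo() -> Dict[str, int]:
    """Walk through first call, expiry after an hour, and server-side revocation."""
    clock = [1_000_000.0]
    now = lambda: clock[0]
    tenant = FakeSaviynt(now)
    base = "https://tenant.example.saviyntcloud.com"               # assumed URL
    rt = bootstrap_refresh_token(base, "svc_api_hr", "correct horse battery", tenant)
    client = SaviyntTokenClient(base, rt, tenant, now=now)         # password is out of scope from here on
    first, _ = client.call("POST", "/ECM/api/v5/getUser", {"username": "jdoe"})
    clock[0] += 3600                                               # cached access token is now expired
    second, _ = client.call("POST", "/ECM/api/v5/getUser", {"username": "jdoe"})
    tenant.access_tokens.clear()                                   # admin revokes all sessions
    after_revoke, _ = client.call("POST", "/ECM/api/v5/getUser", {"username": "jdoe"})
    return {"first": first, "second": second, "after_revoke": after_revoke, "refreshes": client.refresh_count}
```

Two design points worth noting: the refresh token is the only long-lived secret the application holds, so it is the thing to protect (vault, restricted file permissions) and to rotate, and a failed refresh is surfaced as an exception rather than silently falling back to a password login, which would defeat the purpose of the pattern.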