We are conducting a POC for Cloud MSSQL DB onboarding to Saviynt.
Solutioning approach:
Separate SS, EP and Connection for Master (Login) and the application-specific schema.
The Master EP will be requestable and will contain dummy entitlements (a replica of the entitlements from the application schema endpoint), which will be mapped to the entitlements from the application schema endpoint.
A workflow will be configured on the Master SS.
The Master Connection can create the login in Master and remove the login from Master.
The app-specific Schema EP will not be requestable. However, provisioning tasks will get created along with the Master EP entitlements (entitlement mapping).
No workflow will be configured for the app-specific Schema SS.
The app-specific Schema connection will create the user and map it to the login, add/remove roles for the user, and remove the user from the schema.
Use cases:
New account request:
Tasks will be created for the Master and Schema Endpoints and provisioned through the respective connectors. If a user requests 1 role, 2 tasks will be created: one for the dummy entitlement in Master and a second for the mapped entitlement from the Schema Endpoint. Both tasks will be completed after running the provisioning job.
Modify request:
If a user needs access to a new application-specific schema, then a Modify request is created in the Master EP, as the user account is already present in the Master EP. The user selects the roles and submits the request. 2 tasks will be created: one for the dummy entitlement in Master and a second for the mapped entitlement from the Schema Endpoint. Both tasks will be completed after running the provisioning job. This will create the account in the new schema as well. The same process applies for removing access from one app-specific schema: the user needs to create a Modify request to remove the applicable role.
Delete request:
During a delete account request, deprovisioning tasks will be created for all the child entitlements belonging to the schema-specific endpoint, along with the Master login removal task.
Kindly let me know if this is the right approach or if any better solutioning is being used.
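
The T-SQL that the two connections described in this post would have to issue, as an added example that is not part of the original post and is not Saviynt connector configuration. The login name `jdoe`, the role `app_reader` and the password placeholder are hypothetical; each section runs over its own connection, since the Master and app-specific connections point at different databases.

```sql
-- Added example. [jdoe], [app_reader] and the password are hypothetical placeholders.

-- === Master connection (connected to the master database) ===
-- New account request: create the server-level login.
-- Service account needs ALTER ANY LOGIN (SQL Server) or the loginmanager
-- role in master (Azure SQL Database); nothing in the application database.
CREATE LOGIN [jdoe] WITH PASSWORD = N'<generated-by-provisioning>';

-- === App-specific schema connection (connected to the application database) ===
-- Service account needs ALTER ANY USER and ALTER ANY ROLE in this database only.

-- New account / Modify (add access): create the user mapped to the login,
-- then grant the role carried by the mapped entitlement.
CREATE USER [jdoe] FOR LOGIN [jdoe];
ALTER ROLE [app_reader] ADD MEMBER [jdoe];

-- Modify (remove access): drop only the role membership.
ALTER ROLE [app_reader] DROP MEMBER [jdoe];

-- Reconciliation check: role memberships the user actually holds here,
-- to compare against the entitlements recorded on the schema endpoint.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'jdoe';

-- Delete request, step 1: remove the database user in every application
-- database where it exists. Run this BEFORE the login is dropped.
DROP USER IF EXISTS [jdoe];

-- === Master connection (connected to the master database) ===
-- Delete request, step 2: drop the login last. If the login is dropped first
-- and a schema task then fails, the database user stays behind as an
-- orphaned principal that still holds its role memberships.
DROP LOGIN [jdoe];
```

For the delete use case, the ordering in the last two steps is the part to verify in the POC: the login removal task should complete only after every schema-endpoint deprovisioning task has succeeded.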