07/08/2024 04:14 AM
Hi,
I am looking to pull a complete list of all 'DirectoryRole' entitlements relating to EntraID (AzureAD).
Currently, Microsoft has just over 100 of these built in directory roles, found here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#all...
However, in my Saviynt instance, I am only able to see ~30 or so. Where are the other 60+ entitlements?
I had thought that perhaps if someone is not assigned the role in EntraID, then the entitlement would not import, however, there are some entitlements showing as no accounts within.
Thanks,
07/08/2024 04:28 AM
@Ches check any Entitlement and child entitlement
Endpoint -> Entitlement -> open active one -> check again child ent tab -> few ents
Reference:
07/08/2024 04:39 AM
Thanks for your reply, but this does not answer my question?
If I use the Global Reader DirectoryRole entitlement and look at the child entitlements, for example.. what does that have to do with what I'm looking for?
I am looking to understand why there are over 100 Microsoft built-in DirectoryRoles, yet my Saviynt instances only display approx. ~30.
07/08/2024 08:08 PM
07/09/2024 01:33 AM
Hi,
Any import jobs are complete imports and I see nothing to exclude any DirectoryRole etc.
The ENTITLEMENT_ATTRIBUTE on the connection looks standard. And the ENTITLEMENT_FILTER_JSON is blank (as expected).
07/09/2024 11:19 PM
07/10/2024 01:07 AM
I meant that I see nothing to indicate my instance is excluding any Directory Role entitlements.
08/16/2024 06:43 AM - edited 08/16/2024 06:55 AM
We're also experiencing this issue and trying to figure it out ourselves.
08/16/2024 06:46 AM
Please validate in 24.x latest version
08/16/2024 06:54 AM
My bad. We are v24.5
08/16/2024 06:46 AM
Hi @slovelace
After doing some further tests, I have come to the conclusion that the DirectoryRoles will NOT populate in Saviynt unless the role gets assigned to someone/PIM in EntraID. Only then will it populate.
It would be great if you're able to test this on your side, to confirm the behaviour.
08/16/2024 06:50 AM - edited 08/16/2024 06:51 AM
That is what we were suspecting. We also noticed that if the role is "eligible" but not active, it does not populate on the user. Perhaps this is also why some of them show up but are blank? This just failed QA tests yesterday, so it is purely speculation on our part at the moment.
Will keep poking around and trying new things.
08/16/2024 06:54 AM
"We also noticed that if the role is "eligible" but not active, it does not populate on the user."
This behaviour was also noted. Unless it's active at the point of the EntraID sync, it'll show as not assigned to anyone.
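The behaviour described in this thread (only roles activated in the tenant with an active assignment at sync time show up, while eligible-only PIM assignments do not) as an added reconciliation check that is not from the thread or from Saviynt: it assumes you can pull role templates, activated roles with members, and PIM eligibility from Microsoft Graph, and the field names in the constructed samples are assumptions. It reports which built-in roles an import with that behaviour would leave missing or empty, so the governance gap can be tracked rather than discovered by luck.

```python
# Added example (not Saviynt's code). Reconciles the full set of built-in role
# templates against what an importer that only sees *activated* roles with
# *active* members would surface. Samples are constructed and shaped like
# Graph 'directoryRoleTemplates', 'directoryRoles?$expand=members' and PIM
# 'roleEligibilitySchedules' responses; field names are assumptions.
from collections import defaultdict

# Constructed: a handful of the ~100 built-in role templates (placeholder IDs).
ROLE_TEMPLATES = [
    {"id": "tmpl-global-admin", "displayName": "Global Administrator"},
    {"id": "tmpl-global-reader", "displayName": "Global Reader"},
    {"id": "tmpl-security-reader", "displayName": "Security Reader"},
    {"id": "tmpl-billing-admin", "displayName": "Billing Administrator"},
]

# Constructed: roles activated in the tenant, with their *active* members.
ACTIVATED_ROLES = [
    {"roleTemplateId": "tmpl-global-admin",
     "members": [{"userPrincipalName": "alice@example.com"}]},
    {"roleTemplateId": "tmpl-global-reader", "members": []},  # activated, nobody active
]

# Constructed: PIM eligibility (not active) assignments.
ELIGIBLE_ASSIGNMENTS = [
    {"roleTemplateId": "tmpl-global-reader", "principalUpn": "bob@example.com"},
    {"roleTemplateId": "tmpl-security-reader", "principalUpn": "carol@example.com"},
]


def classify_roles(templates, activated, eligible):
    """Map displayName -> {'status', 'eligible_only'} for an active-only import:
    'imported' (active members), 'imported-empty' (activated, no active member)
    or 'missing' (never activated). Eligible-only principals are listed so the
    roles invisible to the import are still visible to the reviewer."""
    active = {r["roleTemplateId"]: r["members"] for r in activated}
    eligible_by_role = defaultdict(list)
    for e in eligible:
        eligible_by_role[e["roleTemplateId"]].append(e["principalUpn"])
    report = {}
    for t in templates:
        tid = t["id"]
        if tid not in active:
            status = "missing"
        elif active[tid]:
            status = "imported"
        else:
            status = "imported-empty"
        report[t["displayName"]] = {"status": status,
                                    "eligible_only": sorted(eligible_by_role.get(tid, []))}
    return report


if __name__ == "__main__":
    for name, info in classify_roles(ROLE_TEMPLATES, ACTIVATED_ROLES, ELIGIBLE_ASSIGNMENTS).items():
        print(f"{name:<25} {info['status']:<15} eligible-only: {', '.join(info['eligible_only']) or '-'}")
```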
08/16/2024 07:00 AM - edited 08/16/2024 07:03 AM
Seems a bit odd. Means it's just a matter of luck if we know appropriate PIM roles then, and they can disappear just as fast on the next sync. Hmmmmmm.