Click HERE to see how Saviynt Intelligence is transforming the industry. |
05/21/2024 03:55 AM
Hello Team,
I need a help regarding the certification launch we have a requirement from client if user's/employees title gets change basically JML process Certification should trigger via update rules I can think of for now could you please guide with the process ?
05/21/2024 04:15 AM
Hi,
You can refer to this Saviynt document; it gives detailed answers for triggering certification based on change in user attribute
Thanks
05/21/2024 11:03 PM
Saviynt provides the capability to launch campaign (certification) based on changes to user attributes. For example, when the company, city department or any other user metadata value of the user is modified or changed the Campaign defined is launched. Following steps need to be followed to trigger event based certification.
Perform the following steps, to launch a Campaign from User Update Rule:
Configure a user update rule by providing the name, condition which needs to be checked when a user attribute is modified, and choose the action as “Launch Certification” which opens a pop up to enter campaign configuration. Enter the necessary configuration and click on SAVE to create the rule.
Rule Details | |
Rule Name | Specify a relevant rule name for the user update rule which is created to launch a Campaign. |
Detective | Select the Detective checkbox, if you want to trigger the rule when the user is updated using Import User option. |
Select Type | If you select Detective checkbox, by default the type is selected as 'Trigger when the user is updated from Import'. If Detective checkbox is not selected the following different types of rule type can be selected.
|
Rule Description | Specify detailed description for the user update rule. |
Rule Owner | Allows you to add a rule owner for the respective user update rule. Click Add Rule Owner to add an owner for the respective user update rule. |
Condition |
|
Advanced Config | By default, the Advanced Config is disabled (OFF). If you want to specify a query as a condition to be matched for triggering the user update rule, you need to turn the Advanced Config ON. |
Object | Select the attribute as User(s) for which you want to trigger the user update rule. |
Attribute | Select the user attribute to which you want to map the condition. For example, you can select the attribute as city, department, statuskey, manager, and so on based on the criteria you can trigger the user update rule. Sample: For example, you want to launch a campaign when the user's job function is changed. |
Condition | Specify the Condition based to be matched for the select attribute. Possible condition values are: is update, Equals, greater than, less than, contains, starts with, does not contain, not equals, not null, is Null, is updated, in, and not in. Sample: For example, you want to configure the condition for when the user's job function, manager, or city attribute 'is updated' then select the condition as 'is updated'. |
Value | Allows you to specify a specific value to which the object attribute should map. Sample: For example, for the City name is Bangalore condition, you can specify the value as 'Bangalore'. |
Next Condition | Optionally, you can specify more than 1 condition. Both the conditions or more than 1 conditions, you can specify whether all conditions should be mapped using AND in Next Condition. For any 1 of the condition, to be mapped, specify OR. |
Add Condition | Click Add Condition to add multiple conditions to the user update rule. |
Action | |
Organization Name | Used to specify the organization name to which the user belongs. |
Launch Certification | Select Launch Certification from the drop-down list. Select Manager, to launch the certification for User Manager. |
Campaign Configuration | Click Campaign Configuration to create a campaign for the user update rule. Campaign screen dialog will be displayed. Refer this step for more details about configuring the Campaign to be launched, when the user update rule is triggered after the condition specified is met. |
Once you click on Campaign Configuration, the following screen is displayed. Provide the campaign related parameter values in Campaign Configuration.
Campaign Name | Provide a logical campaign name, to easily identity the campaign. |
Campaign Owner | Select the campaign owner for the campaign. The Campaign owner can additionally add other certifiers to the respective Campaign. |
Launch Type | Select whether you want to launch the campaign in active mode or in preview mode. Campaign in preview mode are read only and not yet launched. From preview mode, you can activate the campaign. |
Number of days to expire campaign | Specify the number of days from the campaign active mode after which you want to expire the campaign. For campaigns in preview mode, only when the campaign is active the days to expire campaign are counted from the activation date. |
Campaign Type | You can select either User Manager or Service Account as the campaign type. Only for these two campaign types, you can launch a campaign. |
Default Configuration | Specifying ON as the Default Configuration enables applying the Admin > Configure > Attestation configuration parameters specified to the newly defined campaign. You can turn the Default Configuration OFF and specify attestation and campaign configuration specifically for the newly defined campaign. This will override the default configuration set from Admin > Configure > Attestation. |
Application | You can select all the application for which you want to apply the Campaign. Alternatively, you can select a specific target application only for which you want to launch the campaign. |
Items to be included | This option allows you to perform certification for: BASE_ACCOUNT of user, Entitlements, and Roles assigned to user. The certification for only the selected identity objects can be launched inside the campaign. For example, if you only select Roles only the Roles attestation can be done. The attestation for BASE_ACCOUNT and Entitlements will not be available if Roles is selected. Additionally, if you specify BASE_ACCOUNT, Roles and Entitlements, you will get 2 Step attestation. The first step is used to perform Employment verification, while the second step is used to perform role and entitlement verification. |
(Optional) Scroll down and provide parameter values based on which you want to filter the users, accounts, or entitlements and click Submit.
Users Query | Allows you to specify a user query based on which you want to filter the users. |
Accounts Query | Allows you to specify account names based on which you want to filter the accounts. |
Entitlements Query | Allows you to specify entitlement attributes (such as risk >1 and sox_critical >0) based on which you want to filter the entitlements. |
Account Entitlements1 Query | Allows you to specify a combination of accounts and entitlement attributes based on which you want to filter the account entitlements. |
reassign.users | Certifications inside a campaign can be reassigned to other user(s). Using the reassign.users setting, you can specify a query to filter the specific user(s) only which you want to populated when you click on Reassign. For example, you can provide a query to filter the manager and it will only fetch the manager list, when you click on Reassign. |
Include Users with type | Allows you to select employee type, which is Employee or Contractor. The Employee Type field in Users is used to set the employee type. |
Include Access assigned through | Enables you to include the access type, which is assigned to a user. The access types are assigned to a user can be:
|
Include Accounts of type | Allows you to select the account type(s), which you want to include as part of Campaign.
|
05/22/2024 04:19 AM
I have successfully completed step 3 mentioned in the information provided above. However, I am unsure about how to proceed with the configuration. Can you please guide me through the process?
05/22/2024 09:51 PM - edited 05/22/2024 09:51 PM
Next steps #4 is optional configurations