
Access Request for privileged roles

Community_User
Saviynt Employee

Originally posted on March 30 2022 at 15:36 UTC

Hello Folks,

I have the following requirements for access request and wanted to know if they can be achieved:

We have two sets of roles (privileged and non-privileged) defined on Saviynt that are associated with AD groups.

Through a webservice call, I can request a Privileged role and Saviynt should do the following:

1. Assign the Privileged Role to the Identity.

2. Create a task to create the AD account of the user. But the SAMAccountName of this user should be the user ID followed by -adm.

3. Assign the AD group associated with the Privileged role to the -adm account of the user.

Now the same requirement applies if a Non-Privileged role is requested through the webservice. The only difference is that Saviynt should create a regular AD account (the SAMAccountName should be the same as the user's ID) and then the AD group associated with the Non-Privileged Role should be assigned to the regular AD account of the user.

The same use case applies if I request Role removal: it should remove the role from the respective AD account.

Any response is appreciated.

Tks

Sunil

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on April 4 2022 at 17:43 UTC

Hi Sunil,

Thank you for reaching out to us.

Yes! You can achieve this use case using a dynamic attribute at the request level itself to obtain that value while creating or updating an account, using the requestAccessAttributes variable to invoke that attribute. Please follow our documentation https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g... under Provisioning Parameters -> CREATEACCOUNTJSON; it talks exactly about this specific use case.

Regards,

Belwyn.



Umeshlella
Saviynt Employee

Another way to achieve this requirement is by creating another endpoint for your privileged roles associated with AD groups and managing the requirements specific to privileged roles there (e.g. the AD groups associated with privileged roles as entitlements, an account name rule matching '-adm', a separate workflow if needed, etc.).
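To make the routing rule from this thread concrete, here is an added example (not Saviynt's code or configuration) that models it in plain Python: a privileged role grant targets the '<userid>-adm' account, a non-privileged grant targets the regular account, a revoke removes the group from the matching account only, and an audit flags any privileged AD group sitting on a regular account or vice versa. The role catalogue, group names and task names are constructed placeholders.

```python
ADMIN_SUFFIX = "-adm"

# Constructed role catalogue for the thread's scenario: each Saviynt role is tied
# to one AD group and flagged privileged or not (all names are placeholders).
ROLE_CATALOGUE = {
    "Role_ServerAdmin": {"ad_group": "GRP-Server-Admins", "privileged": True},
    "Role_Finance_Read": {"ad_group": "GRP-Finance-Read", "privileged": False},
}


def account_name_for(user_id: str, privileged: bool) -> str:
    """Privileged roles land on '<userid>-adm'; everything else on the regular account."""
    return f"{user_id}{ADMIN_SUFFIX}" if privileged else user_id


def plan_tasks(directory: dict, user_id: str, role: str, action: str) -> list:
    """Derive the ordered provisioning tasks for a role grant or revoke.

    `directory` is an in-memory stand-in for AD: sAMAccountName -> set of group names.
    """
    meta = ROLE_CATALOGUE[role]
    sam = account_name_for(user_id, meta["privileged"])
    if action == "grant":
        tasks = [("AssignRole", user_id, role)]
        if sam not in directory:  # create the account only if it does not exist yet
            tasks.append(("CreateAccount", sam))
        tasks.append(("AddToGroup", sam, meta["ad_group"]))
        return tasks
    if action == "revoke":  # remove the group from the matching account only
        return [("RemoveRole", user_id, role), ("RemoveFromGroup", sam, meta["ad_group"])]
    raise ValueError(f"unknown action {action!r}")


def apply_tasks(directory: dict, tasks: list) -> None:
    """Mutate the in-memory AD view exactly as the tasks describe."""
    for task in tasks:
        if task[0] == "CreateAccount":
            directory.setdefault(task[1], set())
        elif task[0] == "AddToGroup":
            directory.setdefault(task[1], set()).add(task[2])
        elif task[0] == "RemoveFromGroup":
            directory.get(task[1], set()).discard(task[2])


def audit_tiering(directory: dict) -> list:
    """Return (account, group) pairs that break the tiering: a privileged group on a
    regular account, or a non-privileged group on an -adm account."""
    privileged_groups = {m["ad_group"] for m in ROLE_CATALOGUE.values() if m["privileged"]}
    findings = []
    for sam, groups in directory.items():
        is_admin = sam.endswith(ADMIN_SUFFIX)
        findings.extend((sam, g) for g in sorted(groups) if (g in privileged_groups) != is_admin)
    return findings
```

Running `audit_tiering` over a periodic AD export gives a simple detective control that the provisioning rule stays intact after manual group changes.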