Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Avanced Account visibility control

lionelrl
New Contributor III
New Contributor III

Hi ,

Is there a way we can fine tune the account visibility on the endpoint using a role ?, for example , I have 10 accounts in AD endpoint , is there way I can make selected set of accounts visible to selected set of individuals ?. 

 

Also , what does the below configuration in the PAM_Config affects ? I had searched documents and did not find any viable information, 

"endpointPamConfig": {
         "maxConcurrentSession": "50"
      },
      "accountVisibilityConfig": {
         "accountCustomProperty": "customproperty55",
         "accountMappingConfig": [
            {
               "accountPattern": "cpamuser*",
               "mappingData": "roletest1",
               "override": "false"
            },
            {
               "accountPattern": "cpamuser1,cpamuser2",
               "mappingData": "roletest2",
               "override": "false"
            }
         ]
      }
4 REPLIES 4

vikasjv
Saviynt Employee
Saviynt Employee

Hi @lionelrl ,

Thanks for posting your question.
Please refer to the below article for managing account visibility.
https://docs.saviyntcloud.com/bundle/CPAM-Admin-Guide-v23x/page/Content/L-Manage-Accounts/Account-Vi...
Please let us know if you have any queries.

anitha_swapna
Saviynt Employee
Saviynt Employee

Hi @lionelrl ,

Thanks for reaching out. 

Regarding the configuration information in the PAM_Config that you had posted, please find the details:

  • endpointAccessQuery: It provides the endpoint visibility for requesting privileged access. It is based on a user-defined query or any entitlements and roles.

  • allowChangepasswordquery: It ensures the change of password or password rotation for an account.

  • accountVisibilityControl: It helps in determining the accounts that must be displayed for users when requesting for privileged access. The analytical control PAMDefaultUserAccountAccessControl includes the query for this feature, and it is added to the custom property of an endpoint. This analytical control is available by default and can be easily added to an endpoint.

The account visibility is based on roles or entitlements assigned to users and it is added to the custom property of an endpoint. For example, users in the finance department cannot view any accounts that are available to human resources (HR), as the account visibility is mapped to the user's role within the organization.

Thanks,

Anitha.

NageshK
Saviynt Employee
Saviynt Employee

@lionelrl As discussed in the SME hours call, please share the updated query that worked for you. It will help others looking for similar information.

Thanks,

Nagesh K 

suresh_ravuri
New Contributor III
New Contributor III

@NageshK  @lionelrl I would appreciate it if you could provide the query since we also have similar requirements for the client