
Endpoints Not Visible in Privileged Access Request Page

aksharkay
New Contributor III
Hi,
 
We have added an endpoint access query on an endpoint in our Dev instance. Below is the query:
WHERE '${requestor.id}' IN (SELECT usergroup_users.userkey FROM usergroup_users WHERE user_groupkey IN (SELECT ug.usergroupkey FROM user_groups ug WHERE user_groupname = 'GroupA'))
 
Though this query works as expected on ARS, it is affecting account visibility in the Privileged Access Request page, as I'm unable to see any of my accounts under the Select Tenant ID page. Below is the screenshot:
 
 
I am part of the GroupA user group which is mentioned in the above query, yet I'm unable to view my accounts in the above page. The analytics control name in customproperty43 of the endpoint also returns my account name when executed from the analytics page and data analyzer.
 
Please let me know if anyone has any idea about how to resolve this issue.
 
Thanks & Regards,
Akshar

vikasjv
Saviynt Employee

Hi @aksharkay ,

Thanks for posting your question.
Please use the below access query and let us know if it resolves the issue.
Query
where users.userkey in (SELECT DISTINCT u.userkey FROM users u, user_groups ug, usergroup_users ugu, endpoints ep WHERE ug.usergroupkey = ugu.USER_GROUPKEY AND ugu.USERKEY = u.userkey and find_in_set (ug.USER_GROUPNAME, ep.customproperty17) and ep.endpointname='cpam-w2k16-dev-002') or users.username like 'Admin%'

Note: Groupname should be present in the endpoint customproperty17 and change the endpoint name accordingly.

aksharkay
New Contributor III

Hi Vikas,

Thank you for the query. But this query seems to apply the filter on the requestee instead of the requestor. Our requirement is that if a requestor is part of the user group (CP17), then he/she should be able to see the endpoint for all the users in ARS.

We have the IGA Admins who are added to the group, so only they should be able to view the endpoints for all users in ARS, and any other end user logging into our Saviynt instance should not be able to see that endpoint.

Please let me know if you need any other details.

Thanks & Regards,

Akshar

vikasjv
Saviynt Employee

Hi @aksharkay ,
Could you please try the below query and let me know if the issue still persists?
WHERE '${requestor.id}' IN (SELECT DISTINCT u.userkey FROM users u, user_groups ug, usergroup_users ugu, endpoints ep WHERE ug.usergroupkey = ugu.USER_GROUPKEY AND ugu.USERKEY = u.userkey and find_in_set (ug.USER_GROUPNAME, ep.customproperty17) and ep.endpointname='cpam-w2k16-dev-002')

aksharkay
New Contributor III

Hi Vikas,

Thank you for your query. Though it works as expected in ARS, it hides all endpoints and accounts from the Privileged Access Request page. It is the same issue which I was facing initially with the query which I mentioned in my initial post.


Thanks & Regards,

Akshar

vikasjv
Saviynt Employee

Hi @aksharkay ,

Could you please confirm whether the endpoints are visible in the PAM request if you remove the access query from the endpoint?

aksharkay
New Contributor III

Yes Vikas, when the query is removed from the endpoint then the endpoints are visible in the Privileged Access Request "Select ID" page.

NageshK
Saviynt Employee

@aksharkay In PAM requests you cannot submit a request on behalf of others, so here both the requestor and the requestee are the same. Also, dynamic variables are not supported in the access query for PAM, as when the sync job runs there will not be any user context to evaluate them. Can you try the query given initially by Vikas and see if that works? If that still does not work, please elaborate your case where you require the distinction between requestor and requestee for a PAM request. We shall then review other options.

Thanks

Nagesh K
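To illustrate Nagesh's point about user context, here is an added example (not from this thread and not Saviynt's own code): a constructed SQLite stand-in for the four tables the queries reference, with a FIND_IN_SET emulation, running both query forms. It assumes a minimal schema with only the columns named in the posts, and it assumes that an unresolved `${requestor.id}` binding is compared as a literal string, which is one reading of why the endpoint vanishes for everyone in the PAM page.

```python
import sqlite3

# Constructed minimal stand-in for the Saviynt tables named in the thread.
# Assumption: only the columns the posts reference exist, with these types.
SCHEMA = """
CREATE TABLE users (userkey INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE user_groups (usergroupkey INTEGER PRIMARY KEY, user_groupname TEXT);
CREATE TABLE usergroup_users (userkey INTEGER, user_groupkey INTEGER);
CREATE TABLE endpoints (endpointkey INTEGER PRIMARY KEY, endpointname TEXT, customproperty17 TEXT);
INSERT INTO users VALUES (1, 'akshar'), (2, 'bob'), (3, 'Admin1');
INSERT INTO user_groups VALUES (10, 'GroupA');
INSERT INTO usergroup_users VALUES (1, 10);
INSERT INTO endpoints VALUES (100, 'cpam-w2k16-dev-002', 'GroupA,GroupB');
"""

def find_in_set(needle, haystack):
    """SQLite has no FIND_IN_SET; emulate MySQL's: 1-based position in a comma list, 0 if absent."""
    if needle is None or haystack is None:
        return 0
    parts = haystack.split(",")
    return parts.index(needle) + 1 if needle in parts else 0

# Membership subquery shared by both queries in the thread: users whose group name
# is listed in the endpoint's customproperty17.
GROUP_MEMBERS = """
SELECT DISTINCT u.userkey FROM users u, user_groups ug, usergroup_users ugu, endpoints ep
WHERE ug.usergroupkey = ugu.user_groupkey AND ugu.userkey = u.userkey
  AND find_in_set(ug.user_groupname, ep.customproperty17)
  AND ep.endpointname = 'cpam-w2k16-dev-002'
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("find_in_set", 2, find_in_set)
    conn.executescript(SCHEMA)
    return conn

def requestee_form(conn):
    """Vikas's first query: filters the users table, so it needs no logged-in user.
    Returns the usernames the endpoint is shown for."""
    sql = f"SELECT username FROM users WHERE users.userkey IN ({GROUP_MEMBERS}) OR users.username LIKE 'Admin%' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]

def requestor_form(conn, requestor_id):
    """The ${requestor.id} form. ARS resolves the binding to the logged-in user's key;
    the PAM sync job has no user, so (assumption) the placeholder stays a literal
    that matches no userkey and the endpoint is hidden for everyone."""
    bound = "${requestor.id}" if requestor_id is None else requestor_id
    row = conn.execute(f"SELECT 1 WHERE ? IN ({GROUP_MEMBERS})", (bound,)).fetchone()
    return row is not None
```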

aksharkay
New Contributor III

Hi Nagesh,

I have mentioned our use case in my previous posts. The issue is that the access query that I have defined in the Endpoint Details page is also being referred to by PAM in the Privileged Access Request page.

The ${requestor.id} attribute which I am using in the Endpoint Details page is working as expected in the IGA use case, where the endpoints are hidden on ARS based on the requestor. But it seems that the same attribute is not supported by PAM.

If there are 2 modules dependent on 1 access query, then the binding variables being used in that access query should be supported by both the modules. If that is not the case, then that is an inconsistency in Saviynt.