
Need clarification on Endpoint Group Policy feature?

sk
All-Star
Team,
 
As per the documentation, starting from v24.3 Saviynt has introduced a new concept to control endpoint visibility based on PAM Endpoint Group Policy.
 
 
But I have a question about this new feature based on the description below (which is a prerequisite to use Endpoint Group Policy). If we enable this setting, instead of validating against Access Query it works based on Endpoint Group Policy rules. But what about an endpoint where PAM is not enabled but which uses an Access Query that has no dependency on entitlements? How will those applications work?
 

 

These applications will not have any dependency on entitlements; they purely work on user attribute conditions or respective accounts.

Example scenarios:
  1. On one of the endpoints in our environment, we have a condition where it should be visible only to users who have an active AD account (no dependency on entitlement)
  2. Quite a few applications where we used user CPs, but not entitlements, as the condition to control the visibility

Based on the documentation, it looks like Access Query based visibility and Endpoint Group Policy based visibility cannot both be achieved in parallel. Also, I don't see a way to migrate Access Query based visibility to the new Endpoint Group Policy, because this policy is purely based on entitlement type and tags and does not consider user attributes, account attributes, etc.

Can someone provide me more details about achieving both use cases?

 

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

sudeshjaiswal
Saviynt Employee

Hello @sk,

 
But I have a question about this new feature based on the description below (which is a prerequisite to use Endpoint Group Policy). If we enable this setting, instead of validating against Access Query it works based on Endpoint Group Policy rules. But what about an endpoint where PAM is not enabled but which uses an Access Query that has no dependency on entitlements? How will those applications work?

This will only be applicable in a PAM_ENABLE environment.

These applications will not have any dependency on entitlements; they purely work on user attribute conditions or respective accounts.

Example scenarios:
  1. On one of the endpoints in our environment, we have a condition where it should be visible only to users who have an active AD account (no dependency on entitlement)
  2. Quite a few applications where we used user CPs, but not entitlements, as the condition to control the visibility

Based on the documentation, it looks like Access Query based visibility and Endpoint Group Policy based visibility cannot both be achieved in parallel. Also, I don't see a way to migrate Access Query based visibility to the new Endpoint Group Policy, because this policy is purely based on entitlement type and tags and does not consider user attributes, account attributes, etc.

Answer:
An entitlement is mandatory; you can even have a savrole as the entitlement (it should be requestable), acting like an entitlement of the account.
No, both cannot be achieved in parallel.
Policies need to be created from scratch; they cannot be migrated.

Thanks.

If you find the above response useful, kindly mark it as "Accept As Solution".

@sudeshjaiswal: Your first response is understandable, but the second response is confusing to me.

Let me reiterate my understanding.

Enable Policy Rules in global configuration will not impact the endpoints which are not enabled for PAM. This configuration is specific to the endpoints which are PAM Enabled.

That means once we enable this setting, all PAM Enabled Endpoints will only follow Endpoint Group Policy rules instead of Access Query, but any other endpoints which are not PAM Enabled will always follow Access Query.

Is this a correct statement?


Regards,
Saathvik

sudeshjaiswal
Saviynt Employee

Hello @sk,

Enable Policy Rules in global configuration will not impact the endpoints which are not enabled for PAM.
Answer: No, it won't impact any other endpoints which are not PAM Enabled.

This configuration is specific to the endpoints which are PAM Enabled.

Answer: Yes, this configuration is specific to PAM-enabled endpoints.

That means once we enable this setting, all PAM Enabled Endpoints will only follow Endpoint Group Policy rules instead of Access Query, but any other endpoints which are not PAM Enabled will always follow Access Query.
Answer: Correct.

Thanks.
