Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Need detailed information on CPAM Role based access method

New Contributor II
New Contributor II
We have few questions regarding to role based access method
1. what is the best use case/scenario for role based access method
2. Is the role based access, can be given to persistent domain account or local account Ex  Can Azure roles be assigned to a domain account? Specifically, is it possible to use a domain account for role-based access when accessing the Azure portal through CPAM?
3. When we request a role via CPAM, will our individual account which we use to log in to the CPAM portal, automatically receive the role or do we need to maintain a shared local or domain account for role based access?
4. If a shared account is required for role-based access can multiple users access the same account at the same time with different or same roles or does it lock the account for the user based on the timeframe requested?
5. How do we restrict shared account to be used  for role based access by multiple people?

Saviynt Employee
Saviynt Employee


Thanks for reaching out on Forums with your questions. Here are the responses:

1. In CPAM we make use of the Emergency Access Roles (also known as Firefighter Roles) to provide access to different entitlements on the target. These entitlements can be AD Groups, Azure Roles, AWS IAM Roles, AWS Groups, GCP roles, GCP Groups, etc. When users request for an Emergency Access Role, they get access to the underlying entitlements attached to the Emergency Access Role

2. Yes, Roles can be assigned to both local and domain accounts in different ways. For local accounts Roles are assigned directly whereas for Domain accounts (where you have SSO enabled for the target using Domain accounts) Roles are usually assigned via the AD Groups

3,4 and 5:  User id that you use to login to CPAM Portal (Saviynt EIC) is different from the accounts present on the target system. Ex: your login id to Saviynt is PAMEndUser10. And this user has an account in each of AWS (IAMUser10), Azure(AzureADUser10), AD (ADUser10). All these accounts from different target system get associated with your Saviynt login (PAMEndUser10).
When you request for Roles from target systems, those roles get added to the accounts present on those Targets and not to your user id in Saviynt EIC

In some cases Organizations may chose to implement shared account access. In those cases, instead of creating an account for each user, there will be a shared account (ex: SharedAcct10) created on target and all users will request access using this shared account. By default this shared account will be avaiable for all users. However if you want to restrict access to only few selective users, you can use the account visibility feature to customize the implementation for your requirement