
PAM Certification

Ekata
New Contributor III

Hi Team,

We would like to understand how best we might configure a Privileged Access Cert in Saviynt to review high risk access.

Do we have any article on PAM certification in Saviynt?

If yes, please provide the link.

Regards,

Ekata


sk
All-Star

Can you please elaborate on your use case? If I understand your query, you want to review some high risk access through certification.

If so, then you will use the regular certification process to launch the certifications. You can do either a User Manager or an Entitlement Owner certification.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Ekata
New Contributor III

Thank you for the response. Can we use User Manager certification only for a few types of entitlement?

For example:

cn=Domain Admins,cn=users,dc=****,dc=com & cn=Enterprise Admins,cn=users,dc=****,dc=com & cn=Schema Admins,cn=users,dc=****,dc=com

Will this include users with access via nested groups?

Regards,

Ekata

1. Yes, you can use Advanced Campaign Configurations and use the respective query, which includes only the entitlements that you want to review, in the Entitlements Query field.

sk_0-1678716474895.png

2. No, nested entitlement users won't be available by default unless you include those nested entitlements as well in your entitlement query.


Regards,
Saathvik
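The following is an added example, not part of the reply above and not Saviynt code. It expands nested group membership over constructed directory data (the `dc=example,dc=com` DNs and the group and user names are assumptions) to list the nested groups that would also have to be in the campaign's entitlement scope, and the users a review of the top-level group alone would not show.

```python
# Constructed sample data: group DN -> direct "member" values (users or groups).
# The DNs under dc=example,dc=com are placeholders, not values from the thread.
BASE = "cn=users,dc=example,dc=com"
DIRECTORY = {
    f"cn=Domain Admins,{BASE}": [f"cn=alice,{BASE}", f"cn=Tier0 Ops,{BASE}"],
    f"cn=Tier0 Ops,{BASE}": [f"cn=bob,{BASE}", f"cn=Backup Admins,{BASE}"],
    # Backup Admins points back at Tier0 Ops: a membership loop.
    f"cn=Backup Admins,{BASE}": [f"cn=carol,{BASE}", f"cn=Tier0 Ops,{BASE}"],
}


def expand(directory, root):
    """Walk nested membership starting at root.

    Returns (users, nested): users maps each user DN to the chain of groups
    that grants the access; nested is the set of groups found below root.
    """
    users, nested = {}, set()
    stack = [(root, (root,))]
    seen = {root}
    while stack:
        group, path = stack.pop()
        for member in directory.get(group, []):
            if member in directory:          # member is itself a group
                if member not in seen:       # guard against membership loops
                    seen.add(member)
                    nested.add(member)
                    stack.append((member, path + (member,)))
            else:
                users.setdefault(member, path)
    return users, nested


def review_gap(directory, root):
    """Users who hold root's access only through nesting, so a campaign
    scoped to root alone would not present them to the certifier."""
    users, _ = expand(directory, root)
    return sorted(u for u, path in users.items() if len(path) > 1)


if __name__ == "__main__":
    root = f"cn=Domain Admins,{BASE}"
    users, nested = expand(DIRECTORY, root)
    print("Also include in the entitlement scope:", sorted(nested))
    for user, path in sorted(users.items()):
        print(user, "via", " -> ".join(path))
    print("Missed by a top-level-only review:", review_gap(DIRECTORY, root))
```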

Ekata
New Contributor III

Hi,

Is it possible to get the campaign launched when the user job is transferred to their manager using user manager certification?

Do we have any option to enable it?

Kindly advise.

Regards,

Ekata

Yes, it can be done. There is no difference in certification for PAM; it depends on regular IGA functionality.

You can create a user update rule where you can select action as launch certification and configure the respective settings for certification and then schedule the job: Launch Certification from Rule Job (LaunchCertificationFromRuleJob)


Regards,
Saathvik

Ekata
New Contributor III

Hi Saathvik,

I am trying to launch an entitlement owner campaign but the list is not seen at the certification level. Below are the examples:

Ekata_0-1679312269671.png

But the other entitlements are getting picked up.

Ekata_1-1679312318397.png

Is there any specific reason like entitlement type which needs to be included while creating it?

Kindly advise.

Regards,

Ekata

 

It depends on your certification configuration; please share the screenshots of your certification configuration. And please tell me which endpoint entitlements/entitlement types are not being seen in the certification.

Also, please check the things below:

  1. Do the missing entitlements have certifiers assigned?
  2. Are the assigned certifiers Active?
  3. Do those entitlements have any members associated?

Regards,
Saathvik

Ekata
New Contributor III

Hi,

Below is the screenshot:

Ekata_0-1679388211902.png

Ekata_1-1679388255932.png

The entitlement type is role for parent and group is shown on child entitlement. For normal group entitlements without nested groups, the launch works as below:

Ekata_2-1679389235630.png

But these are not included (testqa entitlement)

Ekata_5-1679389413834.png

Below are the findings:

  1. Do the missing entitlements have certifiers assigned? --> Yes
  2. Are the assigned certifiers Active? --> Yes
  3. Do those entitlements have any members associated? --> There is 1 orphan account attached which is Decommission Active.

 

Muralee
New Contributor

Hi Saathvik,

I am following up on Ekata's above-mentioned screenshots as she is on vacation. Were you able to figure out the issue? Kindly let me know. Thanks!

Regards,

Murali Dharan