We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Request for Information About Enabling Temporary Elevated Access to Admin Account via Saviynt EIC

Pooja
New Contributor II
New Contributor II

Currently the users has two accounts in Active Directory - a regular user account and an Admin account. Let’s assume users are currently logging into Saviynt using their regular user account. They would like to enable a process that allows users to request temporary elevated access to their Admin account in Active Directory for a specified time period, and have that access automatically revoked when the time period expires.

 

Here's how we envision this workflow:

 

  1. Users log into Saviynt using their regular user account.
  2. Users can request temporary elevated access to their Admin account in Active Directory for a specified time period.
  3. The request is reviewed by an administrator for approval.
  4. If the request is approved, Saviynt automatically adds the user's Admin account to the requested AD group for the specified time period.
  5. When the time period expires, Saviynt automatically removes the user's Admin account from the AD group.

 

We are hoping to achieve this workflow using the Saviynt EIC. Could you please confirm whether this workflow is supported by Saviynt? If so, could you please provide us with guidance on how to configure this workflow? If not, do you have any suggestions on alternative workflows or features that we could use to achieve our desired outcome?

 

1 REPLY 1

NageshK
Saviynt Employee
Saviynt Employee

@Pooja Thanks for posting your question. Please follow the below steps to implement the use case

  1. Configure the AD Group entitlement type to make it a time based request. Here is the json to be added by navigating to AD Endpoint -> Entitlement Type -> click "View Detail" against Groups and mention the following json in "config JSON for Request Dates"
    {"ENDDATEREQUIRED" : "1", "DEFAULTTIMEFRAMEHRS": "xx", "MAXTIMEFRAMEHRS": "xx"}
  2. Provide actual values for xx in the json
  3. Create a manager approval workflow and assign the workflow to the security system of the Active Directory. Refer to the following doc portal guide on how to create workflows : Creating Workflows  
  4. When End users go for access request for AD Group, they will now be required to enter start and date dates  

Thanks

Nagesh K