
Request for Information About Enabling Temporary Elevated Access to Admin Account via Saviynt EIC

Pooja
New Contributor II

Currently the users have two accounts in Active Directory - a regular user account and an Admin account. Let’s assume users are currently logging into Saviynt using their regular user account. They would like to enable a process that allows users to request temporary elevated access to their Admin account in Active Directory for a specified time period, and have that access automatically revoked when the time period expires.

 

Here's how we envision this workflow:

 

  1. Users log into Saviynt using their regular user account.
  2. Users can request temporary elevated access to their Admin account in Active Directory for a specified time period.
  3. The request is reviewed by an administrator for approval.
  4. If the request is approved, Saviynt automatically adds the user's Admin account to the requested AD group for the specified time period.
  5. When the time period expires, Saviynt automatically removes the user's Admin account from the AD group.

 

We are hoping to achieve this workflow using the Saviynt EIC. Could you please confirm whether this workflow is supported by Saviynt? If so, could you please provide us with guidance on how to configure this workflow? If not, do you have any suggestions on alternative workflows or features that we could use to achieve our desired outcome?

 

1 REPLY

NageshK
Saviynt Employee

@Pooja Thanks for posting your question. Please follow the steps below to implement the use case.

  1. Configure the AD Group entitlement type to make it a time-based request. Here is the JSON to be added by navigating to AD Endpoint -> Entitlement Type -> click "View Detail" against Groups and entering the following JSON in "config JSON for Request Dates":
    {"ENDDATEREQUIRED" : "1", "DEFAULTTIMEFRAMEHRS": "xx", "MAXTIMEFRAMEHRS": "xx"}
  2. Provide actual values for xx in the JSON.
  3. Create a manager approval workflow and assign the workflow to the security system of the Active Directory. Refer to the following doc portal guide on how to create workflows: Creating Workflows
  4. When end users request access to an AD Group, they will now be required to enter start and end dates.

Thanks

Nagesh K
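
A check an administrator could run once the time-based request is enabled, as an added example that is not part of the original reply and is not Saviynt code: it compares approved time-bound requests with current AD group membership and flags admin accounts still in a group after their end date, members with no approved request, and windows longer than the configured maximum. The function, field names, sample accounts and the 8-hour cap are constructed assumptions; real inputs would come from exports of the approved requests and of the AD group members.

```python
from datetime import datetime, timedelta, timezone

# Assumed cap, standing in for the value chosen for MAXTIMEFRAMEHRS ("xx" in the reply).
MAX_TIMEFRAME_HRS = 8


def audit_memberships(grants, members, now, max_hrs=MAX_TIMEFRAME_HRS):
    """Compare approved time-bound grants with current group membership.

    grants  : list of dicts {account, group, start, end} (approved requests)
    members : dict mapping group name -> set of accounts currently in it
    Returns a sorted list of (finding, account, group) tuples.
    """
    findings = set()
    granted = {}  # (account, group) -> latest approved end date
    for g in grants:
        key = (g["account"], g["group"])
        # Keep the latest end date when access was re-requested or extended.
        granted[key] = max(granted.get(key, g["end"]), g["end"])
        if g["end"] - g["start"] > timedelta(hours=max_hrs):
            findings.add(("WINDOW_EXCEEDS_MAX", *key))
    for group, accounts in members.items():
        for account in accounts:
            end = granted.get((account, group))
            if end is None:
                findings.add(("NO_APPROVED_REQUEST", account, group))
            elif end <= now:
                # Step 5 of the workflow (automatic removal) did not take effect.
                findings.add(("EXPIRED_NOT_REVOKED", account, group))
    return sorted(findings)


def sample_run():
    """Constructed sample data; account and group names are made up."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    grants = [
        {"account": "adm-alice", "group": "Server-Admins", "start": t0, "end": t0 + timedelta(hours=4)},
        {"account": "adm-bob", "group": "Server-Admins", "start": t0, "end": t0 + timedelta(hours=2)},
        {"account": "adm-carol", "group": "DB-Admins", "start": t0, "end": t0 + timedelta(hours=24)},
    ]
    members = {"Server-Admins": {"adm-alice", "adm-bob", "adm-dave"}, "DB-Admins": {"adm-carol"}}
    return audit_memberships(grants, members, now=t0 + timedelta(hours=3))


if __name__ == "__main__":
    for finding in sample_run():
        print(*finding)
```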