DixshantValecha
Saviynt Employee

Use Case

A company wants to ensure the security of its endpoints by configuring out-of-band access detection. SSM provides an out-of-band access detection function that detects and revokes access that was assigned by the target system rather than by SSM, for example an account-to-entitlement mapping that has no Task ID associated with it. This ensures that out-of-band access, whether assigned directly in the system or through a co-existing IAM system, cannot be assigned without leaving an audit trail. The out-of-band access detection configuration is set at the endpoint level.

Pre-requisites

You can assign access to accounts in one of the following ways:

  • Saviynt Security Manager (SSM)
  • Another coexisting Identity and Access Management (IDM) platform
  • Directly in the target application without raising a request

Applicable Version(s)

N/A

Solution

Perform the following steps to activate out-of-band access detection:

  1. Bootstrap existing access at the endpoint: update a dummy task key on all existing account-entitlement entries for that endpoint to baseline the current state.
    Note: This step must be performed before activating the Out of Band action. Otherwise the job will remove all access that does not have a Taskkey mapped in the account_entitlements1 table.
  2. Update the endpoint:
    1. Go to ADMIN > Identity Repository > Security Systems > Endpoints.
      The Security System List page is displayed.
    2. Select the Endpoints tab.
      The Endpoint List page is displayed.
    3. Click the endpoint for which you want to set Out of Band Access.
    4. Select the Endpoint Details tab.
    5. Select one of the following options under Action for Out of Band Access Detection:
      • Deprovision Access: Selecting this option deprovisions access for accounts that were given access other than through ARS or Import.
        Deprovisioning tasks are created automatically for all adopted accounts associated with an identity for any access not assigned by Saviynt; once the tasks are processed, the access is removed in the target systems.
        All accounts are affected regardless of whether the account is Dialog, Service, or System, as long as the account is adopted to an identity.
        Service accounts in Saviynt are correlated via "Owner" and are orphaned by default, so they do not fall under this functionality.
      • Deprovision Access and Re-create Access Request: Selecting this option deprovisions access for accounts that were given access other than through ARS or Import. In addition, it creates a re-create access request for such accounts.
  3. Run the Revoke Out of Band Access Job (RevokeOutOfBandAccessJob) from the Job Control Panel workbench (Admin > Job Control Panel) to revoke the out-of-band access given to the user.

Deprovisioning tasks are created only for entries whose Taskkey is empty in the Account Entitlements table. If a Taskkey exists for an entry, no deprovisioning task is created for it.

Note: SSM creates either Deprovision Access tasks or Deprovision Access and Re-create Access Request tasks for access that was not provisioned through SSM when you execute the Revoke Out of Band Access job; which one is created depends on the option selected under Action for Out of Band Access Detection on the Endpoint Details tab (ADMIN > Identity Repository > Security Systems > Endpoints).
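The following is an added example, not Saviynt code, that models the Taskkey rule the procedure above relies on: the bootstrap step stamps a dummy task key on an endpoint's existing entries, and the revoke job then targets only entries of that endpoint whose Taskkey is still empty. The row layout, the dummy key value and the sample accounts are assumptions for illustration; running it without the bootstrap shows why legacy access would otherwise be removed.

```python
# Added example (not Saviynt code): model of the taskkey rule behind
# out-of-band access detection. Row layout and dummy key value are assumed.
from dataclasses import dataclass
from typing import Optional

BOOTSTRAP_TASKKEY = "BOOTSTRAP-DUMMY"  # assumed placeholder dummy task key

@dataclass
class AccountEntitlement:          # one account_entitlements1 entry
    account: str
    entitlement: str
    endpoint: str
    taskkey: Optional[str] = None  # None: no SSM task granted this access

def bootstrap_endpoint(rows, endpoint):
    """Step 1: stamp the dummy taskkey on every row of the endpoint that
    has none, baselining pre-existing access. Returns rows touched."""
    touched = 0
    for r in rows:
        if r.endpoint == endpoint and r.taskkey is None:
            r.taskkey = BOOTSTRAP_TASKKEY
            touched += 1
    return touched

def revoke_out_of_band(rows, endpoint, action):
    """Step 3: what the Revoke Out of Band Access job does for one endpoint.
    action: 'deprovision' or 'deprovision_and_recreate'.
    Returns (deprovision_tasks, recreate_requests) as (account, entitlement)."""
    deprov, recreate = [], []
    for r in rows:
        if r.endpoint != endpoint or r.taskkey is not None:
            continue  # taskkey present: SSM-provisioned, left alone
        deprov.append((r.account, r.entitlement))
        if action == "deprovision_and_recreate":
            recreate.append((r.account, r.entitlement))
    return deprov, recreate

def demo(with_bootstrap, action="deprovision_and_recreate"):
    """Constructed sample: SSM-granted, legacy and other-endpoint access,
    then one access granted directly in the target after the baseline."""
    rows = [
        AccountEntitlement("alice", "AD-Admins", "AD", taskkey="T-1001"),
        AccountEntitlement("bob", "AD-Admins", "AD"),      # legacy, pre-SSM
        AccountEntitlement("carol", "DB-Readers", "DB"),   # other endpoint
    ]
    if with_bootstrap:
        bootstrap_endpoint(rows, "AD")
    rows.append(AccountEntitlement("dave", "AD-Admins", "AD"))  # out of band
    return revoke_out_of_band(rows, "AD", action)
```

With the bootstrap, only dave's directly assigned access is flagged; without it, bob's legacy access is deprovisioned too, while carol on the other endpoint is never touched.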

References

https://docs.saviyntcloud.com/bundle/EIC-Admin-v2022x/page/Content/Chapter02-Identity-Repository/Vie...


Version history
Last update:
04/11/2023 06:56 AM