timchengappa
Saviynt Employee

Use Case

Technical rules support dynamic assignment of Saviynt objects through the reference operator, the dollar symbol ($). This article explains the feature using dynamic role assignment as the example: during user import/onboarding, as part of birthright provisioning, enterprise roles need to be assigned based on the user's department, job code, organization, location number, etc.

E.g. 1: If the user's location number is '12345' then the enterprise role "Role-12345" needs to be assigned to the user.

E.g. 2: If the user's location number is '67890' then the enterprise role "Role-67890" needs to be assigned to the user.


Pre-requisites

Role naming convention: Design the role name in two parts, one static and one dynamic. The static part stays constant across all roles created for this business requirement. The dynamic part is the location number, which varies per role; based on this location number, multiple accesses across several applications are grouped into the enterprise role.

Syntax: <RoleName><location_number> 

Sample: Role-12345, Role-67890 etc.


Applicable Version(s)

ALL

Solution

Instead of creating multiple technical rules for every unique user location number in the organization, we can simply create one technical rule that assigns the required enterprise role based on the user's location number.


Technical Rule Creation: Define the basic condition on which the rule should be evaluated, for example user status is 'Active', location number is not NULL, user type = "Employee", etc.

  1. In the Action section of the technical rule, select "Enterprise Roles" as the object type.
  2. In the Object text box, use the syntax below to define the dynamic role assignment.

Syntax: <Static_part_of_the_role_name>${user.<dynamic_part_of_the_role_name>}

E.g. Role-${user.locationnumber}


Note: In this case, ${user.locationnumber} is a binding variable that fetches the location number attribute from the user record.
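
The following Python check is an added example, not part of the original article and not Saviynt code. It models how the rule object Role-${user.locationnumber} resolves per user and flags users whose binding cannot resolve, whose resolved role is not defined, or who still hold a Role-<n> role for a different location number. The user records, the `username` and `roles` keys, and the role catalog are constructed sample data.

```python
import re

RULE_OBJECT = "Role-${user.locationnumber}"   # object text from the article
BINDING = re.compile(r"\$\{user\.(\w+)\}")    # ${user.<attribute>}

def resolve(template, user):
    """Expand bindings; return None if any bound attribute is missing or empty."""
    missing = False
    def sub(m):
        nonlocal missing
        val = user.get(m.group(1))
        if val is None or not str(val).strip():
            missing = True
            return ""
        return str(val).strip()
    name = BINDING.sub(sub, template)
    return None if missing else name

def family_pattern(template):
    """Regex matching every role name this template can produce."""
    out, pos = "", 0
    for m in BINDING.finditer(template):
        out += re.escape(template[pos:m.start()]) + r"\S+"
        pos = m.end()
    return re.compile(out + re.escape(template[pos:]))

def audit(template, users, role_catalog):
    """Return (username, finding, role) tuples for every mismatch."""
    family, findings = family_pattern(template), []
    for u in users:
        expected = resolve(template, u)
        held = {r for r in u["roles"] if family.fullmatch(r)}
        if expected is None:
            findings.append((u["username"], "unresolved-binding", None))
        elif expected not in role_catalog:
            findings.append((u["username"], "role-not-defined", expected))
        elif expected not in held:
            findings.append((u["username"], "missing-role", expected))
        for stale in sorted(held - {expected}):   # same family, wrong location
            findings.append((u["username"], "stale-role", stale))
    return findings

# Constructed sample data (hypothetical users and role catalog).
CATALOG = {"Role-12345", "Role-67890"}
USERS = [
    {"username": "alice", "locationnumber": "12345", "roles": ["Role-12345"]},
    {"username": "bob", "locationnumber": "67890", "roles": ["Role-12345", "Role-67890"]},
    {"username": "carol", "locationnumber": None, "roles": []},
    {"username": "dave", "locationnumber": "55555", "roles": []},
]
if __name__ == "__main__":
    for finding in audit(RULE_OBJECT, USERS, CATALOG):
        print(finding)
```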

 

Reference

Assigning New Accounts, Access, or Enterprise Role Based on Dynamic Values

Comments
abhiupadhyay
New Contributor III

@timchengappa @Rishi Thanks for the above article. I have opted for this design for our use case also. Now when we change a user's location code, the new role as per dynamic assignment is being assigned, but the old role is not getting removed. I guess that's not happening because the condition in the technical rule is still true (only userstatus=1).

What would be the best way to remove old roles that do not apply with the new location code?

timchengappa
Saviynt Employee

Hi @abhiupadhyay 

You can either change your rule with conditions that also satisfy the rule for access removal while ensuring the "Remove Birthright Access if the condition fails" configuration is 'checked' in the rule (this is also a recommended and cost-efficient approach)
or
have a second similar rule to achieve the same. Please ensure the conditions in both rules don't go into a loop (that the access is not assigned and removed recursively during each evaluation).

Thanks

Version history
Last update:
‎03/21/2023 10:48 AM