08/27/2024 09:54 PM
We currently have basic provisioning access tech rules for a Joiner and I'm wondering what the best way would be to provision AD groups for certain positions based on an attribute.
For example:
We have 100 customer contact users, 75% of the AD access groups are the same for that position. We have 50 accounts clerk users, 85% of the AD access groups are the same for that position.
For each scenario, do we
1. Make the AD groups members of a new AD group which would simulate a role.
2. Create a technical rule for each scenario to assign the role based on the position title attribute as a condition and select birthright, detective and remove options.
3. Create a detective job for each scenario to pick up any outliers.
I don't really want a rule for each position. Is there a way to concatenate the position within the actions of the technical rule or detective job?
e.g. one for rule 2 scenarios
Conditions:
users Position = Customer Contact or Position = Accounts Clerks
Action:
Assign Groups ROLE_<position>
Or is there a better overall approach than tech rules, detective etc., like analytics?
Thanks
08/27/2024 10:18 PM
You can prepare a dynamic rule.
Refer
08/28/2024 05:02 PM
Thanks Rushikesh for pointing me in the right direction. All working with one rule, which can now provision many AD group roles. For anyone wanting to do the same,
I set up the advanced query as per below, which will grow as we onboard each role.
Condition: adv query
a.statuskey=1 AND a.jobcodedesc LIKE 'Casual Lifeguard' AND a.customer is null
Action:
object type: XX Active Directory::memberof
object: CN=Role_${user.jobcodedesc},ou=abc,ou=efg,dc=internal
Ticked all options after, as I want it to be birthright, removed if they change roles, and detective functionality.
This rule adds AD Group: ROLE_Casual Lifeguard
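An added example, not from the thread and not Saviynt code: an offline Python pre-check to run over HR job descriptions before widening the rule's condition. It shows which group DN the `CN=Role_${user.jobcodedesc},ou=abc,ou=efg,dc=internal` pattern from the post yields for each value, with RFC 4514 escaping and an allowlist of onboarded roles. The function names, the allowlist and the sample users are constructed assumptions.

```python
# Added example: offline pre-check, not Saviynt code.
DN_SUFFIX = "ou=abc,ou=efg,dc=internal"  # container from the post

# Constructed allowlist: job descriptions whose Role_ group exists in AD.
ONBOARDED = {"Casual Lifeguard", "Customer Contact", "Manager, Aquatics"}


def escape_rdn_value(value):
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def resolve_group_dn(jobcodedesc):
    """Return the group DN for a job description, or None if it needs review."""
    if jobcodedesc is None or jobcodedesc.strip() not in ONBOARDED:
        return None
    cn = "Role_" + jobcodedesc.strip()
    return "CN=" + escape_rdn_value(cn) + "," + DN_SUFFIX


def review(users):
    """Split users into resolvable group targets and usernames to flag."""
    targets, flagged = {}, []
    for username, job in users.items():
        dn = resolve_group_dn(job)
        if dn is None:
            flagged.append(username)
        else:
            targets[username] = dn
    return targets, sorted(flagged)


# Constructed sample records (username -> jobcodedesc).
SAMPLE_USERS = {"alee": "Casual Lifeguard", "bkhan": "Manager, Aquatics",
                "cdiaz": "Pool Attendant", "dng": None}

if __name__ == "__main__":
    print(review(SAMPLE_USERS))
```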