
Best Practice to provision access based on position title

Huddos
Regular Contributor

We currently have basic provisioning access tech rules for a Joiner and I'm wondering what the best way would be to provision AD groups for certain positions based on an attribute.

For example:

We have 100 customer contact users, 75% of the AD access groups are the same for that position. We have 50 accounts clerk users, 85% of the AD access groups are the same for that position. 

For each scenario, do we

1. Make the AD groups members of a new AD group which would simulate a role. 

2. Create a technical rule for each scenario to assign the role based on the position title attribute as a condition and select birthright, detective and remove options. 

3. Create a detective job for each scenario to pick up any outliers. 

I don't really want a rule for each position. Is there a way to concatenate the position within the actions of the technical rule or detective job?

e.g. one rule for both step 2 scenarios:

Conditions:

users Position = Customer Contact or Position = Accounts Clerks

Action:

Assign Groups ROLE_<position>

Or is there a better overall approach than tech rules, detective jobs etc., like analytics?


Thanks


2 REPLIES

rushikeshvartak
All-Star

You can prepare a dynamic rule.

Refer to:

Scenario 1: Provisioning Enterprise Role based on Dynamic Values

https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter05-Policies/Creating-Technic...

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Thanks, Rushikesh, for pointing me in the right direction. All working with one rule, which can now provision many AD group roles. For anyone wanting to do the same:

I set up the advanced query as per below, which will grow as we onboard each role.

Condition: adv query

a.statuskey=1 AND a.jobcodedesc LIKE 'Casual Lifeguard' AND a.customer is null

Action:

object type: XX Active Directory::memberof

object: CN=Role_${user.jobcodedesc},ou=abc,ou=efg,dc=internal

I ticked all the options after that, as I want it to be birthright, removed if they change roles, and to have detective functionality.

This rule adds AD Group: ROLE_Casual Lifeguard
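The one-rule approach above, simulated in Python as an added example (not Saviynt's rule engine or API): it reproduces the advanced-query condition, the Role_${user.jobcodedesc} object template and the birthright / remove / detective options as a single reconciliation pass over constructed user and membership data. The RFC 4514 escaping of the interpolated job title is an assumption added here, since the thread does not say whether the product's ${...} templating escapes DN special characters before building the group DN.

```python
# Added simulation of the dynamic rule posted above; not Saviynt's own code or API.
GROUP_SUFFIX = "ou=abc,ou=efg,dc=internal"          # OU path from the thread
PREFIX = "CN=Role_"
ONBOARDED = {"Casual Lifeguard", "Accounts Clerk"}  # grows as roles are onboarded

def escape_rdn(value: str) -> str:
    """RFC 4514 escaping so a job title cannot alter the DN structure (assumed here)."""
    out = ""
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch == "#") \
            or (ch == " " and i in (0, len(value) - 1))
        out += ("\\" + ch) if special else ch
    return out

def rule_matches(u: dict) -> bool:
    """Condition: a.statuskey=1 AND jobcodedesc onboarded AND a.customer is null."""
    return u["statuskey"] == 1 and u["customer"] is None and u["jobcodedesc"] in ONBOARDED

def role_dn(jobcodedesc: str) -> str:
    """Action object: CN=Role_${user.jobcodedesc},ou=abc,ou=efg,dc=internal."""
    return f"{PREFIX}{escape_rdn(jobcodedesc)},{GROUP_SUFFIX}"

def reconcile(users: list, memberof: dict) -> dict:
    """Birthright (add), remove-on-change and detective (remove) in one pass.
    memberof maps username -> set of group DNs currently held in AD."""
    result = {"add": [], "remove": []}
    for u in users:
        held = memberof.get(u["username"], set())
        owed = {role_dn(u["jobcodedesc"])} if rule_matches(u) else set()
        for dn in sorted(owed - held):               # birthright the user lacks
            result["add"].append((u["username"], dn))
        for dn in sorted(held - owed):               # stale Role_* groups only
            if dn.startswith(PREFIX) and dn.endswith("," + GROUP_SUFFIX):
                result["remove"].append((u["username"], dn))
    return result

# Constructed sample data: a joiner, a mover, a leaver and a customer account.
USERS = [
    {"username": "joiner", "statuskey": 1, "customer": None, "jobcodedesc": "Casual Lifeguard"},
    {"username": "mover",  "statuskey": 1, "customer": None, "jobcodedesc": "Accounts Clerk"},
    {"username": "leaver", "statuskey": 0, "customer": None, "jobcodedesc": "Casual Lifeguard"},
    {"username": "cust1",  "statuskey": 1, "customer": "ACME", "jobcodedesc": "Casual Lifeguard"},
]
MEMBEROF = {
    "mover":  {role_dn("Casual Lifeguard"), "CN=VPN-Users,ou=app,dc=internal"},
    "leaver": {role_dn("Casual Lifeguard")},
}
```

Groups outside the Role_ template (the VPN-Users group held by the mover) are deliberately left alone, since the rule only owns the groups it provisions.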