09/22/2023 07:52 AM
Team,
We have gone through the Saviynt - Azure integration guide and noted that many entitlements can only be imported but cannot be provisioned.
https://docs.saviyntcloud.com/bundle/Azure-v23x/page/Content/Supported-Features.htm
During an initial discussion with the customer about the connector capabilities, the following questions came up.
1. Can the connector bring in "Azure Management Groups"? It is not mentioned in the documentation.
2. Can the connector be extended to provision more types of access? Currently it says only 4 types are supported for provisioning.
3. Why is AADGroup showing under Azure as well? (We have already integrated AzureAD and AADGroup is already imported as part of that.)
09/24/2023 11:21 PM
Hello @shibinvpkvr,
1. Can the connector bring in "Azure Management Groups"? It is not mentioned in the documentation. - No, it's not supported right now.
2. Can the connector be extended to provision more types of access? Currently it says only 4 types are supported for provisioning. - Yes. It can be extended, as it uses the REST connector for provisioning use cases.
3. Why is AADGroup showing under Azure as well? (We have already integrated AzureAD and AADGroup is already imported as part of that.) - AADGroups are not imported as part of the Azure connector but get copied from the mapped Azure AD endpoint.
Thanks,
10/05/2023 11:10 AM
For #1 Access is granted to Azure resources at management group, subscription, resource group, and in the resources directly. Why would management groups be omitted? This is a huge gap. Can the connector be extended to include management groups?
10/06/2023 02:00 AM
Hello @chrismeisner,
Please create an enhancement request with your requirement in Saviynt's Ideas portal.
Thanks,
10/13/2023 07:43 AM
12/15/2023 09:29 AM
@sudeshjaiswal We are in the process of setting up the connector (Azure connector) for our Azure tenant.
However, the connector requires the below parameter.
SUBSCRIPTION ID | Represents a unique identifier of Azure subscription which grants you access to Azure services and to the Azure Resource Management Portal. |
Our production tenant has 90+ subscriptions under 10+ management groups. Wondering how we can provide subscription id in this case in the connector. Can we pass it comma separated?
Thanks
Shibin
12/19/2023 07:20 AM
@sudeshjaiswal @timchengappa any inputs from your side for the above question?
12/19/2023 09:48 PM - edited 12/19/2023 09:49 PM
Hello @shibinvpkvr,
For each subscription, a separate connection needs to be created.
You can raise an enhancement request to support multiple subscriptions in a single connection.
Thanks.
12/20/2023 02:10 AM
Do you mean to say that if I have 90 subscriptions in the tenant, then 90 connections and that many endpoints?! I was wondering then why subscription is configured as an entitlement type as well under the endpoint
01/11/2024 06:47 AM
Can we customize the attribute mappings for the Azure accounts anywhere?
01/11/2024 01:11 PM
You can do it in Azure AD Connector -> ACCOUNT_ATTRIBUTES
01/11/2024 01:27 PM - edited 01/11/2024 01:37 PM
Azure AD is a different endpoint, which has no issues. If I add attributes in Azure AD connector, the mappings are specific to Azure AD accounts. Azure accounts have a default mapping, out of which we don't see employeeid to correlate with users.
01/11/2024 07:08 PM
We are able to map accounts emp id to users emp id
{
  "acctLabels": {
    "customproperty1": "First Name",
    "customproperty2": "Last Name",
    "customproperty3": "Office Phone",
    "customproperty10": "Account Status",
    "customproperty11": "Employee ID",
    "customproperty12": "Job Title",
    "customproperty13": "User Type",
    "customproperty14": "Directory Synced",
    "customproperty16": "City",
    "customproperty30": "Visibility"
  },
  "colsToPropsMap": {
    "accountID": "id~#~char",
    "name": "userPrincipalName~#~char",
    "displayname": "displayName~#~char",
    "customproperty1": "givenName~#~char",
    "customproperty2": "surname~#~char",
    "customproperty3": "businessPhones~#~char",
    "customproperty10": "accountEnabled~#~bool",
    "customproperty11": "employeeId~#~char",
    "customproperty12": "jobTitle~#~char",
    "customproperty13": "userType~#~char",
    "customproperty14": "onPremisesSyncEnabled~#~bool",
    "customproperty16": "city~#~char",
    "customproperty30": "visibility~#~char"
  }
}
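Added example (not part of the original post and not Saviynt's code): a sketch that reads a subset of the colsToPropsMap above, applies it to constructed directory records, and lists accounts whose Employee ID column would come back empty and therefore cannot be correlated to a user. Reading `~#~` as the separator between source attribute and type is inferred from the posted JSON; the function names and sample records are hypothetical.

```python
import json

# Subset of the colsToPropsMap from the post: account column -> "sourceAttr~#~type".
COLS_TO_PROPS = json.loads("""{
  "accountID": "id~#~char",
  "name": "userPrincipalName~#~char",
  "customproperty3": "businessPhones~#~char",
  "customproperty10": "accountEnabled~#~bool",
  "customproperty11": "employeeId~#~char"
}""")

def parse_mapping(cols_to_props):
    """Split each 'attr~#~type' value into (source attribute, type)."""
    parsed = {}
    for column, spec in cols_to_props.items():
        attr, sep, kind = spec.partition("~#~")
        if not sep or kind not in ("char", "bool"):
            raise ValueError(f"unexpected mapping for {column}: {spec!r}")
        parsed[column] = (attr, kind)
    return parsed

def map_account(user, mapping):
    """Return (mapped account columns, columns whose source value was empty)."""
    account, missing = {}, []
    for column, (attr, kind) in mapping.items():
        value = user.get(attr)
        if value is None or value == [] or value == "":
            missing.append(column)
        elif kind == "bool":
            account[column] = bool(value)
        elif isinstance(value, list):
            # Assumption: multi-valued attributes are joined with commas.
            account[column] = ",".join(str(v) for v in value)
        else:
            account[column] = str(value)
    return account, missing

# Constructed sample directory records (not real data).
USERS = [
    {"id": "a1", "userPrincipalName": "alice@example.com", "businessPhones": ["+1 555 0100"],
     "accountEnabled": True, "employeeId": "E1001"},
    {"id": "s1", "userPrincipalName": "svc-backup@example.com", "businessPhones": [],
     "accountEnabled": False, "employeeId": None},
]

def uncorrelatable(users, key_column="customproperty11"):
    """Accounts that cannot be matched to a user because the key column is empty."""
    mapping = parse_mapping(COLS_TO_PROPS)
    return [u["userPrincipalName"] for u in users if key_column in map_account(u, mapping)[1]]
```

Accounts returned by `uncorrelatable` are the ones that would surface as orphans after import, which is worth reviewing before the first reconciliation run.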
02/21/2024 07:12 AM
Hi Team,
We have also noticed that even for the supported entitlement types, the privileges (roles) are not added properly during reconciliation. The roles are not properly mapped to the entitlement types of users during reconciliation.
02/21/2024 07:14 AM
Can you elaborate with examples
02/22/2024 07:08 AM
@rushikeshvartak In Azure, the user gets a subscription S1 from a role r1 and the user has another role r2 as well. But in Saviynt, after recon, the entitlement hierarchy shows r2 under subscription S1. It should be r1 ideally.
02/22/2024 08:59 PM
Role is AppRole Entitlement Type or Saviynt Role Object
03/01/2024 10:48 AM
@rushikeshvartak Azure role/privilege assigned to any account which will be reconciled as an entitlement into Saviynt
03/05/2024 06:17 AM
@SUMAIYA_BABU Can you please share the screenshot of example from Saviynt and Azure (along with permission type in Azure) ?