on 03/24/2023 11:24 AM
Consider a scenario where a retail organization uses a database system in which access to modify data (update, delete, truncate, insert, etc.) is considered high risk. Firefighter roles are therefore implemented, which provide write permissions for a half-hour time frame (the default time frame).
The task is to insert some 1k new orders into the system, without which orders cannot be taken out for delivery. Because your query execution might take some time, it is very important to use every minute of those 30. If you have to wait for scheduled jobs, say 15 minutes, you lose half of your time waiting for your access and might not be able to complete your activity in the remaining 15 minutes. Achieving real-time provisioning is crucial in such scenarios.
N/A
V.5.5X and above
#Achieving real-time provisioning of access involves two factors:
1. Instant creation of tasks as soon as the request is submitted
2. Instant fulfillment/provisioning of access as soon as the task is created
#How to achieve instant creation of tasks?
In the case of role-based entitlement task creation (or tasks for standalone entitlements where a start date is present), one of the two can happen
#To achieve instant creation of tasks, there is a config available in the global configurations under ARS > home > request (depending on the label), as below:
This config lets you have tasks created even when the start date is a future date. You can specify the time difference between the current date and the role start date up to which you want tasks created without running the EnterpriseRoleManagementJob. This especially helps with firefighter access, where the access granted is time bound and even a minute is crucial. If your EnterpriseRoleManagementJob is scheduled to run every 15 minutes, you do not have to wait another 15 minutes for task creation; the tasks are created as soon as the request is approved.
Instant creation of tasks can be achieved with Enterprise Roles and Application Roles as well. Enterprise Roles and Application Roles exhibit the same technical behavior as a firefighter role, in that you provide a start date and an end date. These types of roles might not have a default time frame, but you can come across time-bound scenarios where end users have explicitly selected a time difference of half an hour or one hour between the start date and the end date.
#How to achieve fulfillment/provisioning of tasks?
To achieve real-time provisioning, there is a config, 'Instant Provisioning', under the security system. It provisions the access instantly once the tasks have been created, without losing time. Enable the configuration below to achieve this.
Real-time provisioning can be achieved with Enterprise Roles and Application Roles as well. Enterprise Roles and Application Roles exhibit the same technical behavior as a firefighter role, in that you provide a start date and an end date. These types of roles might not have a default time frame, but you can come across time-bound scenarios where end users have explicitly selected a time difference of half an hour or one hour between the start date and the end date.
#Further Reading:
For additional details on 'Instant Provisioning', please refer to the product documentation below:
https://forums.saviynt.com/t5/tkb/workflowpage/tkb-id/kb/article-id/199
https://forums.saviynt.com/t5/tkb/workflowpage/tkb-id/kb/article-id/200
What is the default time for the global configuration?
The default time is 15 minute(s) in EIC.
I'm getting an access denied error to shared resources:
https://forums.saviynt.com/t5/tkb/workflowpage/tkb-id/kb/article-id/199
https://forums.saviynt.com/t5/tkb/workflowpage/tkb-id/kb/article-id/200
But I have a question: we have enabled instant provisioning to complete the tasks for a disconnected application. It's working fine, but there is an issue: if the remove account/access tasks are generated from campaigns, it's not happening (stays in pending state). Any idea why it's happening only with campaigns? Appreciate your prompt response.