AWS Setup Guide v7

Saviynt Security Manager v7
AWS Integration & Administration Guide

Edition notice
Note: This edition applies to version 4.4 of Saviynt Security Manager and to all subsequent
releases and modifications until otherwise indicated in new editions.
© Copyright Saviynt INC 2016
Saviynt Security Manager v4.4: AWS Setup Guide 2

Contents
1. ABOUT THIS DOCUMENT ________________________________________________________________________ 5
2. SAVIYNT STACK SETUP __________________________________________________________________________ 6
2.1 AWS POLICIES, ROLES AND INSTANCE USING AWSCONSOLE- CLOUDFORMATION TEMPLATE _________________________ 6
2.1.1 Login to AWS Console ____________________________________________________________________ 6
2.1.2 Create a stack using Cloud Formation Template. _______________________________________________ 6
3. ELASTIC SEARCH AND KIBANA STACK SETUP FOR USAGE LOGS ________________________________________ 11
HTTPS://S3.AMAZONAWS.COM/SAVIYNTCFTEMPLATES/AWS_KIBANA_SETUP_GUIDE.DOCX _____ 11
4. SAVIYNT SETUP _______________________________________________________________________________ 11
4.1 UPDATE EXTERNAL PROPERTIES FILE WINDOWS: (IF CENTOS CLICK HERE) _____________________________________ 11
4.2 UPDATE EXTERNAL PROPERTIES FILE CENTOS: ________________________________________________________ 18
4.3 CREATE AND CONFIGURE CONNECTION _____________________________________________________________ 23
4.4 DASHBOARDS ______________________________________________________________________________ 33
4.5 ANALYTICAL CONTROL VIOLATIONS AND ACTIONS ______________________________________________________ 33
4.5.1 Analytical controls:______________________________________________________________________ 33
4.5.2 Violations:_____________________________________________________________________________ 35
4.5.3 Enable Cloud trail log validation DC Action ___________________________________________________ 39
4.5.4 Performing DC Action for Multiple Violation _________________________________________________ 42
4.5.5 DC action Table ________________________________________________________________________ 45
4.6 CLOUD TRAIL LOGS: __________________________________________________________________________ 46
4.7 VPC FLOW LOGS: ___________________________________________________________________________ 52
4.7 PRIVILEGE ACCESS MANAGEMENT REQUEST _________________________________________________________ 54
4.8 PRIVILEGE ACCESS MANAGEMENT-ASSUME ROLE FROM CLI AND BROWSER____________________________________ 56
4.9 PRIVILEGE ACCESS MANAGEMENT-VIEW HISTORY______________________________________________________ 57
4.10 CONFIGURE PRIVILEGED ACCESS ROLES _____________________________________________________________ 59
4.11 CONFIGURATION FOR PREVENTATIVE CONTROL _______________________________________________________ 61
4.11.1 List of Preventative Rules _________________________________________________________________ 61
4.11.2 Modify Attributes of Preventative Rules _____________________________________________________ 61
4.11.3 Creation of Rules _______________________________________________________________________ 62
4.11.4 Making Rules Inactive ___________________________________________________________________ 64
4.12 CONFIGURE SMTP AND ADMIN EMAIL _____________________________________________________________ 64
5. CONFIGURE ACCESS REQUEST SYSTEM ____________________________________________________________ 66
5.1 OVERVIEW ________________________________________________________________________________ 66

5.2 CONFIGURE ACCESS REQUEST PAGE _______________________________________________________________ 66
5.2.1 Configure ARS Dashboard Page ____________________________________________________________ 66
5.2.2 Other ARS Configuration _________________________________________________________________ 67
5.2.3 Configure Entitlement Type Options ________________________________________________________ 68
5.2.4 Associate Dynamic Attributes to Endpoint ___________________________________________________ 70
5.3 CONFIGURE ACCESS REQUEST WORKFLOWS _________________________________________________________ 71

5.3.1 Associate Workflows to Applications _______________________________________________________ 75
6. CONFIGURE USERS, ACCOUNTS AND ENTITLEMENTS ________________________________________________ 76
6.1 OVERVIEW ________________________________________________________________________________ 76

6.2 USER ADMINISTRATION _______________________________________________________________________ 76
6.2.1 View User Details _______________________________________________________________________ 76
6.2.2 Import Users ___________________________________________________________________________ 77
6.3 ACCOUNT ADMINISTRATION ____________________________________________________________________ 83
6.3.1 View Accounts _________________________________________________________________________ 83
6.3.2 Import Accounts ________________________________________________________________________ 85
6.4 ENTITLEMENT ADMINISTRATION _________________________________________________________________ 90
6.4.1 View Entitlement Details _________________________________________________________________ 90
6.4.2 Import Entitlements _____________________________________________________________________ 91
ACCESS REQUEST SYSTEM (ARS) ______________________________________________________________________ 95
7. LOGGING IN AND OUT FROM SAVIYNT ACCESS REQUEST SYSTEM _____________________________________ 95
8. REQUEST ACCESS _____________________________________________________________________________ 98
8.1 SELF-REQUEST (REQUESTING ACCESS FOR YOURSELF) ___________________________________________________ 98

8.2 REQUEST ACCESS FOR OTHERS__________________________________________________________________ 104
8.3 REMOVE ACCESS FOR OTHERS __________________________________________________________________ 111
9. REQUEST HISTORY ___________________________________________________________________________ 114
10. REQUEST APPROVAL _______________________________________________________________________ 116
11. TASKS ___________________________________________________________________________________ 119
12. SET UP A DELEGATE ________________________________________________________________________ 120
ATTESTATION ____________________________________________________________________________________ 122
13. ATTESTATION CONFIGURATION ______________________________________________________________ 122
13.1 GENERAL CONFIGURATION ____________________________________________________________________ 122

13.2 USER MANAGER CERTIFICATION CONFIGURATION ____________________________________________________ 123
14. STATUS OF THE ATTESTATION ________________________________________________________________ 124
15. USER MANAGER CERTIFICATION ______________________________________________________________ 125
APPENDIX _______________________________________________________________________________________ 132
15.1 IMPORT JOB CONFIGURATIONS/SCHEDULING ________________________________________________________ 132

15.2 ACCOUNT IMPORT __________________________________________________________________________ 133
15.3 ACCESS IMPORT ___________________________________________________________________________ 134
15.4 SCHEDULE JOBS ____________________________________________________________________________ 136

1. About this Document
The AWS setup Guide for Saviynt Security Manager (SSM) describe step by step process to setup
AWS with Saviynt security manager
The guide is intended for system administrators who can perform deployment and system
configuration tasks and have a working knowledge of application servers, databases, task
management processes and business process workflows.
This guide can also be downloaded from the application. Navigate to the application by entering
either of the URL mentioned below on your browser
a. https://<public-ip-address>/ECM or
b. https://<public domain name>/ECM
Use the following credentials to login to the application and an initial random password which
needs to be changed on first login
a. userid – awsadmin
b. password – s<instance privateIPAddress without period>s
For ex. if the ec2 instance private IP address is 10.10.0.16 your password would be s1010016s
(go to AWS Console and select the EC2 instance to see its private IP Address)
Please ensure your browser does not block downloads.

2. Saviynt Stack Setup
2.1 AWS Policies, Roles and Instance using AWSConsole- CloudFormation Template
2.1.1 Login to AWS Console

Login to AWS Console using the following url and provide the details for the account,
username and password and click on Sign In
URL - https://<AccountID>.signin.aws.amazon.com/console
Account: Enter the 12- digit AccountID
User Name: Enter the username
Password: Enter the password
2.1.2 Create a stack using Cloud Formation Template.

1. Click on Cloud Formation

2. Click on Create Stack.
3. From “Choose a template” section, select the radio button “Specify an Amazon S3
template URL” and enter the Url of s3 where the json is presen
(public subnet for Windows:
https://s3.amazonaws.com/saviyntcftemplates/SaviyntAWSCFTemplate.json
Private subnet with NAT Windows:

https://s3.amazonaws.com/saviyntcftemplates/SaviyntAWSCFTemplate_private.json
public subnet for CentOS:

https://s3.amazonaws.com/saviyntcftemplates/SaviyntAWSCFTemplate_public_CentOS.json
Private subnet with NAT CentOS:

https://s3.amazonaws.com/saviyntcftemplates/SaviyntAWSCFTemplate_private_CentOS.json)
and click on Next .

If you have downloaded the SaviyntAWSCFTemplate.json on your local, select the radio
button “Upload a template to Amazon s3”, click on “Choose file” and browse to the location
of json file and upload it and then click on Next.
4. Enter the details for the foll parameters and click on Next
• Stack Name: Name to the stack

• Instance type: Select the EC2 Instance type you will launch(eg. M4.xlarge)
• KeyName: Select an existing EC2 KeyPair to enable RDP/SSH and initial web access
to your instance.
• NetworkCIDROther: Enter a network CIDR representing an address range that is
permitted to access the launched instance (i.e., 176.32.2.0/24). You may enter
0.0.0.0/0 if you don't know your address range. NOTE: This will make the instance
accessible to Internet which you can edit later in the AWS Console.
• NetworkCIDRRDP/ NetworkCIDRSSH: Enter a network CIDR representing an
address range that is permitted to RDP/SSH the launched instance (i.e.,
176.32.2.0/24). You can edit this later in the AWS Console.

• PublicSubnet: Select an existing public subnet ID where it will launch.
• VPC: Select an existing VPC ID that contains a public subnet that you want to launch
in (i.e. vpc-xxxxxxxx) .
5. Under the Options  Tags : You can optionally specify tags (key-value pairs) for your
stack. Then click on next.
6. On the review page, Check the “I acknowledge that this template might cause AWS
CloudFormation to create IAM resources” and click on Create.

7. Once you click on Create, you can see your stack with status CREATE_IN_PROGRESS.
8. Once the stack is created the status is changed to CREATE_COMPETE and you can
navigate to the “Outputs” tab to see the Roles and Saviynt Access url(which is used to
navigate to the application as mentioned in the section 1 About the document.)

9. You can also click on the “Resources” tab to see all resources created as part of Cloud
formation template. Copy the physical ID against SaviyntAWSRole which will be used for
Saviyntsetup. Ex: awscloudtemplate-Saviyntawsrole-12343443
3. Elastic Search and Kibana Stack setup for Usage Logs

Follow the instructions as part of this document.
https://s3.amazonaws.com/saviyntcftemplates/AWS_Kibana_Setup_Guide.docx
4. Saviynt Setup
4.1 Update External Properties File Windows: (if CentOS click here)
1. Select EC2 as shown below:

2. Select Running instances:
3. Select the instance created from the CF template and click on Connect.

4. Click on Download Remote Desktop File and save the RDP.
5. Click on Get Password
6. Click on Choose File and browse to the file containing the Key pair and click on Decrypt
password:

7. Note down the Password as shown below
8. Click on the RDP obtained in Step4 and enter the password obtained in Step7 and click
on OK.

9. Click on Yes in the pop up

10. Open the Externalconfig.properties file present in the foll location:
"C:\saviynt\Conf\externalconfig.properties"
Edit the foll lines.
aws.sns.topic.arn = <ARN of the SNS topic> Ex: arn:aws:sns:us-east-1:661222050851:MyNewTopic
aws.kibana.url=<Kibana URL that has been setup Ex: http://savkibana-elastics-7dk1s0t3mq8g-

1411724617.us-east-1.elb.amazonaws.com/ >
aws.kibana.vpc.url=< Kibana URL that has been setup for Flow logs http://flkibanat-elastics-
1fhsdxbgn4i23-1156049637.us-east-1.elb.amazonaws.com/>
11. Go to Services in the Remote desktop as shown:

12. Restart tomcat service:

4.2 Update External Properties File CentOS:
1. Select EC2 as shown below:
2. Select Running instances:
3. Select the instance created from the CF template.

4. Follow the instructions under “Transferring Files to Your Linux Instance Using
WinSCP” in the link below to connect to instance using WinSCP
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
5. Click on login by providing the username as root and pwd as the .ppk key.

6. Browse to the path /opt/saviynt/Conf as shown below and edit the
externalconfig.properties file

7. Open the Externalconfig.properties file present in the foll location:
"C:\saviynt\Conf\externalconfig.properties"
Edit the foll lines.
aws.sns.topic.arn = <ARN of the SNS topic> Ex: arn:aws:sns:us-east-1:661222050851:MyNewTopic
aws.kibana.url=<Kibana URL that has been setup Ex: http://savkibana-elastics-7dk1s0t3mq8g-

1411724617.us-east-1.elb.amazonaws.com/ >
aws.kibana.vpc.url=< Kibana URL that has been setup for Flow logs http://flkibanat-elastics-
1fhsdxbgn4i23-1156049637.us-east-1.elb.amazonaws.com/>

8. Save and close the file.
9. Refer to
“Connect using putty Starting a PuTTY Session” of this link
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
and connect as shown

10. Restart tomcat service:
execute the foll commands to restart tomcat :
Change directory
cd /opt/tomcat/apache-tomcat-7.0.68/bin
Stop tomcat
./shutdown.sh
Start tomcat
./startup.sh
4.3 Create and Configure Connection

1. Login to Saviynt Console  Open the below url replacing the PublicIP obtained in the
previous step
https://PublicIP/ECM Click on proceed to (Public-IP)). Since the application uses a self-signed

certificate, therefore the browser throws warnings, which can be ignored.

2. Application Login Steps
Use the following credentials to login to the application and an initial random password which
needs to be changed on first login
c. userid – awsadmin
d. password – s<instance privateIPAddress without period>s

For ex. if the ec2 instance private IP address is 10.10.0.16 your password would be s1010016s
(go to AWS Console and select the EC2 instance to see its private IP Address as seen in step2.3)
Once the random credentials are entered user is taken to the password reset screen as shown
below.
Enter details as shown below and click on Save
Username: awsadmin
Old Password: s<PrivateIPexcluding.>s
New Password:<New pwd>
Confirm Password :<New Pwd>

Once the password is reset. User can login with the Username awsadmin and the newly set
password

Steps to change Password – Saviynt application would force to change the password after
first login. After password change, relogin to the application with your new password.
After login to SSM, Navigate to Admin tab
3. Importing Users (Please follow steps 3 and 4 only if you wish to import users from
HR system, else skip to step 5)
Please refer to section 5.2.2 to import users in Saviynt.
4. Set Correlation rule:

Go to AdminSecurity SystemsEndpointsAWS as shown in the screen shot

Click on Edit against User Account Correlation rule
Select a column from Users Drop down and select a column from Accounts drop down.
Ex if username is selected from Users dropdown and name is selected from Accounts
dropdown. The correlation rule to map users and accounts would be username=name.
Click on Save.

Click on Update

5. Connection Details:
Go to Admin  Identity Repository  Connections  Connection List  click on the Connection

AWS
6. Enter the details of Connection AWS (the ones marked with * are mandatory)
• AWS_ACCOUNT_ID *: Enter the 12-digit Account ID of your AWS Account where Saviynt is
being installed

• ADMIN_EMAIL *: Depicts the default email address of admin user (can be updated) and
the monitoring email address for preventive rules
• AWS_STACK_ROLE_NAME *: The role name created as part of the stack (ex: Saviynttest-
SaviyntAWSRole-1OK4596SFTZ4R) Please refer to 2.2.1 Step 9. In the Resources Section you will find
SaviyntAWSRole.
• CREATEUSERS: Enables the creation of users as part of aws user accounts import. Enter Yes
or No here to enable/disable users creation as part of AWS User Account Import. If the users
need to be imported from HR systems, the setting value should be No. If the user accounts
are being federated to your AWS account, please reach out to Saviynt support at
[email protected] for further assistance.
• PREVENTATIVECONTROL_TURNED_ON: Enables/Disables Saviynt's Preventative Rules.

Enter Yes/No to enable/disable Saviynt’s preventative controls which sets the AWS Config
Recorder to ON in case of YES and OFF in case of NO. Currently preventative rules are
supported for AWS Objects belonging to US east region only. Enabling this rule will cause the
EC2 instances to be stopped, if they meet Saviynt’s preventative rules.
• If PREVENTATIVECONTROL_TURNED_ON is NOT SET to YES.

No changes happen to AWS Config.
• If PREVENTATIVECONTROL_TURNED_ON is SET to YES

The following changes occur in AWS Config.
o Recording is set to ON
o Creates Config related objects and attaches to AWS Config
▪ S3 Bucket: saviynt-config-bucket-12DIGITACCOUNTID
▪ SNS Topic: Saviynt-Config-Topic
o Attaches the Role associated with EC2 instance to the AWS Config Role.
o Create a subscription to Saviynt's HTTP listener in the SNS Topic Saviynt-
Config-Topic.(this will add a subscription in SNS topic with pending
confirmation state for the Saviynt's HTTP listener).
o SNS sends notification to Saviynt's HTTP listener for subscription created.
o Saviynt's HTTP listener reads the confirmation token and sends the
confirmation back to SNS. (this will confirm he subscription in the SNS)
o Create Cloud Watch Event Rules to monitor additional resources and pushes
the events to the same SNS configured for Config in all the regions

• If PREVENTATIVECONTROL_TURNED_ON is SET to NO after the AWS Config changes
have happened from Saviynt.
The following changes occur in AWS Config.
Recording is set to OFF.
• JUMPBOX_IP_ADDR_RDP: This setting could be used to configure Saviynt’s preventive rule

of preventing workloads from being accessed from non-jump boxes. Depicts the IP address
of Jump Boxes (Bastion Hosts) from which RDP connections should be opened from. Enter a
list of your Jump Box IP Address to be enforced by the Preventive Rules as comma separated
values. For ex. 166.170.38.254/32,54.23.56.16/32
• JUMPBOX_IP_ADDR_SSH: This setting could be used to configure Saviynt’s preventive rule of

preventing workloads from being accessed from non-jump boxes. Depicts the IP address of
Jump Boxes (Bastion Hosts) from which SSH connections should be opened from. Enter a list
of your Jump Box IP Address to be enforced by the Preventive Rules as comma separated
values. For ex. 166.170.38.254/32,54.23.56.16/32
• EC2_TAGS_PROD: This setting could be used to determine the production instances from
the tags associated with. Saviynt enforces preventive Rules based on these tag values.
Example Values could be Prod, Production
• VPCID_PEERING: Enter this value, for Saviynt to define and detect VPC peering violations.
Depicts the VPC ID which serves as the hub for VPC Peering, which would then be used as an
input by Saviynt to define the list of VPCs not peered with this VPC.
Example value vpc-12w12w12
• VPCID_APPROVED: Enter this value, for Saviynt to define and detect VPC Launch violations.
Depicts the VPC ID which serves as the acceptable VPC in which the instances should be
launched, which would then be used as an input by Saviynt to define the list of EC2 instances
which were not launched in this VPC. For ex. vpc-12w12w12.
• CROSS_ACCOUNT_ROLE_ARN : Keep this value blank.
7. Click on Save and Test Connection button.

8. Click on Yes to Import the data from AWS which in turn would import accounts, access,
run the analytics and create dashboards. Click on No to just save the details without
Import.
9. Progress of the import can be viewed by navigating to Job control panel. Please note, the
import progress shows after a few seconds on the panel.
4.4 Dashboards
4.5 Analytical control violations and actions
4.5.1 Analytical controls:

Goto AnalyticsAnalytics History and click on any tab say EC2.
All the analytical controls under this category will be listed indicating how many violations are
present

Click on any control say EC2 security groups with open RDP
It will take you to the screen showing all EC2 instances having this violation:

You can filter the result set based on filters available in the left menu:
4.5.2 Violations:
Actions can be taken against violations on Analytical controls as shown below.
For ex for EC2 instances which have Open RDP Analytical control which lists all EC2 instances having
this violation we can perform a STOP action on one or all of these instances.
1. Go to Analytics -> Analytics History of the Saviynt portal

2. Under Analytics History tab click on EC2 Category and type the name of the control in the
search tab.
3. Click on the particular control and go to Run History -> Open Total Conflict link of the latest
Run Time

4. Search for the violation of the EC2 instance against which you want to take an action and click
on the action tab of that particular EC2 instance and select “Stop EC2 Instance” Action.
5. In Aws Console the particular instance is running before the DC action

6. Perform the DC action in the Saviynt portal by clicking on the Actions -> Stop EC2 Instance
and give the reason for the action under Comment section and save.
7. Once you click on save particular action will be performed against the EC2 and you can see
the Particular instance will be stopped in the AwS Console.

4.5.3 Enable Cloud trail log validation DC Action
This Particular DC Action will enable the Cloud trail log Validation from Saviynt portal if its disabled
in the AWS environment.
1. Go to Analytics -> Analytics History of the Saviynt portal
2. Under Analytics History tab click on Cloud Trail Category and type the name of the control in
the search tab.

3. Click on the particular control and go to Run History -> Open Total Conflict link of the latest
Run Time
4. Search for the violation of the Cloud Trail against which you want to take an action and click
on the action tab of that particular Cloud Trail and select “Enable Cloudtrail Validation” Action.

5. In AWS console you can see particular Cloudtrail has disabled log validation before action
6. Perform the DC action in the Saviynt portal by clicking on the Actions -> Enable Cloud Trail
Validation and give the reason for the action under Comment section and save.

7. Once you click on save particular action will be performed against the Cloudtrail and you can
see the Log file validation has been enabled successfully.
4.5.4 Performing DC Action for Multiple Violation

We can perform DC action for multiple violations at a single button click which applies the action
for all Entitlements.

1. We will go and select specific analytical control under the Analytical history section
2. Under the Run History tab click on the Total Conflict of the most recent run time
3. Now if you want to perform the action like remove anonymous access for all the listed S3
buckets then we can apply that action at once for all rows.
Go to Selected Action -> Revoke S3Bucket Anonymous Access

4. Once you click on the action give the justification why you are performing this action for all
resources and click Save button. All the anonymous access will be removed for all the listed
S3 bucket at a go and it will reflect in AWS console.

This functionality can be performed on other DC enabled Analytical controls.
4.5.5 DC action Table

The below table list the other DC actions which are available in the Saviynt
Detective Controls AWS Recourse Description Action
EC2 Security Groups – EC2 Instance EC2 Instance will be stopped in the AWS Stop EC2
Open SSH Console Instance
Unused Security Groups Security Group Deletes the particular Security Group in AWS Delete Security
Group
Disabled EC2 termination EC2 Instance Termination Protection will be enabled for Enable
protection the particular EC2 Termination
Protection
Unused Elastic IPs Elastic IP The unused Elastic IP will be deleted in AWS Delete Elastic IP
Underutilized Load ELB The Under Utilized Load Balancers will be Delete ELB
balancers deleted
High Privileged IAM Users IAM User Dissociate User from Policy in AWS Dissociate User
from Policy
IAM Users with Non- IAM User Removes the Non Rotated access key from Delete Access
rotated Access Keys the User Key of User
EBS Volumes Non- EBS Volume Detach Volumes from the EC2 instance in Detach Volumes
Encrypted AWS
S3 Buckets with S3 Bucket Removes the Anonymous access from the Revoke S3Bucket
Anonymous access particular bucket Anonymous
Access
VPC not peered with VPC The peering will be deleted in the AWS Remove VPC
Central VPC Peering
S3 Buckets for which S3 Bucket The Logging will be enabled for the S3 Enable S3
logging is disabled Bucket Logging
Encryption keys with IAM Enables the Rotation of the Encryption Key Enable Rotation
rotation disabled
Disabled Trail Cloud Trail Enables the Cloud Trail which were disabled Enable Trail
for regions

4.6 Cloud Trail Logs:
Cloud trail logs of AWS can be viewed pictorially from Saviynt
1. We can go to Kibana dashboards by navigating to the Analytics -> CloudTrail Logs
2. Once you click on the Cloud trail it will take you to the Kibana Dashboard link and for the first
time login an authentication page pops up as shown below where you need to provide the
Kibana credentials used during setup

Once the login is successful you will be directed to the Kibana dashboard as shown below.

3. Where you can select the Dashboards which you want to view by clicking on the Folder button
in the Right hand corner
4. Once you select a specific dashboard for example AwScloudTrail_IAM then that particular
dashboard will be loaded with all the related events as shown

5. You can do a quick filter on time by selecting the quick optionas shownbelow and choosing
the required option
6. If you want to search for events in particular time range, then we can use the Absolute
window. When you click on the Absolute button on the left a window pop up as shown where
you can give the range.

7. To search for events click on Discover and specify the value to be filtered in the search box
within the “.

8. Also you can customize your seach by adding the columns which you want to see by just
clicking on the add button against each column name as shown in the screen shot
9. We can use AND or OR in search For example, we can search a specific IP address with
particular event name by using AND condition so that it will list those values as shown.

Note: Both “AND” and “OR” operators are case sensitive.
10. We can use an OR operator to list a condition which matches either of the values. For example
I have used OR for IP address and event name so it list the events which matches one of those
values as shown.
4.7 VPC flow logs:

1. We can go to VPC flowlogs dashboards by navigating to the Analytics -> VPC Flow Logs

2. Once you click on the VPC Flow Logs it will take you to the Kibana Dashboard link and for the
first time login an authentication page pops up as shown below where you need to provide
the kibana credentials.

Once the login is successful you will be directed to the flow log dashboards as shown below.
4.7 Privilege Access Management Request

1. Click on 'Request Firefighter Roles' from Access Request System homepage
2. Select the User for whom you want to request firefighter role and click on 'Next'

3. Add the AWS Role by clicking on Add to cart and then click on Checkout
4. Enter the DateTime and Business Justification. You can also enter additional comments in
the “Comments” field. Click “Next”.

5. Screen after request is being submitted
6. Now click on Request History from Left Panel to view your request.
4.8 Privilege Access Management-Assume Role from CLI and Browser

The user who was provided Fire fighter access can either assume the role mentioned in the screen
shot below (RequestHistory TasksEntitlement Value) from Browser using Switch
Role(http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html)
option or from CLI using Assume Role statement (
http://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html)

4.9 Privilege Access Management-View history
7. Click on Request ID which will open up the Request page.
8. Click on Show Usage Browser which will redirect you to Kibana Dashboards after logging
into Kibana

The widget Assume role via Command Line shows all assume role statements performed
via CLI
The widget Switch role via Browser shows all SwtichRole actions performed via Browser
The widget Privilege Activity shows all actions performed by the user from Browser in the
default view which has filter of <user> AND <RoleName>
The widget Privilege Activity shows all actions performed by the user from CLI if the filter is
changed to Access key ID returned in the first widget as highlighted above.

If there are multiple Access key id’s they can be combined with OR operator.
4.10 Configure Privileged Access Roles

1. Go to Admin  Roles  Select the Role to be modified and click on Edit.
2. Modify the attributes required like Description, Default Timeframe etc and click on Update.
(Please do not modify the Role Names of Fire Fighter Roles).
3. Default Timeframe-It is the maximum duration for which a Role should be active
which is in hours and is set to 0 hours by default. This can be modified to any value.
Ex: If the value is 8 it means that any user who is given access to this Role will be able to
use assume the Role for a maximum duration of 8 hours after which the access of that role
is revoked from the user.

4. Go to the versions tab: Select the latest version (i.e the version containing the changes)
and click on Send for Approval.
5. Using the Role Owner’s account go to ARS  Request Approval.
6. Click on the Role and then click on Approve/Reject to Approve changes or Reject changes.

4.11 Configuration for Preventative Control
4.11.1 List of Preventative Rules

1. Go to Admin->Preventative Rules->Infra Access Rules to see the list of all Preventative
Rules.
4.11.2 Modify Attributes of Preventative Rules

1. To modify attributes of Preventative Control Rules for all rules like notification email
address, Jumpbox IP etc. refer to the AWS Connection optional parameters section
2. To modify attributes of a particular Preventative Control Rule:

• Go to Admin->Preventative Rules->Infra Access Rules and click on Edit against the
rule to be modified.
• Click on Remove to Remove an action.
• Click on Add Action to add new action-
Action for Infra Access Rule: Select Action required from the drop down
Possible values:
Notify as Email: A mail is sent to the mail id specified in the input indicating that
the rule was triggered.
Stop EC2 instance: The instance is stopped with tags updated as indicating the rule
that triggered this action “Stopped as per Saviynt's Preventative Rule -Current Time, Rule
name: <name of rule>”.
• Click on Status Drop down to make it Active or Inactive
• Click on Save.
4.11.3 Creation of Rules

1. Go to Admin->Preventative Rules->Infra Access Rules->Action-> Create Infra Access Rule
as shown in the screenshot

2. Enter the following details:
• Enter Rule Name: <Name for the Rule>
• Select Control: Select a control from the Select Control drop down
• Action for Infra Access Rule: Select Action required from the drop down
Possible values:
Notify as Email: A mail is sent to the mail id specified in the input indicating that the
rule was triggered.
Stop EC2 instance: The instance is stopped with tags updated as indicating the rule that
triggered this action “Stopped as per Saviynt's Preventative Rule -Current Time, Rule name:
<name of rule>”.

3. Click on Save.
4. Now navigate to Infra Access Rule tab and search for the rule created above using the
Searchbox as shown in the screen shot. You will be able to see the rule as Active.
5. If AWS Config recorder is turned on as seen in Step 3.1

PREVENTATIVECONTROL_TURNED_ON, the rule will get triggered in case of any matches
and corresponding action will be taken. Ex: If rule was created for Security Group with
Open RDP and if the AWS configuration recorder is ON (i.e.
PREVENTATIVECONTROL_TURNED_ON attribute is YES), then if there is any Security
Group created in AWS console with open RDP the rule will trigger and the corresponding
action selected will be executed. If AWS Config recorder is OFF (i.e.
PREVENTATIVECONTROL_TURNED_ON attribute is NO) none of the rules will be executed.
4.11.4 Making Rules Inactive

1. Making all rules inactive: Refer to bullet points in Step 3.1
PREVENTATIVECONTROL_TURNED_ON to turn AWS Config recorder Off by setting
attribute PREVENTATIVECONTROL_TURNED_ON to NO.
2. Making a particular rule inactive: Refer to Step3.2.2_Point2 to modify attributes of
Preventative Rule and edit the field.
4.12 Configure SMTP and Admin email

1. SMTP: Go to Admin  Configure  SMTP and provide information for the following text
boxes as shown in the screen shot:
• SMTP Server Name
• SMTP Port
• SMTP User Name
• SMTP Password

Rest of the fields are prepopulated.
Click on Save.
2. Admin email: Go to Admin  Users awsadmin
3. Locate the field Email and enter a valid Email address as shown in the screen shot and click
on Update at the bottom of the screen.

5. Configure Access Request System
5.1 Overview
This section provides details of all steps required to configure the Access Request System module.
Details of the below tasks are included
1. Configure request page

2. Create and configure workflow
5.2 Configure Access Request Page
5.2.1 Configure ARS Dashboard Page

This section provides details of how to configure the different options in the ARS dahsboard page
1. Go to ADMIN > Configure > Basic configuration

2. Select the checkboxes for ‘Create new request access’, ‘Request history’, ‘Request access
for others’, ‘Setup Delegates’, ‘View Existing Access’ and ‘Request Approval’ to show
these options in the dashboard.

5.2.2 Other ARS Configuration
Parameter Description
Request made in ARS will expire after number of days selected
Expired Request After
from the dropdown
Notify Email templates Once the request expires, an email will be sent to the appropriate
When Request Expires user in a format as mentioned in selected email template
Delegate Email The email to be sent when a delegate is set up in ARS is

template configured here
Task Complete Email Once the task is marked as COMPLETE, an email will be sent to
Template the appropriate user in a format as mentioned in selected email
template from the dropdown
True - Filters the Entitlements without owner for request and
Show Entitlements
displays in the dropdown while requesting access in ARS page
without owner for
False – Entitlements are not filtered while requesting access in
request
ARS page
Enable Securonix for Part of configuration to integrate with Securonix web services
Provisioning
On user termination, the Saviynt Security Manager solution will

Lock the account in target application,
User Termination
Move account to terminated user group in target application,
Update validity date of account in target application,
Remove all entitlements assigned to account in target application.

Default Business Default Business Justification will be auto populated in Step 3 of
Justification for ADD Request Access
Request
Default Business Default Business Justification will be auto populated in Step 3 of

Justification for Remove Request Access
Request
Show User Attribute User attributes selected here will be displayed in ARS page while
While Request requesting for an access
Enable - User without a manager can request for access in ARS

Allow request without page
Manager Disable - User without a manager cannot request for access in
ARS page
Show Entitlements with Only Entitlements of the selected SAV Level from the dropdown
SAV Level can be requested
Entitlement Filter for Query to filter the entitlements based on the risk level to evaluate
SOD SOD while requesting for the entitlement in Request Access
Query for Entitlements Filters the requestable Entitlements using a query
Business Justification Business justification at Request level or each SOD level.

required
User attributes selected will the displayed in request history in

Show User Attributes in ARS
Request History
Define Delegate Query Users are restricted as to whom they are allowed to delegate
using a query
Mandatory Fields in Users fields that are mandatory while Registering a User
Register User
Show Fields in User User fields that are visible while Registering a User
SystemUsername Pattern for SystemUsername generation
generation Rule
5.2.3 Configure Entitlement Type Options

Entitlements refer to any type of access associated to a security system. For example roles and
authorization objects for SAP systems, groups for Active Directory etc. The entitlement type tab
under each of the endpoints can be used to configure properties for each of the entitlement types

associated to the endpoint. These settings define the options that will be shown to the end user
on the access request pages.
For each of the endpoints, provide the below additional details in tab ‘Entitlement type’
Entitlement type The entitlement types that are being used in client system
None: This attribute will not be displayed on the request screen
Drop Down (Single): This attribute will be displayed as a drop
down and end users will be only allowed to select one value. The
list of values will be displayed based on the data imported for the
resources and end-point
List Box (Multiple): This attribute will be displayed as a list
value and end users will be allowed to select multiple values. The
Request option list of values will be displayed based on the data imported for the
resources and end-point
Shown But Not Request Single: This attribute will be shown
however end user will not be able to request the same.
Shown But Not Request Multi: This attribute will be shown
however end user will not be able to request multiple values.
Table: This attribute will be displayed as a table of values and
end users will be allowed to select multiple values.
This is used to setup a relationship between attributes and their
Hierarchy
values
This is used to mark an attribute as mandatory during the request
Required
process.

5.2.4 Associate Dynamic Attributes to Endpoint
Next step step in ARS configuration is the configuration of dynamic attributes for endpoints. For
eg dynamic attributes can be UserGroup and TimeZone. Dynamic attributes are attributes that
do not exist in the target system but are required to be filled in during the request process. These
could be additional attributes required by the provisioners or approvers. The Dynamic Attributes
tab under each of the endpoints can be used to configure properties for each of the dynamic
attributes associated to the endpoint.
For each endpoints, Go to the Dynamic Attributes tab, open the Action drop down, select ‘Add
Attributes’ and provide the below values
Attribute name Name of attribute
Number: Requires user to enter a numeric value during run-time
Boolean: Boolean has True / False as specific values which you
can assign to the attribute
Attribute type
String: Requires user to enter a string value during run-time
Enum: Can hold multiple values
Multiple select: Can hold multiple values
Depending upon the type of attribute, if it is configured as
Values
dropdown, you will have to add all possible values for selection
Default values Default value
Mapping of dynamic attributes to the actual column names in the
Accounts column
database table to save the user inputs
Required Required/Not required

5.3 Configure Access Request Workflows
Workflows define the business process flows/approvals that will be followed in the ARS process.
These workflows are associated to the security systems as detailed in section 3.2
1. To create a new workflow, click on the Create / Edit Workflow workflow tab.
2. The workflow editor opens up with the list of existing workflows (if any).
3. Click on the new button. A blank pane opens up
4. Enter the name and type (Parallel/Serial) of the workflow you would like to create
5. To begin a workflow, simply drag the start module from left pane to the middle pane

Drag and drop the Access Approval module from left pane to middle pane. Connect the outgoing
node of start to the incoming node of Access Approval. The Access Approval module is always
the second module of the workflow. Once the request is created, it is sent to the role owner for
approval if this module is present.
• To use this module, drag and drop the Access Approval module from left pane to
middle pane.
• Whom to Send Request parameter defines who the requests are sent to for approval
• A name must be given to this module, which shows up as the activity name during
request approvals.
• Email template can be selected from drop down for notification and reminder.
• Notification email is sent as soon as the Access Approval step is reached during
request approvals.
• Reminder email is sent after the specified time (in minutes or days).
• The three outgoing nodes at the bottom are for grant, reject and escalation
respectively.
• Assign to Secondary Owner if the Requestee is Primary owner -
• Assign to Manager if the Owner is the Requestee – If the user requesting for access
is the owner of the role, then the approval process is assigned to the user’s manager
• Include Remove Access – The same task can be used for removing access as well

6. Drag and drop grant access and reject access module from left pane to middle pane.
Connect the grant node of Access Aapproval to grant access and reject node to Reject
Access modules.
Grant Access module represents the approved access after which task is created. It is always
placed after all the approvals have been completed.
• To use this module, drag and drop the grant access module from left pane to middle
pane.
• A name must be given to this module for reference.
• Email template can be setup to send out email for each approved item.
• Connections from last approval accept nodes are joined to its incoming node
• The only outgoing node always goes to the end module.
Reject Access module: Reject Access module represents the rejected access for which tasks
are not created. It is always placed after all the approvals have been completed.
• To use this module, drag and drop the reject access module from left pane to middle
pane.
• A name must be given to this module for reference.
• Email template can be setup to send out email for each approved item.
• Connections from all the rejects nodes are joined to its incoming node

• The only outgoing node always goes to the end module.

7. Drag and drop end module from left pane to middle pane. Connect the outgoing nodes of
grant access and reject access to end module.
8. After making any changes to workflow, always load workflow by clicking on ‘Load Workflow’
under the Workflow menu on the left hand side of the screen.
5.3.1 Associate Workflows to Applications

Please refer to section 3.2 on how to associate the workflows to security systems.

6. Configure Users, Accounts and Entitlements
6.1 Overview
This section provides details of all User, account and entitlement administration
• User Administration
• Account Administration
• Entitlement Administration
6.2 User Administration
6.2.1 View User Details

1. To view the list of users in the Saviynt Security Manager, go to ADMIN>Identity
Repository> Users
2. Click on the user name to view details

6.2.2 Import Users
Import of users into Saviynt Identity repository can be done in 3 ways
Import Users from a File
1. Go to Admin>IdentityRepository>Users and click on the “Action” dropdown and choose

Upload User.
2. This opens a pop up to choose the csv user file to upload and Click on the “Upload and
Preview” button
3. Upload user and preview page allows you to map the user file fields to the database user
table fields.Map the fields and click on “Import Now” option to import the users into Saviynt
Security Manager Identity repository

Select CSV file click on upload preview

Import Users using a Job
1. Place the Users csv file in C:/saviynt/Import/DataFiles directory

2. Place the schema file mapping the user details between the csv file and the database user
table fields in C:/saviynt/Import/SAV directory
3. Go to Admin>JobControlPanel>Schema>SchemaBasedUsersImport Job. Click on the “Add
New Job” which opens a pop up allowing you to create a new instance of the job.
4. Once you created a new instance of the job, Click on the Schema based Users Import to
view the job you created. Click on the “Action” button to start the job.
5. Once the job executes, the users will be imported into Saviynt Security Manager Identity
repository

Import Users using a Database Connection
1. In this type of User import, direct connection is made to the client database to pull the user
details into Saviynt Security Manager database.
2. Go to Admin>Identity Repository> Connections. Click on the “Action” dropdown to “Create
Connection Type” which opens a new page to enter the connectiontype name and
attributes as comma seperated values. Click on “Save” to save the connection type details
entered which is viewable in Connection Type List.
Connection” which opens a new page to enter the connection details. Click on the
“ConnectionType” dropdown and choose the ConnectionType created in step 1, which
displays the attributes given in the Connection type. Enter all the values to be entered and
Click on “Save” to save the connection details.
4. Place the schema files mapping the user details from client database user table to Saviynt
database user table in C:/saviynt/Import/Datafiles/xmlschemaforextranaldbimport
directory
5. Go to Admin>JobControlPanel>Database>UserImportFulljob. Click on the “Add New Job”
which opens a pop up allowing you to create a new instance of the job.
6. Once you created a new instance of the job, Click on the UserImportFulljob to view the job
you created. Click on the “Action” button to start the job.
repository

6.3 Account Administration
6.3.1 View Accounts

1. To view the list of accounts in the Saviynt Security Manager application, go to
ADMIN>Identity Repository> Accounts
Note: A single user may have multiple accounts

2. Click on the accountname to view the user details.

6.3.2 Import Accounts
Import of Accounts into Saviynt Identity repository can be done in 3 ways
Import Accounts from a File
1. Go to Admin>IdentityRepository>Accounts and click on the “Action” dropdown and choose

Upload Account.
Preview” button
3. Upload Account and preview page allows you to map the account file fields to the database
accounts table fields.Map the fields and click on “Import Now” option to import the accounts
into Saviynt Security Manager Identity repository

Import Accounts using a Job
1. Place the Accounts csv file in C:/saviynt/Import/DataFiles directory

2. Place the schema file mapping the account details between the csv file and the database
accounts table fields in C:/saviynt/Import/SAV directory
3. Go to Admin>JobControlPanel>Schema>SchemaBasedAccountsImport Job. Click on the
“Add New Job” which opens a pop up allowing you to create a new instance of the job.
4. Once you created a new instance of the job, Click on the Schema based Accounts Import
to view the job you created. Click on the “Action” button to start the job.
5. Once the job executes, the users will be imported into Saviynt Security manager Identity
repository

Import Accounts using Database Connection
1. In this type of Accounts import, direct connection is made to the client database to pull the
account details into Saviynt database.
Connection Type” which opens a new page to enter the connectiontype name and attributes
as comma seperated values. Click on “Save” to save the connection type details entered
which is viewable in Connection Type List.
4. Place the schema files mapping the accounts details from client database user table to
Saviynt database accounts table in
C:/saviynt/Import/Datafiles/xmlschemaforextranaldbimport directory

5. Go to Admin>JobControlPanel>Database>AccountImportFulljob. Click on the “Add New
Job” which opens a pop up allowing you to create a new instance of the job.
6. Once you created a new instance of the job, Click on the AccountImportFulljob to view the
job you created. Click on the “Action” button to start the job.
repository

6.4 Entitlement Administration
6.4.1 View Entitlement Details

1. To view the list of entitlements in the Saviynt Security Manager, go to ADMIN>Identity
Repository> Entitlements
2. Search for the entitlement you would like to update and click on the entitlement name
to open the details. Update the attributes and click on Update

6.4.2 Import Entitlements
Import of Entitlements into Saviynt Security Manager Identity repository can be done in 2 ways
Import Entitlements from a File
1. Go to Admin>IdentityRepository>Entitlements and click on the “Action” dropdown and

choose Upload Entitlement.
Preview” button
3. Upload Account and preview page allows you to map the Entitlement file fields to the
database Entitlement_values and Entitlement_types table fields.Map the fields and click on
“Import Now” option to import the entitlements into Saviynt Security Manager Identity
repository

Import Entitlements using a Database Connection
1. In this type of Entitlement import, direct connection is made to the client database to pull
the Entitlement details into Saviynt database.
Connection Type” which opens a new page to enter the connectiontype name and
attributes as comma seperated values. Click on “Save” to save the connection type details
entered which is viewable in Connection Type List.
4. Place the schema files mapping the accounts details from client database entitlement table
to Saviynt database Entitlement_values and Entitlement_types table in
C:/saviynt/Import/Datafiles/xmlschemaforextranaldbimport directory
5. Go to Admin>JobControlPanel>Database>EntitlementValuejob. Click on the “Add New Job”
which opens a pop up allowing you to create a new instance of the job.
6. Once you created a new instance of the job, Click on the EntitlementValuejob to view the
job you created. Click on the “Action” button to start the job.
repository

Access Request System (ARS)
7. Logging in and Out from Saviynt Access Request System

This scenario describes how to log in and out from the Saviynt Access Request System. Use a
web browser to access the login page. You can establish either a secure (HTTPS) or unsecure
(HTTP) connection to the Access Request System.
Use the Access Request System Login page URL that is provided by your site administrator. The
URL contains settings that were used when the Access Request System was installed and
configured. For example, the URL might be:
• http://hostname:port/ECM
• https://hostname:port/ECM
This URL is made up of:
• The name of the host system http://hostname that runs the Access Request System.
hostname is the name or IP address of the system where your product is installed.
• The port number of the Access Request System. For example, 8080.
• The context for the Access Request System. This part is always the same: /ECM
Follow these steps to log in or log out the Access Request System
1. Enter the Access Request System URL in your web browser. For example, enter:
http://your_co.com:8080/ECM/
2. Enter your user name in the User ID field.
3. Enter your password.

4. Click Log in to open the Access Request System
Note: Login errors can occur for reasons, which include:
• Either the user name or password is not specified. Both of these fields are
mandatory.
• The specified user name and password do not pass the authentication process.
• A network communication error occurred. When the login process fails, an error
message is displayed. Log in to the Access Request System again to correct any
login errors.
5. Click Log Out when you are done with your tasks. When you log out the Access Request
System, you are redirected to the Login page. For security reasons, log out after you
complete your session.
6. After successful login, you will be shown Access Request System home page

7. List of available items:
An administrator typically configures the access to resources on a service based on the

need for a particular user group.
• Request Access: Submit requests for new/modify/remove account

• View Existing Access: View your current access for an application
• Setup Delegates: Set up another person as your delegate
• Change Password: Change the Saviynt application or connected application
password
• Request History: View history of your requests
• Request Approval: Provide approval for pending requests
• Request Access For Others: You can request access for people reporting to you
• Remove access for others: You can request to remove access for others
• Pending Tasks: View all tasks assigned to you
• Register User: On-board a new user to Saviynt
• Badge: Request for a new badge or asset management

8. Request Access
Saviynt Security Manager allows users and administrators the ability to request and manage
access to resources such as applications, roles, shared folders, email groups etc. Depending upon
the configured view, you can edit and delete the access for yourself and others. A wizard driven
user interface where users can process new access such as accounts, application entitlements,
role and group memberships etc.
8.1 Self-Request (Requesting access for yourself)

This scenario describes how to use Access Request System to provide you access, such as role
membership, accounts and groups. The wizard based user interface provides a unified catalog
of all application access that you can use.
Use the Access Request System to request one or more accesses for yourself from the unified
catalog of accesses. Access Request System supports batch requests by building up a list of
items to request before you go to the next step. For example, you move into a new role, and
you require access to multiple systems or applications.
1. Log on to the Access Request System

2. To initiate the account request process, you can click on “Request Access” button on the
home page
3. Search the application that you want to request access for. After searching, check the
available actions:
a. Add to cart: This will request to add a new account for the selected application

b. Remove account: This will request to remove the account to access the application
c. Modify existing account: This will allow you to modify your existing access to the
application
4. Items are added to the cart once you make the selection
5. Click on 'View Cart' to check what has been added to the cart so far

6. Once clicked on 'View Cart' below window pops up showing cart items.
7. Once you have made all the selections click 'Checkout'.

8. Entitlements Selection: Use the right and left arrow buttons to add new entitlements or
remove existing entitlements.
9. Click entitlements, new window will pop up showing Entitlement, Tcode tab.

10. Click the “Next” button to go to the next screen.

11. Enter the “Business Justification” which is a required field. You can also enter additional
comments in the “Comments” field (optional). Click “Submit” to submit the request for
Approval.
12. Click “Submit” to submit the request for Approval

13. Click on ‘View Status’
14. In the Task History section at the bottom, check the ‘Assignee’ to find out who is the
current approver of the request.

8.2 Request Access for Others
This scenario describes how to use Access Request System to provide you access, such as role
membership, accounts and groups. The wizard based user interface provides a unified catalog
of all application access that you can use.
Use the Access Request System to request one or more accesses for others from the unified
catalog of accesses. Access Request System supports batch requests by building up a list of
items to request before you go to the next step. For example, you move into a new role, and
you require access to multiple systems or applications.
1. Click on 'Request Access for Others' from Access Request System homepage

2. Select the User and click on 'Next'
3. Search the application that you want to request access for. After searching, check the
available actions:
a. Add to cart: This will request to add a new account for the selected application
b. Remove account: This will request to remove the account to access the application
c. Modify existing account: This will allow you to modify your existing access to the
application

4. Items are added to the cart once you make the selection
5. Click on 'View Cart' to check what has been added to the cart so far

6. Once clicked on 'View Cart' below window pops up showing cart items.
7. Once you have made all the selections click 'Checkout'.
8. Entitlements Selection: Use the right and left arrow buttons to add new entitlements or
remove existing entitlements.

9. Click entitlements, new window will pop up showing Entitlement, Tcode tab.

10. Click the “Next” button to go to the next screen.

11. Enter the “Business Justification” which is a required field. You can also enter additional
comments in the “Comments” field (optional). Click “Submit” to submit the request for
Approval.
12. Click “Submit” to submit the request for Approval

13. Click on ‘View Status’
14. In the Task History section at the bottom, check the ‘Assignee’ to find out who is the current
approver of the request.

8.3 Remove Access for Others
Based on your permissions, you can edit or delete the accesses in the Access Request System
for others. The initial user interface page is based on the permissions that you are granted.
1. Log on to the Access Request System

2. Click on 'Remove Access for Others' from ARS homepage

3. Select the user whose complete access needs to be removed.
4. User's Access has been removed as shown below.

9. Request History
This scenario describes how to view the status and details of requests that are submitted from the
Access Request System
1. To view the status of your request, you can use the “Request History” option available in your
home screen
2. Click on the Request ID for additional information:
3. Task History at the bottom of the screen provides additional information regarding the approval
status.

In the Request Details section, you can view status of the individual access request. The
Information provided with the Request section displays a read-only copy of the information
that you supplied on when you submitted the request. This information cannot be edited.

10. Request Approval
This scenario describes how you can use the Access Request System to approve or reject requests
that are assigned to you.
Note: Depending on how your system administrator customized your system, you might not have
access to this task. To obtain access to this task or to have someone complete it for you, contact
your system administrator.
An approval activity is an action item that is displayed as part of a workflow process and requires
your action. You can use the Access Request System to view your activities, approve, and reject
approval requests
1. Log on to Access Request System

2. To check all pending approvals, click on Request Approval
3. Click on the Request ID to view the details:

4. The approver has the ability to accept or reject:
a. Requests for creating new accounts
b. Requests for updating the access level (entitlements)
5. Approver can choose to approve or reject all by clicking on Accept or Reject All

6. Add comments (optional) and click the Confirm button to complete the approval process
7. Your action is processed and request is updated appropriately

11. Tasks
Once the request has been approved, individual tasks are created based on requests. For all the
connected systems, if automated provisioning is turned on, tasks are directly provisioned in the
target system. Else, a manual entry for a task is added and administrators can assign owners to
the task. Owners can view, comment and mark the tasks as complete.

12. Set up a Delegate
This scenario describes how you can use the Access Request System to setup delegation to other
individuals when you are away from the office or on vacation.
1. Click the ‘Setup Delegates’ button on the homepage
2. Click on “Create New Delegate”

3. Provide all the required information on this page to set up the delegate and click the Create
button
4. You can Delete or Edit the request later using the Delete and Edit buttons.

Attestation
13. Attestation Configuration

13.1 General Configuration
Create tasks on Revoke On revoking a user
account/role/entitlement revocation
tasks to deprovision the
account/role/entitlement will get
created in ARS>Pending tasks

User Manager Attestation-Include Users Allows to include users without
without Accounts accounts to be part of user manger
attestation
User Manager Attestation First Step-Show Allows the certifier to include comments
Popup in the step 1 of user manager
certification (Employment verification)
on selecting “YES/NO/No Response”
User Manager Attestation Second Step- Allows the certifier to include comments
Show Popup on Account Responses in the step 2 of user manager
certification (Account verification) on
selecting “YES/NO/No Response”
User Manager Attestation Second Step- Allows the certifier to include comments
Show Popup on Entitlement Responses in the step 2 of user manager
certification (Entitlement verification)
on selecting “YES/NO/No Response”
Complete After First Step Completes the attestation after 1st step
13.2 User Manager Certification Configuration

Create Email template to be sent out on
attestation creation can be configured
First Reminder to Manager Email template to be sent out to the
user manager once the reminder
interval configured in days has passed
can be configured
Second Reminder to Manager Email template to be sent out to the
user manager once the reminder
interval configured in days has passed
can be configured
Complete Email template to be sent out on
attestation completion can be
configured
Owner Email template to be sent out on
certification owner change can be
configured
14. Status of the attestation

Once initiated, status of the Attestation process can be one of the following
a. New and in progress

New - Attestations created newly are in “New” state
In Progress – Attestations in progress are in “In progress” state
b. Completed
If all the users/roles/entitlements are certified, then the attestation can be moved to
“Completed” state
Completed attestations are modifiable by the certification owners
c. Locked
Attestation marked as completed can be “Locked” which marks the end of the
certification process after which reports can be sent out to organization
HR/administrators to take appropriate action
d. Discontinued

Attestation in “New and in progress” state can be discontinued if they were generated
erroneously
15. User Manager Certification
e. Go to Attestation>Create New and enter the attestation name, type as “User manager”,
Security System, Start Date and Enddate and click on “Next”
f. Select the Certifier from the list (Select the manager of the users for whom the
account/entitlement certification is required)
g. Search for the manager and click on “create now” to create the attestation

h. Once the attestation in created, an email notification will be sent out to the user’s
manager. The user manger can click on the link present in the email to login to the
Saviynt application with his credentials. The user manager can view the attestation
assigned to him in Attestation List page when filtered by “New and in progress” state
i. Click on the attestation name to view the attestation

j. In step 1 of Certification, the manager verifies the employment status of the users, i.e. if
the user is his direct reportee/not. If the user reports to him, then he can choose “Works
for me” in Certify All dropdown.
k. If the user does not report to him, then he can choose “Does not Work for me” in Certify
All dropdown, once he selects “Does not work for me” option for a user, then the
certification is completed for that users

l. The completed attestation can be viewable in “Completed” attestations and reports can
be generated and sent to the appropriate person in an organization

m. If the manager chooses “Works for me” in Certify All dropdown for the user, click on
“Next”
n. In step2 of the user manager attestation, the manager can certify the account and
entitlements associated to the account for user reporting to him by selecting “YES/NO”

o. Once the manger has certified the account/entitlement for all the users, click on “Finish
Access Review”. Click “YES” to lock the attestation and click “NO” to complete the
attestation. Completed attestations can be modified by the manager while locked
attestations are no longer modifiable

p. If the manager revokes/ chooses NO for a user account/entitlement in the attestation,
then tasks for revoking the account/entitlement will be created in ARS>Pending Tasks
and the account/entitlement will be revoked for the user in the target application
q. Export Reports - Reports can be downloaded for completed/locked attestations.
To download reports for locked attestations, go to Attestations>Attestation List, choose
Locked in “Show Me” option and click on download report against the attestation for which
the report is to be downloaded. The downloaded report will be in Excel format
r. To download reports for completed attestations, go to Attestations>Attestation List,

choose completed in “Show Me” option and click on download report against the
attestation for which the report is to be downloaded. The downloaded report will be in
Excel format

s. Discontinue Attestation
The user manager can discontinue an attestation in case the attestation was created
erroneously. Attestations in “New and in progress” state can be discontinued by clicking
“Discontinue” button
Once the attestation is discontinued, view the attestation by choosing “Discontinued” in

the Show me option

Appendix
15.1 Import Job Configurations/Scheduling
1. Go to Admin  Job Control Panel  Data  Application Import  Add New Job  Enter
the new job Name  SAVIYNTAWSDATAIMPORT  click on submit and job would be
created.
2. Start the import job
Go to Admin  Job Control Panel  Data  Application Data import  click on the Action
button of the AWS import job which was created in the previous step  Click on start

15.2 Account Import
**Note: Always make sure to run Account import before running Access import.
1. Enter the below details
• System  Select the system from where we want to do an import, AWS in this case which
was created in earlier steps
• External Connection would be selected automatically when we select the System.
• Job type  Select a full import
• Import type  we need to import Account in the first place.
• Click on submit.
• Once the job is run, accounts import is completed.
2. Once the account import job is completed, we can view the accounts  Go to Admin 
Identity Repository  Accounts

15.3 Access Import
1. Repeat the same procedure for Access import
• Select the System
• Job Type  Full Import
• Import Type  Access
• Click on Submit
• Once the job is run, Access import is completed.
2. Once the Access import is completed, we can view the access Go to Admin  Identity
Repository  Entitlements

3. Click on one of the Entitlement  Below are the Entitlement details
4. Click on the other Attributes tab of the entitlement to view various attributes of entitlement.

15.4 Schedule Jobs
1. Go to Admin  Job Control Panel.
2. Select UTILITY  Email History Job (EmailHistoryJob) Select trigger SAVIYNTAWSEMAIL
 Action SCHEDULE as shown in the screen shot

3. Select a suitable schedule and click on Submit to modify the existing settings.
Current Schedule: 5 mins.
Repeat Steps 1 through 3 if the scheduling needs to be changed for remaining jobs as well.
Exercise caution when changing the frequency of Dashboard, Analytics and Data Import Jobs. It
is advisable to reach out to Saviynt support ([email protected]) in need of frequency
change for these jobs.

AWS Setup Guide v7

Uploaded by

Copyright:

Available Formats

AWS Setup Guide v7

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AWS Setup Guide v7

Uploaded by

Copyright:

Available Formats

Saviynt Security Manager v7

AWS Integration & Administration Guide

© Copyright Saviynt INC 2016

Saviynt Security Manager v4.4: AWS Setup Guide 2

2. SAVIYNT STACK SETUP __________________________________________________________________________ 6

4. SAVIYNT SETUP _______________________________________________________________________________ 11

5. CONFIGURE ACCESS REQUEST SYSTEM ____________________________________________________________ 66

5.1 OVERVIEW ________________________________________________________________________________ 66

Saviynt Security Manager v4.4: AWS Setup Guide 3

6. CONFIGURE USERS, ACCOUNTS AND ENTITLEMENTS ________________________________________________ 76

6.1 OVERVIEW ________________________________________________________________________________ 76

ACCESS REQUEST SYSTEM (ARS) ______________________________________________________________________ 95

7. LOGGING IN AND OUT FROM SAVIYNT ACCESS REQUEST SYSTEM _____________________________________ 95

8. REQUEST ACCESS _____________________________________________________________________________ 98

8.1 SELF-REQUEST (REQUESTING ACCESS FOR YOURSELF) ___________________________________________________ 98

9. REQUEST HISTORY ___________________________________________________________________________ 114

10. REQUEST APPROVAL _______________________________________________________________________ 116

11. TASKS ___________________________________________________________________________________ 119

12. SET UP A DELEGATE ________________________________________________________________________ 120

ATTESTATION ____________________________________________________________________________________ 122

13. ATTESTATION CONFIGURATION ______________________________________________________________ 122

13.1 GENERAL CONFIGURATION ____________________________________________________________________ 122

14. STATUS OF THE ATTESTATION ________________________________________________________________ 124

15. USER MANAGER CERTIFICATION ______________________________________________________________ 125

APPENDIX _______________________________________________________________________________________ 132

15.1 IMPORT JOB CONFIGURATIONS/SCHEDULING ________________________________________________________ 132

Saviynt Security Manager v4.4: AWS Setup Guide 4

Please ensure your browser does not block downloads.

Saviynt Security Manager v4.4: AWS Setup Guide 5

2.1.1 Login to AWS Console

Account: Enter the 12- digit AccountID

User Name: Enter the username

Password: Enter the password

2.1.2 Create a stack using Cloud Formation Template.

Saviynt Security Manager v4.4: AWS Setup Guide 6

Private subnet with NAT Windows:

public subnet for CentOS:

Private subnet with NAT CentOS:

and click on Next .

Saviynt Security Manager v4.4: AWS Setup Guide 7

• Stack Name: Name to the stack

Saviynt Security Manager v4.4: AWS Setup Guide 8

Saviynt Security Manager v4.4: AWS Setup Guide 9

Saviynt Security Manager v4.4: AWS Setup Guide 10

3. Elastic Search and Kibana Stack setup for Usage Logs

Saviynt Security Manager v4.4: AWS Setup Guide 11

Saviynt Security Manager v4.4: AWS Setup Guide 12

Saviynt Security Manager v4.4: AWS Setup Guide 13

Saviynt Security Manager v4.4: AWS Setup Guide 14

Saviynt Security Manager v4.4: AWS Setup Guide 15

aws.sns.topic.arn = <ARN of the SNS topic> Ex: arn:aws:sns:us-east-1:661222050851:MyNewTopic

aws.kibana.url=<Kibana URL that has been setup Ex: http://savkibana-elastics-7dk1s0t3mq8g-

11. Go to Services in the Remote desktop as shown:

Saviynt Security Manager v4.4: AWS Setup Guide 16

Saviynt Security Manager v4.4: AWS Setup Guide 17

2. Select Running instances:

3. Select the instance created from the CF template.

Saviynt Security Manager v4.4: AWS Setup Guide 18

Saviynt Security Manager v4.4: AWS Setup Guide 19

Saviynt Security Manager v4.4: AWS Setup Guide 20