This guide walks you through connecting your Saviynt Identity Governance and Administration (IGA) platform to TruU TOTAL for persona generation and threat detection.

Overview

TOTAL ingests identity governance events from your Saviynt instance via the Saviynt REST API. We poll the audit log and access request endpoints on a configurable interval to collect, normalize, and correlate access governance events — including access requests, approval workflows, entitlement changes, role assignments, certification campaigns, and policy violations.

Connector Type: Polling

Prerequisites

  • Saviynt Administrator access with permission to create service accounts and manage API access
  • Saviynt Enterprise Identity Cloud (EIC) instance with active users and governance workflows
  • API access enabled on your Saviynt tenant
  • Approximately 15 minutes to complete setup

Step 1: Identify Your Saviynt Instance URL

  1. Sign in to your Saviynt Admin Console
  2. Your instance URL follows the format https://your-company.saviyntcloud.com
  3. Paste the Base URL into the TruU Portal

Step 2: Create a Service Account

  1. In the Saviynt Admin Console, navigate to Admin → Identity Repository → Users
  2. Click Create User
  3. Enter:
    • Username: truu-total-integration
    • Email: Your TOTAL admin contact email
    • User Type: Service Account
  4. Click Save
  5. Set a strong password for this account

Step 3: Grant API Permissions

  1. Navigate to Admin → SAV Roles
  2. Create or assign a role with the following API permissions:
    • Read Audit Logs (/ECM/api/v5/getAuditLogs)
    • Read Access Request History (/ECM/api/v5/getRequestHistory)
    • Read User Data (/ECM/api/v5/getUser)
    • Read Entitlements (/ECM/api/v5/getEntitlements)
    • Read Roles (/ECM/api/v5/getRoles)
    • Read Certification Data (/ECM/api/v5/getCertificationData)
  3. Assign this role to the truu-total-integration user
  4. Click Save
All permissions are read-only. TOTAL cannot create, approve, or modify access requests or governance workflows.

Step 4: Enter Credentials in the TruU Portal

In the TruU Portal, navigate to Settings → Connectors → Add Connector → Saviynt and enter:
  • Saviynt Base URL: https://your-company.saviyntcloud.com
  • Username: truu-total-integration
  • Password: The service account password
Click Test Connection to verify. TOTAL will authenticate and confirm access to the audit log endpoints.

Security & Privacy

What We Access

  • Read-only access to Saviynt audit logs and access request history via REST API
  • Queries use timestamp filtering — we only fetch new events since the last poll
  • All API calls use HTTPS (TLS 1.2+)

What We Don’t Have Access To

  • Write access to your Saviynt instance
  • Ability to create, approve, or reject access requests
  • Access to user passwords or Saviynt configuration
  • Administrative functions or policy management

Updating or Rotating Credentials

  1. In Saviynt Admin Console, navigate to Identity Repository → Users
  2. Find the truu-total-integration user
  3. Reset the password
  4. Paste the new password in the TruU Portal under the Saviynt connector settings
  5. Click Test Connection to verify

Revoke Access

To immediately remove TOTAL’s access:
  1. Option A — Disable in the TruU Portal:
    • Go to the TruU Portal → Settings → Connectors
    • Find the Saviynt connector and click Disable
  2. Option B — Disable the service account:
    • In Saviynt, navigate to Identity Repository → Users
    • Find truu-total-integration and click Disable
  3. Option C — Delete the service account:
    • Find truu-total-integration and click Delete

Rate Limiting & Scalability

Saviynt API Rate Limits

| Parameter | Limit |
| --- | --- |
| API requests | Tenant-level throttling (no published fixed limit) |
| Audit log page size | Configurable per request |
| Throttle response | HTTP 429 with retry guidance |

Ingestion Capacity

IGA events are inherently low-volume. A large enterprise with 100K+ users typically generates 1K–15K Saviynt events/day (with spikes up to 50K during certification campaigns). At ~5–10 req/s practical throughput, TOTAL has orders of magnitude of headroom above expected volume. Rate limiting is rarely a factor for this signal class.

Event Freshness

Events appear in the Saviynt audit log within seconds to low minutes. TOTAL polls on a configurable interval (default: 5 minutes). End-to-end latency is typically under 10 minutes.

Resilience

TOTAL uses cursor-based ingestion with at-least-once delivery. The polling cursor only advances after events are successfully collected, normalized, and published. If any step fails, the cursor stays put and the next poll replays from the last known-good position. No events are lost. Transient failures (429s, 5xx, timeouts) are retried automatically with exponential backoff. After 5 consecutive failures, the connector self-pauses and can be re-enabled from the TruU Portal. On recovery from an extended outage, TOTAL resumes from its last cursor — Saviynt retains audit logs for the configured retention period.
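
The cursor and retry behavior described above, as an added sketch (not TruU's connector code). The `Poller` class, the `(performedOn, id)` cursor, the 1-second base delay and the partial-publish failure are assumptions made for illustration; the sample log is constructed.

```python
MAX_CONSECUTIVE_FAILURES = 5  # per the page: connector self-pauses after 5

class TransientError(Exception):
    """Stands in for a 429, 5xx or timeout."""

# Constructed sample audit log (field names follow the page's sample event).
AUDIT_LOG = [
    {"id": 1, "action": "Request Submitted", "performedOn": "2026-03-15T10:00:00.000Z"},
    {"id": 2, "action": "Request Approved", "performedOn": "2026-03-15T10:22:45.000Z"},
    {"id": 3, "action": "Role Assigned", "performedOn": "2026-03-15T10:22:45.000Z"},
]

class Poller:
    def __init__(self, fetch, publish, base_delay=1.0, max_delay=60.0):
        self.fetch, self.publish = fetch, publish
        self.base_delay, self.max_delay = base_delay, max_delay
        self.cursor = ("", 0)  # (performedOn, id); id breaks timestamp ties
        self.failures, self.paused = 0, False

    def poll_once(self):
        """Run one poll; return seconds to wait before the next attempt."""
        if self.paused:
            raise RuntimeError("connector paused; re-enable it to resume")
        try:
            events = self.fetch(self.cursor)
            self.publish(events)  # if this raises, the cursor has not moved
        except TransientError:
            self.failures += 1
            self.paused = self.failures >= MAX_CONSECUTIVE_FAILURES
            return min(self.max_delay, self.base_delay * 2 ** (self.failures - 1))
        if events:
            self.cursor = max((e["performedOn"], e["id"]) for e in events)
        self.failures = 0
        return 0.0

def fetch_since(cursor):
    return [e for e in AUDIT_LOG if (e["performedOn"], e["id"]) > cursor]

def run_demo(fail_first_n):
    """Publish fails fail_first_n times; returns (delays, delivered ids, poller)."""
    attempts, delivered = [0], []
    def publish(events):
        attempts[0] += 1
        if attempts[0] <= fail_first_n:
            delivered.extend(e["id"] for e in events[:1])  # partial publish
            raise TransientError("simulated 503 mid-batch")
        delivered.extend(e["id"] for e in events)
    poller, delays = Poller(fetch_since, publish), []
    while not poller.paused and (not delays or delays[-1] > 0):
        delays.append(poller.poll_once())
    return delays, delivered, poller
```

With two failures before success, `run_demo(2)` delivers event 1 three times: at-least-once delivery means a consumer has to deduplicate, for example on the `platform_event_id` carried in the normalized event.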

Connector Design

Each connector polls on an independent, configurable interval. Events are batched and published in per-user order to preserve sequence integrity for persona building. Connector workers are stateless and scale horizontally. All polling intervals, page sizes, and batching parameters are tunable from the TruU Portal.

Part 2: Event Types & Data Schema

Signal Classification

| Signal Class | TOTAL Category |
| --- | --- |
| Identity Governance (IGA) | Admin, Access |

Event Types We Ingest

TOTAL extracts the following categories of events from Saviynt. Every event ingested is tied to a specific human identity — either the user performing the action or the user being acted upon. System-level events (campaign launches, configuration changes, report generation) that cannot be attributed to a specific person are excluded.

Access Request Events

| Saviynt Event Type | Description | TOTAL Classification |
| --- | --- | --- |
| Request Submitted | User submits a new access request | Access |
| Request Approved | Access request approved by approver | Access |
| Request Rejected | Access request rejected by approver | Access |
| Request Auto-Approved | Access request auto-approved by policy | Access |
| Request Escalated | Access request escalated to next approver | Access |
| Request Expired | Access request expired without action | Access |
| Request Cancelled | Access request cancelled by requester | Access |

Entitlement & Role Events

| Saviynt Event Type | Description | TOTAL Classification |
| --- | --- | --- |
| Entitlement Granted | Entitlement provisioned to user | Admin |
| Entitlement Revoked | Entitlement removed from user | Admin |
| Role Assigned | Role assigned to user | Admin |
| Role Removed | Role removed from user | Admin |
| Entitlement Auto-Provisioned | Entitlement provisioned by birthright rule | Admin |
| Entitlement Auto-Revoked | Entitlement revoked by lifecycle rule | Admin |

User Lifecycle Events

| Saviynt Event Type | Description | TOTAL Classification |
| --- | --- | --- |
| User Created | New user provisioned in Saviynt | Admin |
| User Updated | User attributes modified | Admin |
| User Disabled | User account disabled | Admin |
| User Enabled | User account re-enabled | Admin |
| User Terminated | User terminated and deprovisioned | Admin |
| Account Created | Application account created for user | Admin |
| Account Disabled | Application account disabled | Admin |
| Account Deleted | Application account deleted | Admin |

Certification & Compliance Events

| Saviynt Event Type | Description | TOTAL Classification |
| --- | --- | --- |
| Access Certified | Reviewer certified a user’s access as appropriate | Admin |
| Access Revoked (Certification) | Reviewer revoked a user’s access during certification | Admin |
| Certification Escalated | Certification item for a user escalated to next reviewer | Admin |

SoD & Policy Violation Events

| Saviynt Event Type | Description | TOTAL Classification |
| --- | --- | --- |
| SoD Violation Detected | Segregation of Duties violation detected | Alert |
| SoD Violation Approved | SoD violation approved with exception | Alert |
| SoD Violation Mitigated | SoD violation mitigated with compensating control | Alert |
| Policy Violation | Governance policy violation detected | Alert |
| Risk Score Changed | User risk score changed | Alert |

Audit Trail Events

| Saviynt Event Type | Description | TOTAL Classification |
| --- | --- | --- |
| Admin Login | Administrator logged into Saviynt | Authentication |
| Bulk Action Executed | Admin executed bulk provisioning or deprovisioning affecting users | Admin |

Sample Source Event (Saviynt Audit Log)

{
  "id": 1048576,
  "action": "Request Approved",
  "objectType": "AccessRequest",
  "objectName": "REQ-2026-00451",
  "performedBy": "john.manager@acme.com",
  "performedFor": "jane.doe@acme.com",
  "performedOn": "2026-03-15T10:22:45.000Z",
  "details": {
    "requestId": "REQ-2026-00451",
    "requestType": "Add Access",
    "entitlementName": "AWS-Admin-ReadOnly",
    "entitlementType": "Role",
    "applicationName": "AWS Production",
    "justification": "Quarterly audit review requires read access to production logs",
    "riskLevel": "Medium",
    "approvalLevel": 2,
    "approverComments": "Approved for 90-day window per policy",
    "expirationDate": "2026-06-15T00:00:00.000Z"
  },
  "sourceIP": "10.0.1.45",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
  "status": "SUCCESS",
  "timestamp": "2026-03-15T10:22:45.000Z"
}

TOTAL Normalized Event

{
  "event_id": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
  "event_type": "ACCESS",
  "source": "SAVIYNT",
  "signal_type": "IGA",
  "domain_id": "customer-domain-001",
  "tuid": "tuid-jane-doe-001",
  "timestamp": "2026-03-15T10:22:45.000Z",
  "payload": {
    "event_id": 1048576,
    "user": "jane.doe@acme.com",
    "action": "Request Approved",
    "request_id": "REQ-2026-00451",
    "request_type": "Add Access",
    "entitlement": "AWS-Admin-ReadOnly",
    "application": "AWS Production",
    "approver": "john.manager@acme.com",
    "risk_level": "Medium",
    "status": "SUCCESS"
  },
  "raw_metadata": {
    "platform_event_id": "1048576",
    "action": "Request Approved",
    "object_type": "AccessRequest",
    "object_name": "REQ-2026-00451",
    "performed_by": "john.manager@acme.com",
    "performed_for": "jane.doe@acme.com",
    "request_type": "Add Access",
    "entitlement_name": "AWS-Admin-ReadOnly",
    "entitlement_type": "Role",
    "application_name": "AWS Production",
    "justification": "Quarterly audit review requires read access to production logs",
    "risk_level": "Medium",
    "approval_level": 2,
    "approver_comments": "Approved for 90-day window per policy",
    "expiration_date": "2026-06-15T00:00:00.000Z",
    "source_ip": "10.0.1.45",
    "status": "SUCCESS",
    "created_at": "2026-03-15T10:22:45.000Z",
    "source_platform": "saviynt"
  },
  "platform_event_id": "1048576",
  "platform_event_source": "SAVIYNT_API"
}

How This Feeds TOTAL

Persona Building

Saviynt events define the access boundary of each user’s persona. By tracking which entitlements, roles, and applications a user has been granted access to — and the governance workflows that authorized that access — TOTAL builds a precise model of what each identity should be doing. This separates baseline user behavior from expected privileged actions, particularly for administrators and operators.

Anomaly Detection

TOTAL’s behavioral engine uses Saviynt events to detect:
  • Abnormal privilege activation — access requests for entitlements outside a user’s historical pattern or job function
  • Privilege accumulation — gradual buildup of entitlements that collectively represent excessive access
  • Governance bypass indicators — auto-approved requests that circumvent normal approval chains, or bulk provisioning actions
  • SoD violations — segregation of duties conflicts that indicate a single identity holds incompatible privileges
  • Certification anomalies — rubber-stamping patterns where reviewers certify all access without meaningful review
  • Orphaned access — entitlements that persist after role changes or termination events
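
One way the orphaned-access check in the list above can be expressed over the event types this page ingests, as an added example (not TruU's detection engine). It assumes every grant and revoke event carries the entitlement or role name in `details.entitlementName`, as the sample source event does; the `ev` helper, the function name and the sample events are constructed.

```python
from collections import defaultdict

# Event type names are taken from the tables on this page.
GRANT = {"Entitlement Granted", "Entitlement Auto-Provisioned", "Role Assigned"}
REVOKE = {"Entitlement Revoked", "Entitlement Auto-Revoked", "Role Removed",
          "Access Revoked (Certification)"}

def find_orphaned_access(events):
    """Return {user: sorted entitlements still held by a terminated user}."""
    held = defaultdict(set)
    terminated = set()
    # Replay in event order; polling batches may arrive out of order.
    for e in sorted(events, key=lambda e: (e["performedOn"], e["id"])):
        user, action = e["performedFor"], e["action"]
        name = e.get("details", {}).get("entitlementName")  # assumed field
        if action in GRANT and name:
            held[user].add(name)      # also catches grants made after termination
        elif action in REVOKE and name:
            held[user].discard(name)
        elif action == "User Terminated":
            terminated.add(user)
    return {u: sorted(held[u]) for u in terminated if held[u]}

def ev(i, action, user, ts, ent=None):
    """Build a constructed event in the shape of the page's sample source event."""
    return {"id": i, "action": action, "performedFor": user,
            "performedOn": ts, "details": {"entitlementName": ent} if ent else {}}

# Constructed sample stream, deliberately out of order.
SAMPLE = [
    ev(5, "Role Removed", "jane.doe@acme.com", "2026-03-20T09:05:00.000Z", "Finance-Approver"),
    ev(1, "Entitlement Granted", "jane.doe@acme.com", "2026-03-01T09:00:00.000Z", "AWS-Admin-ReadOnly"),
    ev(2, "Role Assigned", "jane.doe@acme.com", "2026-03-02T09:00:00.000Z", "Finance-Approver"),
    ev(4, "User Terminated", "jane.doe@acme.com", "2026-03-20T09:00:00.000Z"),
    ev(3, "Entitlement Auto-Provisioned", "bob@acme.com", "2026-03-03T09:00:00.000Z", "VPN-Basic"),
    ev(6, "User Terminated", "bob@acme.com", "2026-03-21T00:00:00.000Z"),
    ev(7, "Entitlement Auto-Revoked", "bob@acme.com", "2026-03-21T00:10:00.000Z", "VPN-Basic"),
    ev(8, "User Terminated", "carol@acme.com", "2026-03-22T00:00:00.000Z"),
    ev(9, "Entitlement Granted", "carol@acme.com", "2026-03-23T00:00:00.000Z", "Payroll-Admin"),
    ev(10, "Entitlement Granted", "alice@acme.com", "2026-03-24T00:00:00.000Z", "Git-Write"),
]
```

In the sample, one terminated user keeps an entitlement that was never revoked and another receives a grant after termination; both are reported, while the user whose access was auto-revoked by a lifecycle rule is not.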

Breach Lifecycle Coverage

Saviynt events provide primary coverage across Scope / Lateral Movement and Privilege Escalation stages. By monitoring the governance layer, TOTAL detects when an attacker (or compromised insider) begins expanding their access footprint — often the clearest signal of intent before data exfiltration occurs.