04/13/2023 01:58 AM
Connector : REST
Environment : DEV
Version : 5.5 SP 3.13
Steps to replicate : Run the access import job for REST connector application and check the status and logs.
Go to Entitlements->Advanced->Filter using Security System and Endpoint->Search for entitlements.
Expected Result : Entitlements associated with application must be reflected in Saviynt.
Findings : We have seen that the entitlements are being retrieved properly from the URL via the SIGA access import and in API calls. We are able to see all application group information, including the group ID, in the SIGA application logs with 'responseStatusCode ::200'. But the entitlements are not appearing in the Saviynt UI.
ImportAccountEntJSON (URL is cleared):
{
  "accountParams": {},
  "entitlementParams": {
    "connection": "userAuth",
    "processingType": "SequentialAndIterative",
    "entTypes": {
      "groups": {
        "entTypeOrder": 0,
        "call": {
          "call1": {
            "callOrder": 0,
            "stageNumber": 0,
            "http": {
              "url": "URL",
              "httpHeaders": {
                "content-Type": "application/json",
                "Accept": "application/json",
                "Authorization": "${access_token}"
              },
              "httpContentType": "application/json",
              "httpMethod": "GET"
            },
            "listField": "",
            "keyField": "entitlementID",
            "colsToPropsMap": {
              "entitlementID": "${groupInfoList.groupId}~#~char",
              "entitlement_value": "${groupInfoList.groupName}~#~char",
              "customproperty1": "${groupInfoList.groupId}~#~char",
              "customproperty2": "${groupInfoList.createdDate}~#~char",
              "displayname": "${groupInfoList.groupName}~#~char"
            },
            "disableDeletedEntitlements": true
          }
        }
      }
    }
  },
  "acctEntParams": {}
}
Please advise.
04/13/2023 02:06 AM
Please add acctEntParams :
"acctEntParams": {
  "entTypes": {
    "Roles": {
      "call": {
        "call1": {
          "processingType": "http",
          "connection": "userAuth",
          "http": {
            "url": "****",
            "httpContentType": "application/json",
            "httpMethod": "GET",
            "httpHeaders": {
              "Authorization": "${access_token}"
            }
          },
          "listField": "value",
          "acctKeyField": "accountID",
          "entKeyField": "entitlementID",
          "acctIdPath": "UserId",
          "entIdPath": "SecurityRoleIdentifier"
        }
      }
    }
  }
}
04/13/2023 09:19 AM
Added "acctEntParams" and ran the import access job.
Getting the same result.
Able to see the entitlements in the SIGA application logs with name, groupID, created date, etc.
Also, the import status is showing success. But the entitlements are not showing in the Saviynt UI.
2023-04-13/16:03:06.234 [{}] [quartzScheduler_Worker-10] DEBUG jobs.ApplicationDataImportJob - Setting the value of import status
2023-04-13/16:03:06.234 [{}] [quartzScheduler_Worker-10] DEBUG jobs.ApplicationDataImportJob - Import status :: Success
04/16/2023 09:56 PM
Hello,
Did you check the below article :
Using the Saviynt Integration (saviyntcloud.com)
04/19/2023 03:06 PM
I have followed the REST connector guide and used the Saviynt recommended JSONs only.
I have gone through the above link as well. So, the expectation is that entitlements need to be reflected in the UI via the access import job after the account import. You can see that the API call is successful and it is showing in the logs. The mapping parameters also seem fine. So, I am looking for guidance or assistance to troubleshoot why these entitlements are not reflecting in the UI.
A snippet of the SIGA application log is added here.
2023-04-19/21:37:16.874 [{}] [quartzScheduler_Worker-9] DEBUG rest.RestUtilService - Got showLogs = true
2023-04-19/21:37:16.875 [{}] [quartzScheduler_Worker-9] DEBUG rest.RestProvisioningService - Got Webservice API Response: [headers:[Date: Wed, 19 Apr 2023 21:37:16 GMT, Server: Apache, X-Robots-Tag: none, Vary: Cookie, x-request-id: "xxxxxxxxxxxxx", Cache-Control: no-cache, no-store, must-revalidate, Pragma: no-cache, Expires: 0, Content-Length: 2398, Strict-Transport-Security: max-age=31536000;, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT", Keep-Alive: timeout=15, max=200, Connection: Keep-Alive, Content-Type: application/json;charset=UTF-8], responseText:{"groupInfoList":[{"groupId":"CBJCHBCAABAAUOQR7SAEzVStV6rl8jE_FS_Re6Pt6chX","createdDate":"2021-08-16T07:39:22Z","groupName":"Canada - Rothmanns & Bensons","isDefaultGroup":false},{"groupId":"CBJCHBCAABAAcmVSfyOLBcirz6xBDpJRiffYoB5HdQv8","createdDate":"2019-10-17T17:21:30Z","groupName":"Default Group","isDefaultGroup":true},{"groupId":"CBJCHBCAABAAkoIO7384VExGm_ExrVGgasiAnR1KEON6","createdDate":"2021-12-02T14:20:08Z","groupName":"Digital Signature","isDefaultGroup":false},{"groupId":"CBJCHBCAABAAjTmMQLZZ1GbORz-9nWkBUtaaXLa5NKNP","createdDate":"2020-12-22T16:32:25Z","groupName":"EHS&S","isDefaultGroup":false},{"groupId":"CBJCHBCAABAAUOR-pR0PFuXOg3hHG4lWA5NfNY00fOJ8","createdDate":"2020-03-17T11:24:16Z","groupName":"Finance","isDefaultGroup":false},{"groupId":"CBJCHBCAABAARU-WDqsqaayBCgltkBEqMlFoEg7mN4RU","createdDate":"2020-03-17T10:47:00Z","groupName":"Legal","isDefaultGroup":false},
I have read about a limitation of the REST connector on the import operation in the link you provided. It was suggested to manually import the entitlements with group_id as the entitlement ID.
Please advise.
04/20/2023 03:58 AM
In the log snippet you can see the group details being retrieved properly from the application side via the SIGA import access job run. Do I need to make any changes to the Import JSON for further testing?
Also, is there any workaround, like a manual upload, that I can perform to bring up the objects for further configuration?
04/21/2023 08:45 AM
04/23/2023 11:35 PM
Hi @Happy333 ,
Analyzing the debug log snippet, I see that the listpath and the ColsToProps attributes are not mapped properly.
Please find the attached document containing an updated JSON to import the values of entitlement type Group.
Thank you
Vedanth B.K
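An added example (not from the thread, and not the attachment referred to above): a pre-flight check of listField and colsToPropsMap against a captured response body. It assumes listField is a dotted path to the array and that each column expression is resolved against one array element; the sample response, the placeholder IDs and CANDIDATE_CALL are constructed for illustration.

```python
import json
import re

# Constructed response with the same shape as the logged body (placeholder IDs).
SAMPLE_RESPONSE = json.loads("""{"groupInfoList": [
  {"groupId": "GID-0001", "createdDate": "2021-08-16T07:39:22Z",
   "groupName": "Finance", "isDefaultGroup": false},
  {"groupId": "GID-0002", "createdDate": "2019-10-17T17:21:30Z",
   "groupName": "Default Group", "isDefaultGroup": true}]}""")

COLUMNS = {"entitlementID": "groupId", "entitlement_value": "groupName",
           "customproperty1": "groupId", "customproperty2": "createdDate",
           "displayname": "groupName"}

# listField and column expressions as posted in the thread.
THREAD_CALL = {"listField": "", "colsToPropsMap": {
    col: "${groupInfoList.%s}~#~char" % field for col, field in COLUMNS.items()}}

# Hypothetical alternative: array named in listField, columns relative to each item.
CANDIDATE_CALL = {"listField": "groupInfoList", "colsToPropsMap": {
    col: "%s~#~char" % field for col, field in COLUMNS.items()}}


def walk(node, dotted):
    """Follow a dotted path through nested dicts; None if a step is missing."""
    for key in filter(None, dotted.split(".")):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def lint_mapping(call, response):
    """List the problems found when the call's mapping is applied to response."""
    problems = []
    records = walk(response, call.get("listField", ""))
    if not isinstance(records, list):
        problems.append("listField %r does not point at an array" % call.get("listField"))
        records = [response]  # fall back to treating the whole body as one record
    for col, expr in call["colsToPropsMap"].items():
        # Drop the ~#~type suffix and an optional ${...} wrapper to get the path.
        path = re.sub(r"^\$\{(.*)\}$", r"\1", expr.split("~#~")[0])
        for i, rec in enumerate(records):
            value = walk(rec, path)
            if value is None or isinstance(value, (dict, list)):
                problems.append("%s: %r yields no scalar in record %d" % (col, path, i))
                break
    return problems


if __name__ == "__main__":
    print("\n".join(lint_mapping(THREAD_CALL, SAMPLE_RESPONSE)) or "no problems")
```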
04/24/2023 11:28 AM
Thanks for the response. We have tried the import of accounts, access and memberships one by one using partial JSON: initially the account import, then the access import. We also made some changes to the mapping, and we were able to get the application entitlements synced with Saviynt. But accounts are not completely reflecting in Saviynt. Out of 2000+ users only around 100 users are getting imported. Do we need to update pagination? Please suggest the things which may be blocking the full account import from the target. Also, memberships are not getting synced either.
04/27/2023 12:21 AM
Hi @Happy333
If one page yields only 100 accounts, pagination is necessary to obtain the remaining accounts from the target application. Depending on the kind of pagination that the target application exposes, the pagination block needs to be configured in the JSON.
Please check out our REST connector document, which includes a thorough description with numerous samples and examples. Attaching a link for reference:
Developers-Handbook->ImportAccountEntJSON->Common features->Support for Pagination
Thank you
Vedanth B.K
04/28/2023 04:35 AM
Sure Vedanth. I am already on it. Thanks for your response.