05/21/2024 10:57 PM
We are managing Azure AD groups from Saviynt, and for the update group request we want the request to go to the group's owner(s) (which are stored on the corresponding role in Saviynt).
I have tried using the below custom query, but this is not working and it keeps going to admin:
select userkey from role_owners where rolekey=${REQUESTACCESSOBJ.id}
I have also tried with the "Access Approval" block, but this also has a problem. It sends the approval request to the new owner (which is selected on the update form) as well as the existing owner, which is a problem as a person should not approve a request to set himself as the owner:
So is there a way to send the approval but only to the existing owners of the group (not the one selected on the update form)?
I want to fetch the owners from the corresponding role i.e. ones shown on below screen:
05/21/2024 11:38 PM
Select * from request_access validate rolekey exists
05/21/2024 11:44 PM - edited 05/21/2024 11:47 PM
Every time I submit a group update request the accesskey is different in the request_access table (even though I'm requesting for the same group/role):
REQUEST_ACCESSKEY | ACCESSKEY | ACCESSTYPE | COMMENTS | CONFIDENCE | ENDDATE | PARENTREQUEST | RANK | REQUESTKEY | REQUESTTYPE | STARTDATE | STATUS | USERKEY |
118 | 55 | 1 | Approval Request for Update Role | | Jun 01, 2024 05:00:27 | | | 113 | 3 | May 22, 2024 05:00:27 | 1 | 11 |
117 | 54 | 1 | Approval Request for Update Role<br/><span class="busjustformattask"></span> | | Jun 01, 2024 04:36:25 | | | 112 | 3 | May 22, 2024 04:36:25 | 4 | 11 |
116 | 53 | 1 | Approval Request for Update Role | | Jun 01, 2024 04:33:35 | | | 111 | 3 | May 22, 2024 04:33:35 | 3 | 11 |
115 | 52 | 1 | Approval Request for Update Role<br/><span class="busjustformattask"></span> | | May 31, 2024 11:47:39 | | | 110 | 3 | May 21, 2024 11:47:39 | 4 | 11 |
114 | 51 | 1 | Approval Request for Update Role<br/><span class="busjustformattask"></span> | | May 31, 2024 11:41:27 | | | 109 | 3 | May 21, 2024 11:41:27 | 4 | 11 |
It is not matching with the rolekey or entitlement_valuekey in the roles table:
ROLE_NAME | ROLEKEY | ENTITLEMENT_VALUEKEY |
AZ-A-Saviynt-Test-Group-002 | 33 | 45490 |
So not sure how Saviynt is getting this accesskey, and I am not able to form a CustomQuery.
05/22/2024 12:31 AM
@rushikeshvartak
Thanks to your help on the other thread I was able to make this query, which is working as expected. It seems that for update group requests the ${REQUESTACCESSOBJ.id} object is storing the rolehistorykey from the roles_historychangelog table.
Below is the working custom query:
select
distinct userkey
from
roles_historychangelog rh
join role_owners ro on ro.rolekey = rh.rolekey
where
rh.ROLEHISTORYKEY = ${REQUESTACCESSOBJ.id}
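
The key mismatch described in this thread, reproduced as an added example (not code from the thread or from Saviynt) with Python and sqlite3. The schema is a constructed subset holding only the columns the posted queries name, the rows are constructed sample data, and `?` stands in for `${REQUESTACCESSOBJ.id}`. It also shows a case beyond the thread: when a rolehistorykey happens to equal some other role's rolekey, the first query returns that unrelated role's owners as approvers.

```python
import sqlite3

# Constructed minimal schema: only the columns used by the thread's queries.
SCHEMA = """
CREATE TABLE role_owners (rolekey INTEGER, userkey INTEGER);
CREATE TABLE roles_historychangelog (rolehistorykey INTEGER PRIMARY KEY,
                                     rolekey INTEGER);
"""

# Query from the first post: treats the bound id as a rolekey.
BY_ROLEKEY = "select userkey from role_owners where rolekey = ?"

# Working query from the last post: treats the bound id as a rolehistorykey.
BY_HISTORYKEY = """
select distinct userkey
from roles_historychangelog rh
join role_owners ro on ro.rolekey = rh.rolekey
where rh.rolehistorykey = ?
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed owners: role 33 -> users 11, 12; role 40 -> 99; role 7 -> 21.
    db.executemany("insert into role_owners values (?, ?)",
                   [(33, 11), (33, 12), (40, 99), (7, 21)])
    # Constructed history rows: every update request gets a new key.
    # Key 40 belongs to role 7 and collides with the unrelated rolekey 40.
    db.executemany("insert into roles_historychangelog values (?, ?)",
                   [(54, 33), (55, 33), (40, 7)])
    return db

def approvers(db, query, request_access_obj_id):
    """Approver userkeys for the id the workflow binds into the query."""
    rows = db.execute(query, (request_access_obj_id,)).fetchall()
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = build_db()
    for obj_id in (55, 40):
        print(obj_id,
              "by rolekey:", approvers(db, BY_ROLEKEY, obj_id),
              "by rolehistorykey:", approvers(db, BY_HISTORYKEY, obj_id))
```
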