Workflow - CustomQuery to get Azure AD Group Owners Approval

yogesh2
Regular Contributor

We are managing Azure AD groups from Saviynt, and for the update group request we want the request to go to the group's owner(s) (which are stored on the corresponding role in Saviynt).

I have tried using the custom query below, but this is not working and it keeps going to admin:

select userkey from role_owners where rolekey=${REQUESTACCESSOBJ.id} 

yogesh2_0-1716357021022.png

I have also tried the "Access Approval" block, but this also has a problem. It sends the approval request to the new owner (which is selected on the update form) as well as the existing owner, which is a problem, as a person should not approve a request to set himself as the owner:

yogesh2_1-1716357060885.png

 

So is there a way to send the approval but only to the existing owners of the group (not the one selected on the update form)?
I want to fetch the owners from the corresponding role, i.e. the ones shown on the screen below:

yogesh2_2-1716357313228.png

3 REPLIES

rushikeshvartak
All-Star

Select * from request_access and validate that the rolekey exists.


Regards,
Rushikesh Vartak

Every time I submit a group update request, the accesskey is different in the request_access table (even though I'm requesting the same group/role):

| REQUEST_ACCESSKEY | ACCESSKEY | ACCESSTYPE | COMMENTS | CONFIDENCE | ENDDATE | PARENTREQUEST | RANK | REQUESTKEY | REQUESTTYPE | STARTDATE | STATUS | USERKEY |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 118 | 55 | 1 | Approval Request for Update Role | | Jun 01, 2024 05:00:27 | | | 113 | 3 | May 22, 2024 05:00:27 | 1 | 11 |
| 117 | 54 | 1 | Approval Request for Update Role<br/><span class="busjustformattask"></span> | | Jun 01, 2024 04:36:25 | | | 112 | 3 | May 22, 2024 04:36:25 | 4 | 11 |
| 116 | 53 | 1 | Approval Request for Update Role | | Jun 01, 2024 04:33:35 | | | 111 | 3 | May 22, 2024 04:33:35 | 3 | 11 |
| 115 | 52 | 1 | Approval Request for Update Role<br/><span class="busjustformattask"></span> | | May 31, 2024 11:47:39 | | | 110 | 3 | May 21, 2024 11:47:39 | 4 | 11 |
| 114 | 51 | 1 | Approval Request for Update Role<br/><span class="busjustformattask"></span> | | May 31, 2024 11:41:27 | | | 109 | 3 | May 21, 2024 11:41:27 | 4 | 11 |

It is not matching with the rolekey or entitlement_valuekey in the roles table:

 

ROLE_NAME ROLEKEY ENTITLEMENT_VALUEKEY
AZ-A-Saviynt-Test-Group-0023345490

So I am not sure how Saviynt is getting this accesskey, and I am not able to form a CustomQuery.

@rushikeshvartak 
Thanks to your help on the other thread, I was able to make this query, which is working as expected. It seems that for update group requests the ${REQUESTACCESSOBJ.id} object is storing the rolehistorykey from the roles_historychangelog table.

Below is the working CustomQuery:

select
	distinct userkey
from
	roles_historychangelog rh
	join role_owners ro on ro.rolekey = rh.rolekey
where
	rh.ROLEHISTORYKEY = ${REQUESTACCESSOBJ.id}
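
The key mismatch described in the last post, reproduced as an added example on a constructed SQLite miniature of the two tables; this is not code from the thread or from Saviynt. Only the columns used by the two queries are modelled, every key value is made up, and the `?` parameter stands in for ${REQUESTACCESSOBJ.id}:

```python
import sqlite3

# Constructed miniature of the two tables named in the thread. Role 7 is the
# group being updated (owners 101 and 102); role 55 is an unrelated role.
SCHEMA = """
CREATE TABLE role_owners (rolekey INTEGER, userkey INTEGER);
CREATE TABLE roles_historychangelog (rolehistorykey INTEGER, rolekey INTEGER);
INSERT INTO role_owners VALUES (7, 101), (7, 102), (55, 900);
INSERT INTO roles_historychangelog VALUES (54, 7), (55, 7);
"""

# First attempt from the thread: treats the bound id as a rolekey.
DIRECT = "SELECT userkey FROM role_owners WHERE rolekey = ? ORDER BY userkey"

# Working query from the thread: resolves the id through the change log first.
VIA_HISTORY = """
SELECT DISTINCT ro.userkey
FROM roles_historychangelog rh
JOIN role_owners ro ON ro.rolekey = rh.rolekey
WHERE rh.rolehistorykey = ?
ORDER BY ro.userkey
"""


def approvers(query, request_object_id):
    """Return the userkeys a query selects for one update request id."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        return [row[0] for row in con.execute(query, (request_object_id,))]
    finally:
        con.close()


if __name__ == "__main__":
    for rid in (54, 55):  # two update requests for the same role 7
        print(rid, "direct:", approvers(DIRECT, rid),
              "via history:", approvers(VIA_HISTORY, rid))
```

In this constructed data, id 54 matches no rolekey, so the direct query selects nobody, while id 55 happens to equal an unrelated role's rolekey and selects that role's owner instead. The join through roles_historychangelog returns the owners of role 7 for both requests.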