Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Create Actionable Analytics report to update email address on account

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on April 30 2021 at 20:59 UTC

I would like to create an Actionable Report that displays all accounts with missing email addresses and uses the "Update Account" action to allow owners to supply the missing value.


I reviewed the documentation but am not able to find any information about how the Update Account action works. is it possible to take specific input from the reviewer and update corresponding attribute values (email) on the account?


Is what i'm trying to do possible? I can create the report with the update account action but I can't figure out how to tell it what needs to be updated.

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
4 REPLIES 4

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on May 1 2021 at 11:01 UTC

Hi Rob,


What you want to achieve is defintely possible.

By looking around multiple articles in Saviynt, I came up with the following solution :

Create an Analytics with the following query :

SELECT a.accountkey as 'acctKey', u.username, 'updateAccount' as 'Default_Action_For_Analytics' FROM users u left join user_accounts ua on u.userkey=ua.userkey left join accounts a on ua.accountkey=a.accountkey WHERE a.endpointkey=XX and a.custompropertyX is null and u.email is not null

where :

  • a.endpointkey=XX matches the endpoint key for which you want the account to be updated
  • a.custompropertyX is the email value retrieved from account import, if you can actually read this information and reconcile on an account property in SSM
  • u.email is not null to only catch identities with an email address.
What will actually do the job for you is to mention 'updateAccount' as 'Default_Action_For_Analytics ' in your SELECT statement.This has been pure guessing by looking at this article :https://saviynt.freshdesk.com/support/discussions/topics/43000524370
It also describes how you run the job and trigger action leveraging the AnalyticsESJob .
TIPS :
  • Since AnalyticsESJob targets a category, I'd advice to create a custom one, whe you'd store all the analytics that includes default action to be executed.
  • I also recommend to schedule the report itself to be updated frequently so it only sends updateAccount action for up to date missing values. (This could be done after account import from your application)
Hope this helps !

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on May 3 2021 at 14:01 UTC

Hi Adrien - thanks for the detailed response. While it does help me understand the general functionality of the actionable reports better, my use case is a bit different.


I believe the solution you provided would update a missing email address on an account from the email address on the correlated identity; I'm looking for a way to have the report reviewer actually type in the email address vs pull it from the identity. For context: We have a large number of 3rd party "vendor" accounts that were onboarded directly into active directory by various organizations in our business prior to Saviynt. We now want to start gathering email addresses for these old accounts. Since there's no single HR source of truth for the data we need to have each org owner (there are hundreds) provide emails for the accounts affiliated with their org.

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on May 3 2021 at 16:55 UTC

Hi Rob.

Then your requirement can be done this way :

  • Create a report with the query I mentioned above so it uses, at least the "accountkey as 'acctKey'" to ensure Saviynt understand which account should be updated
  • Remove from that query the "'updateAccount' as 'Default_Action_For_Analytics'" since it won't be useful then.
  • Add more users column to guide end users on which account belongs to which identity.
  • Your analytics must include the "Update Account" as Allowed Action.
  • Once you have created and run your report, you will be able to select the account for which you want the update to be triggered. When chosing the option, the UI will prompt a pop-up to add a comment for the task to be created => Here, I would recommend to teach end users to enter the email address to insert for that account.
  • In parallel, you must configure your AD connector's "UPDATEACCOUNTJSON" parameter to have the email mapping as following :

"email":"${task.source.equals('ANALYTICS')?task.comments:null!=user.email?user.email:''}"

This would get the task.comments value inserted by the reviewer if the task has effectively been created through a report (task source is ANALYTICS). If task comes from another processn you can then mention user's email if it exists, for example.

However, I'm not sure if "task.comments" is enough or if you should get the email by manipulating this variable.


Hope this helps !

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on May 3 2021 at 17:33 UTC

So basically just use the comment to capture the input and parse that to apply the update. Makes sense - i will give it a try.


Thanks!

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.