
AADGroup recon does not import missing Role

Community_User
Saviynt Employee
Originally posted on February 18 2022 at 16:10 UTC

We're using the Azure AD connector to provision/deprovision AADGroups. These requests originate from API commands to Saviynt, namely the following:


  • Request to Create Entitlement Based Role
  • Request to Delete Entitlement Based Role


These work fine. When a new group is added, the corresponding role is created in Saviynt and the group is successfully added to AAD. When the group is deleted, the group is also successfully deleted from Saviynt and AAD. (Reuse does not work, but that's a separate story).


Now that we are ready to turn the functionality on, we need to reconcile pre-existing AADGroups from the target system into Saviynt to make these available. All group entitlements and memberships are reconciled perfectly, but the pre-existing groups are not paired with their corresponding role in Saviynt. In fact, no role is created at all for the newly-reconciled AADGroup. As a result, the pre-existing groups cannot be controlled (i.e. deleted) by the API command, which yields the following error response:


{
    "msg": "role pre-existing-AAD-group-name not found",
    "errorCode": 1,
    "statusCode": 412
}


Is there any kind of switch that we can enable to include roles in the AAD recon into Saviynt for these groups? If not, what would a good workaround be? I'd really hate to have to manually create all of the missing roles in Saviynt.

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on February 22 2022 at 18:44 UTC

Tessa,


How does this work from the UI? Do the pre-existing groups in AAD even show up in Saviynt?




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on February 24 2022 at 19:23 UTC

Yes, all pre-existing groups show up in the UI after an AAD recon. The problem is that the corresponding roles are not created as part of the recon process.


Community_User
Saviynt Employee
Originally posted on February 24 2022 at 19:30 UTC

Tessa,


If you go to the Manage AAD Groups tile, do the pre-existing groups show up?




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on February 24 2022 at 20:15 UTC

We don't have a Manage AAD Groups tile, but we have a Manage Entitlements tile, from which we can filter on our AAD endpoint. If that's what you are referring to, then yes, we have close to 2,000 reconciled entries.


Tessa


Community_User
Saviynt Employee
Originally posted on February 24 2022 at 20:44 UTC

Tessa,


It looks like you're on a v5.5SP3.x version. Could you let me know the exact version you are on?


The way Group Management works, at least for AD, is that all the pre-existing groups which have been reconciled and are in Active status show up under either "Manage AD Groups" (in your case, "Manage AAD Groups") in v2020 and above, or under the "Manage Roles" tile in v5.5SP3.x. You might also have to go to your SAV Role > Create Request Home Option and select the Azure Groups if not already selected.


All AD/AAD Groups are implemented as "Roles" even though they are actually entitlements. That's how Saviynt manages it. So active existing entitlements show up under "Manage Roles". If you click on the edit icon on the listed role, it should either take you to the corresponding role page or "create" a role object. You can validate that by checking the URL. If the URL has an absolute number, which is the rolekey, then that role already exists (as in the case of groups created from Saviynt itself). If the URL has something like -1 as the rolekey, then it actually "inserted" the role object in the roles table at the time the edit icon was clicked. This is true for all pre-existing groups that were reconciled from the target systems. Subsequent access to the roles should render the actual rolekey since it now exists.


Please check if you can validate this from the UI. Again, this was implemented for AD as part of the v5.5SP3.7 release, so I am not sure if this is applicable in your version.



Hope it helps.





Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on February 28 2022 at 11:11 UTC

Thank you for the detailed explanation. As you suspected, we are currently running an older version, Saviynt v5.5SP3.6.


So, until we upgrade, I was hoping to have a temporary workaround, which would be to manually add the missing roles for those groups that we might want to maintain. So I went to the ARS homepage, selected Manage Roles > ...> AzureAD AADGroup, queried the group of interest, and clicked on the Edit icon. It appears that this added the missing role for my AAD group (entitlement).

When I now try to delete the group via Postman, it no longer fails; I get a success response. So far, so good:

{
    "msg": "success",
    "errorCode": 0,
    "requestid": "",
    "statusCode": 200
}

However, it does not create a pending task in the pending queue to delete the AAD group. The entitlement is not deleted. Nothing happens. If I issue the same Postman call again, I get the same success response, but no apparent action is taken in Saviynt itself.


In other words, we will eventually upgrade, but in the meantime, I'd like a temporary workaround for our customers.


Thanks, Tessa


Community_User
Saviynt Employee
Originally posted on February 28 2022 at 14:57 UTC

Tessa,


So you are saying that the Role was automatically created when you clicked on the edit link?

If you query the role from Data Analyzer, did the Entitlement_ValueKey column in the roles table also get populated, or does that column not even exist?


Can you share the request payload for the delete entitlement?




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on March 11 2022 at 09:18 UTC

Hi Tessa, 


Could you please provide us a response to the question asked, so we can better help you?


Thanks & Regards, 

Belwyn.


Community_User
Saviynt Employee
Originally posted on March 11 2022 at 10:22 UTC

I apologize, I responded on 2/28/2022 to the email, assuming the response would be posted to this site, but it wasn't. Here was my response:


That is correct. Saviynt created the basic role (without a display name or a description). I went to check the Roles on the Admin side:


There is no entitlement_valuekey field in the roles table (in our version at least). But maybe these queries answer your question:

select entitlement_valuekey
from entitlement_values
where entitlement_value = 'SaviyntTestGroup8';

13315703

select rolekey
from role_entitlements
where entitlement_valuekey = 13315703;

No Data Found.

The API command used to attempt to delete the group is as follows:

{{url}}/ECM/{{path}}/createrequest

{
    "accesstype": "roles",
    "roletype": "6",
    "requestor": "Api_ServiceAccount",
    "entitlementtype": "AADGroup",
    "securitysystem": "Azure AD Teams CaaP",
    "endpoint": "Azure AD Teams CaaP",
    "requesttype": "delete",
    "role_name": "SaviyntTestGroup8"
}

Thanks, Tessa

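The two queries above, generalized as an added example (not Saviynt's own code or schema): a check over a constructed, simplified copy of the three tables the thread names (entitlement_values, roles, role_entitlements) that reports, for every AADGroup entitlement, whether it is linked to a role, has a role row but no role_entitlements link (the state observed after clicking the Edit icon), or has no role at all. The entitlementtype and role_name columns and all sample rows are assumptions.

```python
import sqlite3

# Constructed, simplified schema modelled on the tables named in the thread;
# a real Saviynt database has many more columns than this.
SCHEMA = """
CREATE TABLE entitlement_values (
    entitlement_valuekey INTEGER PRIMARY KEY,
    entitlement_value    TEXT NOT NULL,
    entitlementtype      TEXT NOT NULL
);
CREATE TABLE roles (rolekey INTEGER PRIMARY KEY, role_name TEXT NOT NULL);
CREATE TABLE role_entitlements (rolekey INTEGER NOT NULL, entitlement_valuekey INTEGER NOT NULL);
"""

# Constructed sample data: one group created through Saviynt (fully linked),
# one reconciled group whose role was created via the Edit icon but never
# linked (the thread's SaviyntTestGroup8 case), and one with no role at all.
SAMPLE = """
INSERT INTO entitlement_values VALUES (13315703, 'SaviyntTestGroup8', 'AADGroup');
INSERT INTO entitlement_values VALUES (13315704, 'SaviyntCreatedGroup', 'AADGroup');
INSERT INTO entitlement_values VALUES (13315705, 'LegacyGroupNoRole', 'AADGroup');
INSERT INTO roles VALUES (101, 'SaviyntCreatedGroup');
INSERT INTO roles VALUES (102, 'SaviyntTestGroup8');
INSERT INTO role_entitlements VALUES (101, 13315704);
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def classify_groups(conn, entitlementtype="AADGroup"):
    """Return {group_name: 'linked' | 'role-not-linked' | 'missing-role'}."""
    query = """
    SELECT ev.entitlement_value, r.rolekey, re.rolekey
    FROM entitlement_values ev
    LEFT JOIN roles r ON r.role_name = ev.entitlement_value
    LEFT JOIN role_entitlements re ON re.entitlement_valuekey = ev.entitlement_valuekey
    WHERE ev.entitlementtype = ?
    """
    result = {}
    for name, role_key, link_key in conn.execute(query, (entitlementtype,)):
        if link_key is not None:
            result[name] = "linked"           # role exists and is joined to the entitlement
        elif role_key is not None:
            result[name] = "role-not-linked"  # role row only; delete requests will no-op
        else:
            result[name] = "missing-role"     # createrequest returns 412 "role ... not found"
    return result
```

Calling classify_groups(open_sample_db()) yields one status per group; on a real database only the names that come back as anything other than "linked" need remediation.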

Community_User
Saviynt Employee
Originally posted on March 11 2022 at 10:25 UTC

Email response never included back on 2/28


Community_User
Saviynt Employee
Originally posted on March 17 2022 at 14:51 UTC

Tessa,


What is the response you get when you execute the createrequest API to delete the role?




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on March 23 2022 at 08:34 UTC

For SaviyntTestGroup8, the response is the same as posted earlier (without a requestid value because it does not create a pending request at this point since the group has already been deleted, I suspect, even though the role is still present):


{
    "msg": "success",
    "errorCode": 0,
    "requestid": "",
    "statusCode": 200
}


Tessa

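As an added example (not Saviynt's or the poster's code), the caller-side check the thread implies: build the createrequest delete body shown earlier and classify the response so that a 200 with an empty requestid (accepted, but no pending task created) is flagged rather than treated as a successful delete. Field names and the three response shapes come from the thread; the requestor, security system and endpoint defaults are placeholders.

```python
# Assumed placeholders mirroring the thread's payload; replace with real values.
DEFAULT_REQUESTOR = "Api_ServiceAccount"
DEFAULT_SYSTEM = "Azure AD Teams CaaP"

def build_delete_request(group_name, requestor=DEFAULT_REQUESTOR,
                         securitysystem=DEFAULT_SYSTEM, endpoint=DEFAULT_SYSTEM):
    """Body for POST {{url}}/ECM/{{path}}/createrequest, as used in the thread."""
    return {
        "accesstype": "roles",
        "roletype": "6",
        "requestor": requestor,
        "entitlementtype": "AADGroup",
        "securitysystem": securitysystem,
        "endpoint": endpoint,
        "requesttype": "delete",
        "role_name": group_name,
    }

def classify_response(resp):
    """Map a createrequest response to an outcome the caller must act on."""
    status = resp.get("statusCode")
    if status == 412 and "not found" in str(resp.get("msg", "")):
        return "role-missing"        # no role object behind the reconciled group
    if status == 200 and resp.get("errorCode") == 0:
        if resp.get("requestid"):
            return "queued"          # a pending request exists; track it in the queue
        return "accepted-no-task"    # HTTP 200, but nothing will be deleted
    return "error"

def needs_attention(resp):
    """True unless the delete actually produced a pending request."""
    return classify_response(resp) != "queued"

# Constructed sample responses, copied in shape from the thread.
SAMPLE_RESPONSES = {
    "missing": {"msg": "role pre-existing-AAD-group-name not found",
                "errorCode": 1, "statusCode": 412},
    "silent": {"msg": "success", "errorCode": 0, "requestid": "", "statusCode": 200},
    "queued": {"msg": "success", "errorCode": 0, "requestid": "REQ-PLACEHOLDER",
               "statusCode": 200},
}
```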

Community_User
Saviynt Employee
Originally posted on March 23 2022 at 21:25 UTC

Hi Tessa,


Can you try the same operation with different workflows under Admin > Global Configurations > Roles and validate whether they behave the same way?




Regards,

Avinash Chhetri
