
Account having multiple Roles to Entitlement mapping reconciling issue. No API for AccountEntMapping

srinath
Regular Contributor

Hi All,

I have the below issue while I am importing roles and accounts. I am able to import roles and accounts along with the AccounttoEnt mapping as well. But the target application has a user with multiple roles for single role as below.

"respond_data": [
{
"account_name": "30012",
"activestatus": true,
"roleid": "ABNM",
"rolename": "AnnBFGouncement"
},
{
"account_name": "30013",
"activestatus": true,
"roleid": "BsdfasdgP",
"rolename": "Businesdfrtner"
}
]

I am not sure how to pull multiple roles to map with the account. Here I am attaching the Import Account JSON. Could someone quickly help on this?


srinath
Regular Contributor

Adding more information: as of now I am able to map a single role with an account, but here I am looking to map multiple roles with an account.

 

@rushikeshvartak  can you help on this

Please share the AccountImport JSON. You can make listPath : ""

Also share the current CP31 of any 1 account.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Here it is {"Roles":{"entIds":["ANM"],"keyField":"entitlementID"}}

Please find the JSON

{
"accountParams": {
"connection": "ConnAuth",
"processingType": "SequentialAndIterative",
"successResponses": {
"statusCode": [
200
]
},
"unsuccessResponses": null,
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"true"
],
"deleteLinks": false,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
},
"call": {
"ImportAccount": {
"callOrder": 0,
"stageNumber": 0,
"connection": "ConnAuth",
"http": {
"url": "https://xxxx/API/AuthenticationInterface.ashx",
"httpHeaders": {
"Content-Type": "application/json",
"Authorization": "Basic sdfnlksnadgnslgnlkasgnlasngskl"
},
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"APIName\":\"User\",\"PartnerID\":\"H\"}"
},
"listField": "respond_data",
"keyField": "accountID",
"colsToPropsMap": {
"accountID": "account_name~#~char",
"name": "account_name~#~char",
"customproperty12": "roleid~#~char",
"customproperty13": "rolename~#~char",
"customproperty11": "activestatus~#~char",
"status": "activestatus~#~char",
"customproperty31": "STORE#ACC#ENT#MAPPINGINFO~#~char"
}

}

},

"acctEntMappings": {
"Roles": {
"listPath": "",
"idPath": "roleid",
"keyField": "entitlementID"
}
}
},
"entitlementParams": {
"processingType": "SequentialAndIterative",
"entTypes": {
"Roles": {
"entTypeOrder": 0,
"call": {
"importHmxRoles": {
"connection": "HumatrixAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://xxxx/API/AuthenticationInterface.ashx",
"httpHeaders": {
"Content-Type": "application/json",
"Authorization": "Basic sdfnlksnadgnslgnlkasgnlasngskl"
},
"httpParams": "{\"APIName\":\"Rol\",\"PartnerID\":\"HX\",\"ConditionType\":\"manual\"}",
"httpMethod": "POST",
"httpContentType": "application/json"
},
"statusConfig": {
"active": "true",
"inactive": "false"
},
"listField": "respond_data",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "roleid~#~char",
"entitlement_value": "roleid~#~char",
"customproperty1": "rolenamel~#~char",
"customproperty2": "rolenamei~#~char",
"customproperty3": "roletype~#~char",
"customproperty4": "conditiontype~#~char",
"customproperty5": "active~#~char",
"description": "rolenamel~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},

"acctEntParams": {
"connection": "ConnAuth",
"entTypes": {
"Roles": {
"acctIdPath":"accountID",
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "acctToEntMapping"
}


}
}
}
}
}

Try keeping the idpath blank and listpath as Roles as shown below and do access import.

"acctEntMappings": {
"Roles": {
"listPath": "respond_data.roleid",
"idPath": "",
"keyField": "entitlement_value"
}
}

 

https://forums.saviynt.com/t5/identity-governance/rest-connection-import-accounts-and-entitlement-wi... 


Regards,
Rushikesh Vartak

It is giving empty {} results and under entitlement hierarchy I don't see any roles. I rolled back to the old JSON as below

"acctEntMappings": {
"Roles": {
"listPath": "roles",
"idPath": "",
"keyField": "entitlementID"
}
}
}

 

Below is the output at least

CP 31 : {"Roles":{"entIds":["BP"],"keyField":"entitlementID"}}

 

"acctEntMappings": {
"Roles": {
"listPath": "respond_data.roleid",
"idPath": "",
"keyField": "entitlement_value"
}
}


Regards,
Rushikesh Vartak

Show me account CP31 with more than 1 role


Regards,
Rushikesh Vartak

Hi Rushi,

That is the issue: I am not able to pull multiple roles for CP31. It is only getting one role's information even when the user has multiple, as below for example

{
            "account_name": "30012353",
            "activestatus": true,
            "roleid": "ANM",
            "rolename": "Announcement"
        },
        {
            "account_name": "30012353",
            "activestatus": true,
            "roleid": "BP",
            "rolename": "Business Partner"
        },
 
But I am receiving CP31 as {"Roles":{"entIds":["BP"],"keyField":"entitlementID"}}.
I am not sure how to get map multiple role information to CP31. "customproperty31": "STORE#ACC#ENT#MAPPINGINFO~#~char". Do we need to have any other data type or something else?

It's better you go with httpEntToAcct as ProcessingType for acctEntParams

Refer  https://saviynt.freshdesk.com/support/solutions/articles/43000521736-rest-connector-guide%C2%A0 


Regards,
Rushikesh Vartak

There is no separate API to iterate with "id".

How can we achieve this with httpEntToAcct?

You can use same API and it should work

 


Regards,
Rushikesh Vartak

Is this below one Good to try?

 

"acctEntParams": {
"connection": "connAuth",
"entTypes": {
"Roles": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"url": "https://xxxxxx/API/AuthenticationInterface.ashx",
"httpHeaders": {
"Content-Type": "application/json",
"Authorization": "Basic SFhTYXZpeW50X1VBVDo3Y2"
},
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"APIName\":\"UserRoleMapping\",\"PartnerID\":\"HX_SV_API\"}"
},
"listField": "respond_data",
"entIdPath":"roleid",
"entKeyField": "entitlementID",
"acctIdPath": "account_name",
"acctKeyField": "accountID",
"pagination": {
"nextUrl": {
"nextUrlPath": "${response?.completeResponseMap?.next_page==null?null:response.completeResponseMap.next_page}"

Yes


Regards,
Rushikesh Vartak

This is not working, the job is continuously running. I terminated the job and see all roles are getting mapped to the account. I think httpenttoaccount can be used to call the http API and there needs to be an "id" to iterate the connection for the specific id.

 

any more inputs

Reason: the connection name is wrong, it's ConnAuth not connAuth


Regards,
Rushikesh Vartak

The JSON is changed with details here as I am posting on forums... In my JSON the connection name is proper, and moreover, after stopping the job forcefully, I have seen the account having all roles even though it is not part of those roles.

srinath
Regular Contributor

Anyone can help/suggestion on this.

Postman response is below

  "respond_data": [
        {
            "account_name": "30012353",
            "activestatus": true,
            "roleid": "BP",
            "rolename": "Business Partner"
        },
        {
            "account_name": "30012353",
            "activestatus": true,
            "roleid": "ANM",
            "rolename": "Announcement"
        }
  ]
 
How to iterate  and map account with multiple roles - as for single user we have two records 

 

 

srinath
Regular Contributor

Job running continuously

{
"accountParams": {
"connection": "ConnAuth",
"processingType": "SequentialAndIterative",
"successResponses": {
"statusCode": [
200
]
},
"unsuccessResponses": null,
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"true"
],
"deleteLinks": false,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
},
"call": {
"ImportHumatrixTHAccount": {
"callOrder": 0,
"stageNumber": 0,
"connection": "ConnAuth",
"http": {
"url": "https://xxxxx",
"httpHeaders": {
"Content-Type": "application/json",
"Authorization": "Basic SFhTYXZpeW50X1VBVDo3Y2M2MGM5ZWJkZDdlOTFjMjViMW"
},
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"APIName\":\"UserRoleMapping\",\"PartnerID\":\"HX_SV_API\"}"
},
"listField": "respond_data",
"keyField": "accountID",
"colsToPropsMap": {
"accountID": "account_name~#~char",
"name": "account_name~#~char",
"customproperty12": "roleid~#~char",
"customproperty13": "rolename~#~char",
"customproperty11": "activestatus~#~char",
"status": "activestatus~#~char",
"customproperty31": "STORE#ACC#ENT#MAPPINGINFO~#~char"
}

}

}

},
"entitlementParams": {
"processingType": "SequentialAndIterative",
"entTypes": {
"Roles": {
"entTypeOrder": 0,
"call": {
"importHmxRoles": {
"connection": "ConnAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://xxxx",
"httpHeaders": {
"Content-Type": "application/json",
"Authorization": "Basic SFhTYXZpeW50X1VBVDo3Y2M2MGM5ZWJkZDdlOTFjMjViMW"
},
"httpParams": "{\"APIName\":\"RoleMaster\",\"PartnerID\":\"HX_SV_API\",\"ConditionType\":\"manual\"}",
"httpMethod": "POST",
"httpContentType": "application/json"
},
"statusConfig": {
"active": "true",
"inactive": "false"
},
"listField": "respond_data",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "roleid~#~char",
"entitlement_value": "roleid~#~char",
"customproperty1": "rolenamel~#~char",
"customproperty2": "rolenamei~#~char",
"customproperty3": "roletype~#~char",
"customproperty4": "conditiontype~#~char",
"customproperty5": "active~#~char",
"description": "rolenamel~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},

"acctEntParams": {
"connection": "ConnAuth",
"entTypes": {
"Roles": {
"call": {
"call1": {
"processingType": "httpEntToAcct",
"http": {
"url": "https://xxxxx",
"httpHeaders": {
"Content-Type": "application/json",
"Authorization": "Basic SFhTYXZpeW50X1VBVDo3Y2M2MGM5ZWJkZDdlOTFjM"
},
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"APIName\":\"UserRoleMapping\",\"PartnerID\":\"HX_SV_API\",\"Account_Name\":\"${user.employeeid}\"}"
},
"listField": "respond_data",
"entIdPath": "roleid",
"entKeyField": "entitlementID",
"acctIdPath": "account_name",
"acctKeyField": "accountID"
}
}
}
}
}
}

Share JSON used here


Regards,
Rushikesh Vartak

Hi @rushikeshvartak ,

I already shared the JSON. Even so, I am attaching the JSON here. Please let me know if this can help

Change Processing Type "processingType": "httpEntToAcct", to SequentialAndIterative and also specify ${id} in URL


Regards,
Rushikesh Vartak

@rushikeshvartak : What would be the {id}  there is no API with {id} parameter call on application side.

 

Can you post some example here?

Does the API support pulling data with a filter based on account/entitlement?


Regards,
Rushikesh Vartak

Hi Rushikesh,

We have API but when we send account name under body, it gives response as below

Request:

curl --location --request POST 'https:/ \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic SFhTYXZpeW50X1VBVDo3Y2M2M' \
--data-raw '{
  "APIName":"UserRoleMapping",
  "PartnerID":"HX_SV_API",
  "Account_Name":"12353"
}'

Response:

{
    "message_type": "S",
    "message": [
        {
            "message_code": "SUC00004",
            "message_type": "S",
            "message_desc": "Data processed successfully."
        }
    ],
    "respond_data": [
        {
            "account_name": "12353",
            "activestatus": true,
            "roleid": "BP",
            "rolename": "Business "
        },
        {
            "account_name": "12353",
            "activestatus": true,
            "roleid": "ANM",
            "rolename": "Ann"
        }
    ]
}

srinath
Regular Contributor

Any chance to validate?

srinath
Regular Contributor

Can anyone from Saviynt help on this issue, as I just need some clue how I can reconcile multiple roles with the same account using import JSON.

On the application there is no separate API to do reconciliation.

srinath
Regular Contributor

Any help or inputs on the query?

srinath
Regular Contributor

Can someone help to find solution for this case, whether is it achievable or not

Dave
Community Manager

Hi @srinath - I don't have the knowledge to help here, but after reading the thread I'm curious - What question/problem are you still trying to get answered?  It appears that rushikeshvartak helped you quite a bit. 

srinath
Regular Contributor

Hi Dave,

I am looking for help to map user account with entitlement mapping. On the application side there is no separate API to reconcile account with entitlements.

As of now they have two API one is to pull users information and other is to get roles.

We are able to pull roles and users but account to role mapping with single role it is happening but single user having multiple roles associated in the below

 

We have API but when we send account name under body, it gives response as below

Request:

curl --location --request POST 'https:/ \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic SFhTYXZpeW50X1VBVDo3Y2M2M' \
--data-raw '{
  "APIName":"UserRoleMapping",
  "PartnerID":"HX_SV_API",
  "Account_Name":"12353"
}'

Response:

{
    "message_type": "S",
    "message": [
        {
            "message_code": "SUC00004",
            "message_type": "S",
            "message_desc": "Data processed successfully."
        }
    ],
    "respond_data": [
        {
            "account_name": "12353",
            "activestatus": true,
            "roleid": "BP",
            "rolename": "Business "
        },
        {
            "account_name": "12353",
            "activestatus": true,
            "roleid": "ANM",
            "rolename": "Ann"
        }
    ]
}
 
So, I need help whether Saviynt can do account to multiple role association or not in this case.

Try using a custom jar connector if the application team can't change the APIs


Regards,
Rushikesh Vartak

Hi Rushi,

Is there any link for the same type to work with jars?

KirtiAjrot
Saviynt Employee

Hi Srinath,

The requirement you have posted is not something currently supported by the Saviynt REST connector.

As per the logic, the import should bring the account-role association in the CP31, but in this case, every time the same account is found with a new Role, the CP31 will be overwritten and only the last value will be stored.

You should try checking if the API team can change the response to send account details along with an array of Roles he has. You would be able to work with that.

KA

srinath
Regular Contributor

Hi Kirti,

Thanks for information,

But if the response is in the below format, will the REST API connector reconcile all entitlements to the account?

"respond_data": [
{
"account_name": "12353",
"activestatus": true,
"roleid": "BP,PB"
}
]
I mean comma separated with multiple roles?

Yes @srinath , that is possible.

Usually , you will not receive it as comma separated , but as an arraylist, which can be translated via the OOTB REST connector in Saviynt.

KA
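The overwrite described in the replies above, as an added example that is not part of the original thread and not Saviynt's code: a small Python model of why one row per (account, role) pair leaves only the last role in CP31, and how a shim in front of the API could regroup the flat `respond_data` rows into one record per account with a role array. The function names and the `roles` field are assumptions; the CP31 shape is copied from the thread.

```python
import json

# Constructed rows shaped like the thread's UserRoleMapping respond_data.
ROWS = json.loads("""[
  {"account_name": "12353", "activestatus": true, "roleid": "BP"},
  {"account_name": "12353", "activestatus": true, "roleid": "ANM"},
  {"account_name": "30013", "activestatus": true, "roleid": "BP"}
]""")


def last_write_wins(rows):
    """Model of the overwrite described above: each row replaces the mapping
    stored for its account, so only the last role survives."""
    cp31 = {}
    for row in rows:
        cp31[row["account_name"]] = {
            "Roles": {"entIds": [row["roleid"]], "keyField": "entitlementID"}}
    return cp31


def group_roles(rows):
    """Regroup flat rows into one record per account with a role array
    (the 'roles' field name is an assumption), dropping duplicate pairs."""
    grouped = {}
    for row in rows:
        acct, role = row.get("account_name"), row.get("roleid")
        if not acct:
            continue  # a row without an account cannot be correlated
        rec = grouped.setdefault(acct, {"account_name": acct, "roles": []})
        if role and role not in rec["roles"]:
            rec["roles"].append(role)
    return list(grouped.values())


def lost_roles(rows):
    """Roles granted in the target but missing from the overwritten mapping."""
    stored = last_write_wins(rows)
    gaps = {}
    for rec in group_roles(rows):
        kept = stored[rec["account_name"]]["Roles"]["entIds"]
        lost = [r for r in rec["roles"] if r not in kept]
        if lost:
            gaps[rec["account_name"]] = lost
    return gaps


if __name__ == "__main__":
    print(group_roles(ROWS), lost_roles(ROWS))
```

Any account that `lost_roles` reports holds access in the target application that would not appear in an access review built on the imported data, so it is worth running over a sample export before trusting the reconciliation.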

srinath
Regular Contributor

Thanks Kirti @KirtiAjrot, is there any particular document or link I can refer to?

https://saviynt.freshdesk.com/support/solutions/articles/43000521736-rest-connector-guide%C2%A0


Regards,
Rushikesh Vartak