
Account Name Generation Logic in SaviyntApp in SNOW

ravikumarghr
New Contributor II

We have complex queries to generate unique account names for AD and other applications (account name rule in the endpoint).

When requesting using Saviynt ARS it works fine and generates unique account name as per the logic/code.

When requesting an account from SaviyntApp in ServiceNow, it simply copies the username of the user, not the account name generated by the rule logic.

Can this be configured in SaviyntApp in ServiceNow?


saikanumuri
Saviynt Employee

Hi @ravikumarghr 

Thanks for reaching out. I am checking internally on this scenario and will get back to you asap.

saikanumuri
Saviynt Employee

Hi @ravikumarghr 

Apologies for the delay. Once the request is submitted on ServiceNowApp, the account name gets generated as per the logic defined in your Account Name Rule under the corresponding endpoint.

Please let me know in case you are seeing different behavior and I can assist you in resolving the issue.

Jari_K
New Contributor III

Hi @saikanumuri 

We are seeing this same unexpected behavior also on another customer environment when requesting access from the ServiceNow app to a child endpoint that doesn't have an account for the user.

A new access task is created together with a new account task, instead of using the account from the parent endpoint. I believe this is caused by this issue: the account name doesn't match the one on the parent because it uses the username instead of the name defined by the account name rule.

Jari_K
New Contributor III

Here is an example of how it looks when requests are made using ARS and SaviyntApp for ServiceNow. Test user arska.azure made a request from ARS and reetta.requestor from the SNOW app.

The account name rule works when the request is made from Saviynt ARS but doesn't when the request is made from ServiceNow.

[screenshot attached: Jari_K_0-1701360481666.png]


Can you try

[screenshot attached: rushikeshvartak_0-1701408511038.png]

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Yes, Parent Account Name Pattern has been "select" all the time.

The only other option is GLDAP, which doesn't make sense when the account name should be in email format in our case. I don't know about the original poster's issue. Tried with that as well but no luck.

Did some additional testing and created a new request using Saviynt's createrequest API. When calling this API with Postman I can reproduce the issue. So it seems that for requests from the API the account name rule is not applied and the username is copied as the account name.

Tested with v23.5 and v23.11 with request body:

{
    "requesttype": "add",
    "username": "demo.requestor",
    "endpoint": "ChildEndpoint",
    "createnewaccounttaskifnotexist": "TRUE",
    "roles": [
        {
            "rolename": "Test application rolename",
            "businessjustification": "Created by postman using createrequest API"
        }
    ],
    "comments": "Request from postman"
}
 
Also tested with a different endpoint that had a simple account name rule using just the user's email, and saw the same behavior with the API.

[screenshot attached: Jari_K_1-1701413806605.png]

[screenshot attached: Jari_K_0-1701413741265.png]

Jari_K
New Contributor III

Ok, did more testing again... with the createrequest API it is possible to pass the parameter accountnamefromrule (true/false) in the API call. When it is set to true, the account name rule is applied and the request is created with the correct name.

It seems that ServiceNow is generating the API call without that parameter. In the SaviyntAccessRequestHelper script include there is a function addAppRolesRequest that creates the body for the API call:

var body = {
    "requesttype": "add",
    "username": saviyntUserID,
    "endpoint": endpointName,
    "createnewaccounttaskifnotexist": "TRUE",
    "roles": requestRole,
    "requestor": requesterUserID,
    "comments": comments
};

And since that script cannot be modified the account name rule is not applied.

@saikanumuri Please advise how this can be worked around when requesting application roles? This will prevent us from using Saviynt App for requesting access and will postpone our go-live.
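The following is an added example, not code from the thread, from Saviynt or from the ServiceNow app. It covers the two findings above: the Postman reproduction with the createrequest body, and the ServiceNow script include that builds that body without accountnamefromrule. It builds a createrequest payload that includes the flag, and audits a captured payload (for instance one copied from ServiceNow's outbound HTTP request log) for the missing flag. The API path "/ECM/api/v5/createrequest" and the Bearer-token header are assumptions based on Saviynt's public REST documentation and should be checked against your EIC version; the sample body is constructed here, not captured from a real tenant.

```python
"""Added example (not from the thread, Saviynt or ServiceNow): build a Saviynt
createrequest payload that applies the endpoint account name rule, and audit a
captured payload for the missing accountnamefromrule flag."""
import json
import urllib.request

# Assumption: path of the createrequest API; verify against your EIC version.
CREATEREQUEST_PATH = "/ECM/api/v5/createrequest"


def build_createrequest_body(username, endpoint, roles, requestor=None,
                             comments="", account_name_from_rule=True):
    """Return a createrequest body in the same shape the thread quotes, plus the
    accountnamefromrule flag that the ServiceNow app's body omits."""
    body = {
        "requesttype": "add",
        "username": username,
        "endpoint": endpoint,
        "createnewaccounttaskifnotexist": "TRUE",
        "roles": [{"rolename": r, "businessjustification": comments} for r in roles],
        "comments": comments,
    }
    if requestor:
        body["requestor"] = requestor
    if account_name_from_rule:
        # Without this flag the thread observed the username being copied as
        # the account name instead of the endpoint's account name rule output.
        body["accountnamefromrule"] = "true"
    return body


def audit_createrequest_body(body):
    """Return findings for a createrequest payload; an empty list means the
    account name rule will be evaluated as expected."""
    findings = []
    flag = str(body.get("accountnamefromrule", "")).lower()
    if flag != "true":
        findings.append(
            "accountnamefromrule missing or not 'true': the endpoint account "
            "name rule is not applied and the username becomes the account name")
        if str(body.get("createnewaccounttaskifnotexist", "")).upper() == "TRUE":
            findings.append(
                "createnewaccounttaskifnotexist=TRUE without the rule: a new "
                "account task named after the username may be created instead "
                "of matching the existing parent endpoint account")
    return findings


def submit_createrequest(base_url, token, body, timeout=30):
    """POST the payload to EIC. Not called at import time; needs network access
    and a token obtained from the tenant's login API (assumption: Bearer token)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + CREATEREQUEST_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: the body shape the thread quotes from the ServiceNow app's
# SaviyntAccessRequestHelper.addAppRolesRequest, with no accountnamefromrule.
SNOW_APP_BODY = {
    "requesttype": "add",
    "username": "demo.requestor",
    "endpoint": "ChildEndpoint",
    "createnewaccounttaskifnotexist": "TRUE",
    "roles": [{"rolename": "Test application rolename",
               "businessjustification": "Requested from the ServiceNow app"}],
    "requestor": "reetta.requestor",
    "comments": "Request from ServiceNow",
}

if __name__ == "__main__":
    fixed = build_createrequest_body("demo.requestor", "ChildEndpoint",
                                     ["Test application rolename"],
                                     requestor="reetta.requestor",
                                     comments="Request with rule applied")
    print(json.dumps(fixed, indent=2))
    for finding in audit_createrequest_body(SNOW_APP_BODY):
        print("FINDING:", finding)
```

To use the audit against a real ServiceNow instance, copy the request body of an outbound call to the createrequest path from the instance's outbound HTTP request log into a dict and pass it to audit_createrequest_body; two findings means the call reproduces the behavior described in this thread.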

flucas
Saviynt Employee

Hi @rushikeshvartak and @saikanumuri , could you review the comments? This is tagged as blocker by our customer in order to implement this release of SNow integration with EIC. Thanks in advance for checking it.

saikanumuri
Saviynt Employee

Hi @Jari_K ,

Thanks for the analysis. The script cannot be modified and I would recommend raising a request in the ideas portal.
https://ideas.saviynt.com/

However, as a workaround, you can import the ApplicationRoles as Enterprise roles using CSV upload or Sav4Sav and expose them to users to request from SnowApp so that the AccountName rule gets evaluated during the Enterprise role request.

Jari_K
New Contributor III

Hi,

Thanks for looking into the issue. But I really don't get it. There is a bug in Saviynt app for ServiceNow which you can reproduce and you still want us to raise an idea to possibly fix it somewhere in the future?

As for the workaround, yes, technically that is possible but not very user friendly. Enterprise roles are used as work roles, and bringing in all application roles would drown that single dropdown menu with too many options to be easy to use for end users.

As per the current product design it's working as expected, hence it will be an idea ticket. You can contact your CSM to prioritize the idea.

Regards,
Rushikesh Vartak

Jari_K
New Contributor III

So it is not a bug but a feature that one of the ServiceNow forms does not apply the endpoint's account name rule, while the other out-of-the-box ServiceNow forms do when requesting access without an existing account to the same endpoint?

For child endpoints this causes Saviynt to mismatch account with account in parent endpoint. Which in turn causes either creation of another account or failure of the provisioning task. For example, Azure AD with endpoint filters being used to create logical applications as child endpoints should use the same account as in parent endpoint. Now if the account name rule is not applied those accounts are not connected. Is that also intended?

Would really like to see that design documented too if that is intentional behavior. As it is now, there is no documentation whatsoever about the ServiceNow app not using the account name rule, which leads us to think that the account name should be used, and if it is not, the system is not working as expected.

Hi @Jari_K 

This has been taken as an enhancement by our internal product team.


Thanks

Darshan