
AD Admin Account Provisioning through ServiceNow Catalog Items

SinghAtul
Regular Contributor

Hi all,

We have a requirement to auto provision the AD ADMIN accounts whenever the ServiceNow ADM Catalog items are imported as accounts to Saviynt.

We are making use of the Saviynt CreateAccountRequest REST API to submit the new account request. We have an Auto-Approval workflow attached to the Security System (Active Directory) to auto-approve such create account requests. Through Postman we are able to submit a New Account Request and a task is created in Saviynt. But when trying the same in Saviynt, the task is not generated.

Below is the ImportAccntEntJson we have configured:

{
	"accountParams": {
		"connection": "snowAuth",
		"processingType": "SequentialAndIterative",
		"successResponses": {
			"statusCode": [
				200
			]
		},
		"call": {
			"call1": {
				"callOrder": 0,
				"stageNumber": 0,
				"http": {
					"url": "https://xxxxx.service-now.com/api/now/table/u_adm_accounts_management/023fe9441b544dd08dc80e5fe54bcb...",
					"httpHeaders": {
						"Authorization": "${access_token}"
					},
					"httpContentType": "application/json",
					"successResponses": {
						"statusCode": [
							200,
							201
						]
					},
					"httpMethod": "GET"
				},
				"listField": "result",
				"keyField": "accountID",
				"statusConfig": {
					"active": "Active",
					"inactive": "Inactive"
				},
				"colsToPropsMap": {
					"accountID": "u_employee_id~#~char",
					"name": "u_employee_name~#~char",
					"displayname": "u_employee_name~#~char",
					"status": "u_status~#~char",
					"customproperty1": "u_adm_id~#~char",
					"customproperty2": "u_source~#~char",
					"customproperty3": "u_require_azure_ad_access~#~char",
					"customproperty4": "sys_id~#~char",
					"customproperty5": "sys_updated_by~#~char",
					"customproperty6": "u_manager~#~char",
					"customproperty7": "sys_created_by~#~char",
					"customproperty8": "u_review_date~#~char"
				}
			},
			"call2": {
				"connection": "ssmAuth",
				"callOrder": 1,
				"stageNumber": 3,
				"http": {
					"url": "https://xxxxxx.saviyntcloud.com/ECM/api/v5/createrequest",
					"httpHeaders": {
						"Authorization": "${access_token}"
					},
					"httpContentType": "application/json",
					"successResponses": {
						"statusCode": [
							200,
							201,
							204
						]
					},
					"unsuccessResponses": {
						"statusCode": [400, 403, 401, 404, 409, 501, 500]
					},
					"httpMethod": "POST",
					"httpParams": "{\"requesttype\": \"NEW\",\"username\": \"${'c'+(account.accountID)}\",\"endpoint\": \"Active Directory\",\"securitysystem\": \"Active Directory\",\"comments\": \"AD admin account request\",\"accountname\": \"${account.customproperty1}\",\"requestor\": \"${account.customproperty7}\",\"checksod\": \"true\"}"
				},
				"inputParams": {
					"dependentCall": true
				}
			}
		}
	},
	"entitlementParams": {},
	"acctEntParams": {}
}

We have added the "dependentCall" parameter, and callOrder and stageNumber are also configured properly.

Currently, we are importing only one account (catalog item) from ServiceNow and trying to create the New AD Account Request for that catalog item. We are passing the values received in the call1 response to call2 by using "account.accountID", "account.customproperty1", etc.

We tried hardcoding the values like below since we are importing only one catalog item for now.

"httpParams": "{\"requesttype\": \"NEW\",\"username\": \"c056155\",\"endpoint\": \"Active Directory\",\"securitysystem\": \"Active Directory\",\"comments\": \"AD admin account request\",\"accountname\": \"adm056155\",\"requestor\": \"a423767\",\"checksod\": \"true\"}"

Even with hardcoded values it is not working and the CreateAccount task is not getting created.

Please advise whether this is a feasible option. Is it something that Saviynt doesn't support and that's why it is not working? How else can we achieve our requirement then?

Thanks.

16 REPLIES

khalidakhter
Saviynt Employee

Hi

To use the createRequest API, please verify that a proper workflow has been set up in the corresponding Security System. If you still face any issues, I will recommend trying the same API through Postman first and see if you are able to submit the request successfully.

@khalidakhter 

We have an auto approval workflow attached to the Security System. Through Postman we are able to call the createRequestAPI and Task is generated in Saviynt.


SinghAtul
Regular Contributor

@khalidakhter 

Hi,

The second call (the Saviynt API call) is not being called at all. We cannot see this call being made in the logs. The call1 (for the ServiceNow account) is being made and is successful.

The job shows status as Success, even though call2 is not being called.

Are we missing something here? I cannot find any issue in the ImportAccntEntJson. Why is this call not being made?

Please guide.

khalidakhter
Saviynt Employee

Hi

Currently, REST Connector does not support different authentication types for multiple calls in AccountParams.
However, you need to add nextAPIKeyField for iteration in the second call.

You can submit this requirement in our Ideas portal to take it as an enhancement.

SinghAtul
Regular Contributor

@khalidakhter 

We tried this JSON. We are now getting a 401 error for call2 (SSM API call). call1 (SNOW API call) is working. The job is showing failure.

I think that we are getting this unauthorized error because of the reason you mentioned: REST Connector does not support different authentication types for multiple calls in AccountParams.

Can you suggest any alternate way of achieving this?

Thanks.

khalidakhter
Saviynt Employee

I will check and let you know @SinghAtul 

@khalidakhter 

Any updates on this?

khalidakhter
Saviynt Employee

Hi @SinghAtul 

I checked the requirement and came up with a workaround using analytics. You can create actionable analytics that can detect new accounts in EIC and can perform actions on that for creating new account tasks for the Active Directory endpoint.

New account action is not supported by analytics


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@khalidakhter @rushikeshvartak 

Yes, I checked the same. I couldn't find an option to Create Account in the Action for Analytics.

khalidakhter
Saviynt Employee

@SinghAtul 

Sorry for the earlier suggestion. I agree that Saviynt does not support the capability to trigger a New Account task from analytics. I recommend submitting this idea in Saviynt's Ideas portal so that it can be picked up as a future enhancement.

However, the other workaround is a slightly more complex approach, as below:
1. You need to use SavforSav to update those users' custom property for which a new account should get triggered for an endpoint.
2. Create a Technical Rule to trigger the New Account task based on the user field value.

@khalidakhter 

This seems achievable. However, I am having a hard time configuring the Saviynt4Saviynt Connector.

I have set up the Saviynt4Saviynt DB connector. In order to modify the user's custom property, what should I use: the UpdateUserJson or MODIFYUSERDATAJSON?

Also, for the UserImport I am using the below JSON:

<dataMapping>
	<sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
		<![CDATA[SELECT users.username as UName,
		users.employeeid as UEmployeeId
		from users]]>
	</sql-query>
	<importsettings>
		<zeroDayProvisioning>false</zeroDayProvisioning>
		<generateEmail>false</generateEmail>
		<userNotInFileAction>NOACTION</userNotInFileAction>
		<checkRules>true</checkRules>
		<buildUserMap>false</buildUserMap>
		<generateSystemUsername>false</generateSystemUsername>
		<userOperationsAllowed>UPDATE</userOperationsAllowed>
		<userReconcillationField>username</userReconcillationField>
	</importsettings>
	<mapper description="This is the mapping field for Saviynt Field name">
		<mapfield saviyntproperty="username" sourceproperty="UName" type="character"></mapfield>
		<mapfield saviyntproperty="employeeid" sourceproperty="UEmployeeId" type="character"></mapfield>
	</mapper>
</dataMapping>

Does this seem OK?


For MODIFYUSERDATAJSON I am using below:

{
	"ADDITIONALTABLES": {
		"USERS": "SELECT EMPLOYEEID FROM users",
		"ACCOUNTS": "SELECT ACCOUNTID FROM accounts WHERE ENDPOINTKEY = 6"
	},
	"COMPUTEDCOLUMNS": [
		"customproperty60"
	],
	"PREPROCESSQUERIES": [
		"UPDATE NEWUSERDATA LEFT JOIN CURRENTUSERS ON NEWUSERDATA.EMPLOYEEID = CURRENTUSERS.EMPLOYEEID LEFT JOIN CURRENTACCOUNTS ON NEWUSERDATA.EMPLOYEEID = CURRENTACCOUNTS.ACCOUNTID SET NEWUSERDATA.customproperty60 = 1"
	]
}

Can you please check the JSONs once?

Thanks.

Hi @SinghAtul 

If I understand your requirement correctly, you're trying to set Customproperty60 for all users who don't have an account (endpointkey=6). Is that correct? If yes, please use the below query in the userimportxml and you wouldn't require the inline pre-processor. Sharing the updated XML below. Please let me know if this helps.

<dataMapping>
	<!-- Users with no account on endpointkey 6 get customproperty60 = '1'; the subquery returns userkey so that it can be compared with u.userkey -->
	<sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
		<![CDATA[SELECT u.username as UName,u.employeeid as UEmployeeId,'1' as cp60 from users u where u.userkey not in (select userkey from user_accounts where accountkey in (select accountkey from accounts where endpointkey=6))]]>
	</sql-query>
	<importsettings>
		<zeroDayProvisioning>false</zeroDayProvisioning>
		<generateEmail>false</generateEmail>
		<userNotInFileAction>NOACTION</userNotInFileAction>
		<checkRules>true</checkRules>
		<buildUserMap>false</buildUserMap>
		<generateSystemUsername>false</generateSystemUsername>
		<userOperationsAllowed>UPDATE</userOperationsAllowed>
		<userReconcillationField>username</userReconcillationField>
	</importsettings>
	<mapper description="This is the mapping field for Saviynt Field name">
		<mapfield saviyntproperty="username" sourceproperty="UName" type="character"></mapfield>
		<mapfield saviyntproperty="employeeid" sourceproperty="UEmployeeId" type="character"></mapfield>
		<mapfield saviyntproperty="customproperty60" sourceproperty="cp60" type="character"></mapfield>
	</mapper>
</dataMapping>

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

SinghAtul
Regular Contributor

Hi @naveenss ,

Thanks for the suggestion.

Is it possible to use multiple select statements in the above example?

Like:

<![CDATA[SELECT (case when a.status='1' then '1' when a.status='2' then '0' else '3' end) as cp58 from users u inner join accounts a on u.employeeid = a.accountid and a.endpointkey=6]]>

<![CDATA[SELECT (case when b.status='1' then '1' when b.status='2' then '0' else '3' end) as cp59 from users u inner join accounts b on u.employeeid = b.customproperty6 and b.endpointkey=2]]>

 

Thanks,

Atul Singh

Use union


Regards,
Rushikesh Vartak

Hi @SinghAtul ,

No, you cannot use multiple select statements in a single XML. As mentioned by Rushikesh, you can use union and combine the results of both the queries to form one result set.

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.
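
Added example, not part of the original thread and not Saviynt's own code: one way to combine the two SELECT statements from the question into a single result set with UNION, as the replies suggest. It runs against an in-memory SQLite database with constructed rows so it can be checked offline; the outer MAX/GROUP BY, which collapses the result to one row per username, and the assumption of at most one account per user per endpoint go beyond what the thread states.

```python
import sqlite3

# Constructed sample data. Table and column names follow the queries quoted
# in the thread; the rows themselves are made up for this example.
SCHEMA = """
CREATE TABLE users (username TEXT, employeeid TEXT);
CREATE TABLE accounts (accountid TEXT, status TEXT, endpointkey INTEGER,
                       customproperty6 TEXT);
INSERT INTO users VALUES ('c056155', '056155'), ('c000002', '000002'),
                         ('c000003', '000003');
INSERT INTO accounts VALUES
  ('056155',    '1', 6, NULL),      -- endpoint 6 account, status 1
  ('adm056155', '2', 2, '056155'),  -- endpoint 2 account linked via customproperty6
  ('000002',    '5', 6, NULL);      -- endpoint 6 account, status neither 1 nor 2
"""

# Each branch fills its own column and pads the other with NULL so both
# branches have the same shape. MAX ignores NULL, so the outer GROUP BY
# folds the branches into one row per user (assumes one account per user
# per endpoint; with several, MAX picks the largest code).
COMBINED = """
SELECT UName, MAX(cp58) AS cp58, MAX(cp59) AS cp59
FROM (
  SELECT u.username AS UName,
         CASE WHEN a.status='1' THEN '1' WHEN a.status='2' THEN '0' ELSE '3' END AS cp58,
         NULL AS cp59
  FROM users u INNER JOIN accounts a
       ON u.employeeid = a.accountid AND a.endpointkey = 6
  UNION ALL
  SELECT u.username,
         NULL,
         CASE WHEN b.status='1' THEN '1' WHEN b.status='2' THEN '0' ELSE '3' END
  FROM users u INNER JOIN accounts b
       ON u.employeeid = b.customproperty6 AND b.endpointkey = 2
) t
GROUP BY UName
ORDER BY UName
"""

def combined_rows():
    """Return (UName, cp58, cp59) rows produced by the combined query."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rows = con.execute(COMBINED).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    for row in combined_rows():
        print(row)
```

Users with no account on either endpoint (c000003 here) do not appear at all because both branches use inner joins, so an UPDATE-only import leaves their existing property values untouched.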