06/02/2023 12:29 AM - edited 06/02/2023 05:58 AM
Hi all,
We have a requirement to auto provision the AD ADMIN accounts whenever the ServiceNow ADM Catalog items are imported as accounts to Saviynt.
We are making use of the Saviynt CreateAccountRequest REST API to submit the new account request. We have an Auto-Approval workflow attached to the Security System (Active Directory) to auto-approve such create account requests. Through Postman we are able to submit a New Account Request and a task is created in Saviynt. But when trying the same in Saviynt, the task is not generated.
Below is the ImportAccntEntJson we have configured:
{
  "accountParams": {
    "connection": "snowAuth",
    "processingType": "SequentialAndIterative",
    "successResponses": {
      "statusCode": [
        200
      ]
    },
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "https://xxxxx.service-now.com/api/now/table/u_adm_accounts_management/023fe9441b544dd08dc80e5fe54bcb...",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/json",
          "successResponses": {
            "statusCode": [
              200,
              201
            ]
          },
          "httpMethod": "GET"
        },
        "listField": "result",
        "keyField": "accountID",
        "statusConfig": {
          "active": "Active",
          "inactive": "Inactive"
        },
        "colsToPropsMap": {
          "accountID": "u_employee_id~#~char",
          "name": "u_employee_name~#~char",
          "displayname": "u_employee_name~#~char",
          "status": "u_status~#~char",
          "customproperty1": "u_adm_id~#~char",
          "customproperty2": "u_source~#~char",
          "customproperty3": "u_require_azure_ad_access~#~char",
          "customproperty4": "sys_id~#~char",
          "customproperty5": "sys_updated_by~#~char",
          "customproperty6": "u_manager~#~char",
          "customproperty7": "sys_created_by~#~char",
          "customproperty8": "u_review_date~#~char"
        }
      },
      "call2": {
        "connection": "ssmAuth",
        "callOrder": 1,
        "stageNumber": 3,
        "http": {
          "url": "https://xxxxxx.saviyntcloud.com/ECM/api/v5/createrequest",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/json",
          "successResponses": {
            "statusCode": [
              200,
              201,
              204
            ]
          },
          "unsuccessResponses": {
            "statusCode": [400, 403, 401, 404, 409, 501, 500]
          },
          "httpMethod": "POST",
          "httpParams": "{\"requesttype\": \"NEW\",\"username\": \"${'c'+(account.accountID)}\",\"endpoint\": \"Active Directory\",\"securitysystem\": \"Active Directory\",\"comments\": \"AD admin account request\",\"accountname\": \"${account.customproperty1}\",\"requestor\": \"${account.customproperty7}\",\"checksod\": \"true\"}"
        },
        "inputParams": {
          "dependentCall": true
        }
      }
    }
  },
  "entitlementParams": {},
  "acctEntParams": {}
}
We have added the "dependentCall" parameter, and callOrder and stageNumber are also configured properly.
Currently, we are importing only one account (catalog item) from ServiceNow and trying to create the New AD Account Request for that catalog item. We are passing the values received in the call1 response to call2 by using "account.accountID", "account.customproperty1", etc.
We tried hardcoding the values like below, since we are importing only one catalog item for now.
"httpParams": "{\"requesttype\": \"NEW\",\"username\": \"c056155\",\"endpoint\": \"Active Directory\",\"securitysystem\": \"Active Directory\",\"comments\": \"AD admin account request\",\"accountname\": \"adm056155\",\"requestor\": \"a423767\",\"checksod\": \"true\"}"
Even with hardcoded values it is not working, and the CreateAccount task is not getting created.
Please advise whether this is a feasible option. Is it something that Saviynt doesn't support, and that's why it is not working? How else can we achieve our requirement then?
Thanks.
06/04/2023 11:21 PM
Hi
To use the createRequest API, please verify that a proper workflow has been set up in the corresponding Security System. If you still face any issues, I would recommend trying the same API through Postman first to see if you are able to submit the request successfully.
06/05/2023 12:44 AM - edited 06/05/2023 12:49 AM
We have an auto approval workflow attached to the Security System. Through Postman we are able to call the createRequestAPI and Task is generated in Saviynt.
06/07/2023 08:02 AM
Hi,
The second call (the Saviynt API call) is not being called at all. We cannot see this call being made in the logs. The call1 (for the ServiceNow account) is being made and succeeds.
The job shows its status as Success, even though call2 is not being called.
Are we missing something here? I cannot find any issue in the ImportAccntEntJson. Why is this call not being made?
Please guide.
06/08/2023 01:14 AM
06/08/2023 06:24 AM
We tried this JSON. We are getting a 401 error now for call2 (SSM API call). call1 (SNOW API call) is working. The job is showing failure.
I think that we are getting this unauthorized error because of the reason you mentioned. REST Connector does not support different authentication types for multiple calls in AccountParams.
Can you suggest any alternate way of achieving this?
Thanks.
06/09/2023 01:38 AM
I will check and let you know @SinghAtul
06/15/2023 11:44 PM
Any updates on this?
06/16/2023 07:49 AM
Hi @SinghAtul
I checked the requirement and came up with a workaround using analytics. You can create actionable analytics that can detect new accounts in EIC and can perform actions on that for creating new account tasks for the Active Directory endpoint.
06/17/2023 11:12 AM
New account action is not supported by analytics
06/18/2023 10:24 PM
@khalidakhter @rushikeshvartak
Yes, I checked the same. I couldn't find an option to Create Account in the Action for Analytics.
06/20/2023 07:57 AM - edited 06/20/2023 10:41 AM
Sorry for the earlier suggestion; I agree that Saviynt does not support the capability to trigger a New Account task from analytics. I would recommend submitting this idea in Saviynt's Ideas portal so that it can be picked up as a future enhancement.
However, the other workaround is a slightly more complex approach, as below:
1. You need to use SavforSav to update those users' custom property for which a new account should get triggered for an endpoint.
2. Create a Technical Rule to trigger the New Account task based on the user field value.
06/20/2023 10:05 AM
This seems achievable. However, I am having a hard time configuring the Saviynt4Saviynt Connector.
I have set up the Saviynt4Saviynt DB connector. In order to modify the user's custom property, what should I use: the UpdateUserJson or MODIFYUSERDATAJSON?
Also, for the UserImport I am using the below JSON:
<dataMapping>
  <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
    <![CDATA[SELECT users.username as UName,
    users.employeeid as UEmployeeId
    from users]]>
  </sql-query>
  <importsettings>
    <zeroDayProvisioning>false</zeroDayProvisioning>
    <generateEmail>false</generateEmail>
    <userNotInFileAction>NOACTION</userNotInFileAction>
    <checkRules>true</checkRules>
    <buildUserMap>false</buildUserMap>
    <generateSystemUsername>false</generateSystemUsername>
    <userOperationsAllowed>UPDATE</userOperationsAllowed>
    <userReconcillationField>username</userReconcillationField>
  </importsettings>
  <mapper description="This is the mapping field for Saviynt Field name">
    <mapfield saviyntproperty="username" sourceproperty="UName" type="character"></mapfield>
    <mapfield saviyntproperty="employeeid" sourceproperty="UEmployeeId" type="character"></mapfield>
  </mapper>
</dataMapping>
Does this seem OK?
For MODIFYUSERDATAJSON I am using below:
{
  "ADDITIONALTABLES": {
    "USERS": "SELECT EMPLOYEEID FROM users",
    "ACCOUNTS": "SELECT ACCOUNTID FROM accounts WHERE ENDPOINTKEY = 6"
  },
  "COMPUTEDCOLUMNS": [
    "customproperty60"
  ],
  "PREPROCESSQUERIES": [
    "UPDATE NEWUSERDATA LEFT JOIN CURRENTUSERS ON NEWUSERDATA.EMPLOYEEID = CURRENTUSERS.EMPLOYEEID LEFT JOIN CURRENTACCOUNTS ON NEWUSERDATA.EMPLOYEEID = CURRENTACCOUNTS.ACCOUNTID SET NEWUSERDATA.customproperty60 = 1"
  ]
}
Can you please check the JSONs once?
Thanks.
06/20/2023 10:38 PM
Hi @SinghAtul
If I understand your requirement correctly, you're trying to set Customproperty60 for all users who don't have an account (endpointkey=6). Is that correct? If yes, please use the below query in the userimportxml and you wouldn't require the inline pre-processor. Sharing the updated XML below. Please let me know if this helps.
<dataMapping>
  <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
    <![CDATA[SELECT u.username as UName,u.employeeid as UEmployeeId,'1' as cp60 from users u where u.userkey not in (select userkey from user_accounts where accountkey in (select accountkey from accounts where endpointkey=6))]]>
  </sql-query>
  <importsettings>
    <zeroDayProvisioning>false</zeroDayProvisioning>
    <generateEmail>false</generateEmail>
    <userNotInFileAction>NOACTION</userNotInFileAction>
    <checkRules>true</checkRules>
    <buildUserMap>false</buildUserMap>
    <generateSystemUsername>false</generateSystemUsername>
    <userOperationsAllowed>UPDATE</userOperationsAllowed>
    <userReconcillationField>username</userReconcillationField>
  </importsettings>
  <mapper description="This is the mapping field for Saviynt Field name">
    <mapfield saviyntproperty="username" sourceproperty="UName" type="character"></mapfield>
    <mapfield saviyntproperty="employeeid" sourceproperty="UEmployeeId" type="character"></mapfield>
    <mapfield saviyntproperty="customproperty60" sourceproperty="cp60" type="character"></mapfield>
  </mapper>
</dataMapping>
07/04/2023 11:39 AM
Hi @naveenss ,
Thanks for the suggestion.
Is it possible to use multiple select statements in the above example?
Like:
<![CDATA[SELECT (case when a.status='1' then '1' when a.status='2' then '0' else '3' end) as cp58 from users u inner join accounts a on u.employeeid = a.accountid and a.endpointkey=6]]>
<![CDATA[SELECT (case when b.status='1' then '1' when b.status='2' then '0' else '3' end) as cp59 from users u inner join accounts b on u.employeeid = b.customproperty6 and b.endpointkey=2]]>
Thanks,
Atul Singh
07/04/2023 12:10 PM
Use union
07/05/2023 02:35 AM
Hi @SinghAtul ,
No, you cannot use multiple select statements in a single XML. As mentioned by rushikesh, you can use union and combine the results of both the queries to form one result set.