Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

'Add Access' tasks for Entitlements not generated on Bulk CSV import of Role to User Association

ReshamDas
New Contributor II
New Contributor II

Hi,

We are trying to bulk import users to enterprise roles using the .csv import 'Upload Role Association' feature on Identity Repository > Roles page. PFA Role_User_Association_Import_TEST_1.csv for the CSV file used in this import, and Role-Entitlement Association.png for the role-to-entitlement mapping for the role on which user is attempted to be mapped in bulk.

On import, the tasks for 'Add Access' to the entitlements underlying the role (and 'New Account' task in case user does not have account for the particular endpoint to which the entitlements are associated), are not getting generated. As a result of this issue, users in the CSV file are not getting mapped to the underlying entitlements (PFA User_Not_Mapped_To_Underlying_Entitlement.png), but they are getting mapped to the role directly, as they are displayed in the 'Users' tab inside the said role (PFA User_Mapped_To_Role.png).

When we do manual 'Add User' on the same enterprise role, it is working fine, with creation of tasks for mapping of entitlements to the user accounts executed first, and only on completion of all those tasks, the user is getting mapped to the role. However, as explained above, this flow does not work on the bulk csv import process in our environment.

Kindly suggest.

Regards,

Resham Das

15 REPLIES 15

pmahalle
All-Star
All-Star

Hi @ReshamDas 

What type of Role you are uploading through CSV? If it's application role, follow below process:

Do not associate roles to user using CSV which will not retrofit the roles, so not add assignedfromrole and assignedfromroles  columns in account_entitlments1.

Instead of that, use bulk upload option using below steps.

1. Navigate to Request Home --> Request Access for Others - Multi Users -->Actions -->Bulk Upload Request.

2. Browse and attach the excel file

3. Select "What type of request do you want to upload?" : Access

4. Click Run Now.

Note: I have attached the sample file here, update with your details and don't change the format while saving.

pmahalle_0-1690210709741.png

 

 


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help other who may have a same problem. Give Kudos 🙂

ReshamDas
New Contributor II
New Contributor II

Hi @pmahalle,

We are using enterprise roles with entitlements embedded from multiple endpoints. Kindly suggest.

@ReshamDas , Enterprise role assignment is not supported using above mentioned approach.

Can you try with addrole API:

{{url}}/ECM/{{path}}/addrole

Refer:

https://documenter.getpostman.com/view/1797923/RWaLwo21#140feb81-cc65-4090-baf0-66af64b0c895


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help other who may have a same problem. Give Kudos 🙂

ReshamDas
New Contributor II
New Contributor II

Hi @pmahalle,

The 'Add Role' API is working fine, generating the desired tasks for underlying entitlement association for the one user-to-role map data passed in the JSON. Kindly suggest how this can be used for bulk user-to-role mapping (Eg.:- 500+ user-to-role data).

Hi @ReshamDas ,

You can create utility using java code to execute the same for all the users.

You can iterate api for all user as required.


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help other who may have a same problem. Give Kudos 🙂

naveenss
All-Star
All-Star

@ReshamDas for bulk user assignment you can use "request access for other-multi user" feature to upload the file with user-role mapping. 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

ReshamDas
New Contributor II
New Contributor II

Hi @naveenss,

I tried the process 'Request Access for Others - Multi User' feature for role request as per steps mentioned in the documentation here (Section: Procedure for Requesting for Access or Roles). PFA the .xls file containing the user-role mapping data that was uploaded, and the Bulk_Request_Final_Step_Message.png file that shows the message I am getting after upload.

However, the user-to-role map data uploaded in this .xls file neither gets reflected in the Roles page, nor any tasks are created for underlying entitlement mapping for these users.

@ReshamDas looks like the xls file you have used is incorrect. Can you please try with the attached format?

Also, please make sure you have attached the workflow (preferably the auto approval workflow) under Global configurations > Request > Bulk > Auto Approve Workflow for Multiuser request upload

 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

ReshamDas
New Contributor II
New Contributor II

Hi @naveenss,

Thank you for the solution provided. The auto approval workflow on Global configurations > Request > Bulk > Auto Approve Workflow for Multiuser request upload was not enabled, hence the tasks were not getting created post Excel upload from ARS Multi User Access Request page.

Once I enabled it from Global Configuration, it worked perfectly, triggering entitlement add tasks, completing which added the user to the role.

Thank you @rushikeshvartak for confirming that user-to-role association does not work properly from the Admin (Roles) page on bulk csv import. As per guidance of Naveen, I have been able to achieve the goal using ARS Multi User File Upload.

@ReshamDas Uploading via Admin for role user mapping for enterprise roles does not works as expected.

https://ideas.saviynt.com/ideas/EIC-I-4841

As a alternative, you need to raise request from ARS - Multi User File Upload for role


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

timchengappa
Saviynt Employee
Saviynt Employee

Hi @ReshamDas @pmahalle 

Please refer to my comment in the post below...
With the "upload Role Associations" functionality, tasks are getting created as expected(tasks with the status "No Action Required" in case the entitlements in the role are already assigned to an account. The 'AssignedFromRoles' column in the 'account_entitlements1'  table is also populated with the respective role keys...You can also find a sample .csv file in my response as well...

https://forums.saviynt.com/t5/identity-governance/repair-role-retrofit-to-user-mapping-feature-not-u...

Hi @rushikeshvartak 
Are you facing any challenges specifically if the 'accountkey' is not populated in the 'role_user_account' table? I tested removing a role and 'remove access' tasks are also being created as expected for all the entitlements in the role.

Refer : https://saviynt.freshdesk.com/support/tickets/1636095


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @timchengappa,

I attempted to import the role-user association data through "Upload Role Associations" with the attached csv file, in lines to the sample file you shared in your comment.

However, even after importing it, the tasks for entitlement add was not created in 'Pending Tasks' or ' Completed Tasks'. Just the user got mapped to the role.

timchengappa
Saviynt Employee
Saviynt Employee

Thanks for the validation @ReshamDas.

In your case, did the user already have an account in each of the endpoints prior to uploading the roles? (accounts in endpoints from which each of the entitlements in the role are defined)

Hi @timchengappa,

Yes, the user already had accounts in each endpoints prior to uploading the roles. PFA Bulk_User_Role_Association_User_Accounts.png that displays all the roles this REST_Test_1 user has currently. However, PFA Bulk_User_Role_Association_User_Account_Entitlements.png that shows that none of these accounts are mapped to the corresponding entitlements that was mentioned and uploaded through the attached .csv file (PFA Role_User_Association_import_TEST_3.csv).