11/18/2022 02:55 PM
Hi All,
We are planning to implement service account management, and our requirement is that during creation/modification, if the service account owner himself is submitting the request, we need to skip the approval.
To pick the service account owner from the request attributes we are using a custom assignment block with the same query that is mentioned in the document https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components#WorkflowCom...
select userkey from users where FIND_IN_SET(users.userkey,(select distinct REPLACE(raa.attribute_value," ","")
from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and
ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey=${ARSREQUEST.id} and raa.ATTRIBUTE_NAME="USEROWNERKEY"))!=0
But if the owner himself is raising a request, then the approval is going to admin using the above logic. Is there any way we can handle this scenario and make it auto approve?
11/18/2022 06:32 PM
Use query from below forum
11/21/2022 07:17 AM
Thanks @rushikeshvartak for referring the thread.
From the above thread I picked this below format
com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).employeeType == 'Employee'
and modified to our requirement accordingly as below and trying to use it in if-else block
com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)
But still I believe this condition will work only if there is only one owner. What if there are multiple owners added of the same rank or of different ranks? In that case how can we handle this?
What we are trying to achieve is that we only want to auto approve the request if the Rank 1 owner is submitting the request; if any others are submitting, it still has to go through regular approval.
11/21/2022 07:46 AM
Add one more if-else block before auto approve check to check rank of requestor
11/21/2022 08:30 AM
Yeah problem is how to pull the rank of the owner? Anyway I will try to figure it out. First let me try above condition and see if that works
11/21/2022 08:54 AM
You need to use substring in that case. Column name: USERRANKJSON
11/21/2022 09:00 AM
Get Service Account Owner using Custom query
select owneruserkey as 'userkey' from accountowners where accountkey = (select distinct REPLACE(raa.attribute_value,' ','') from request_access_attrs raa, ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey =${ARSREQUEST.id} and raa.ATTRIBUTE_NAME='Accountkey') and owneruserkey is not null
11/21/2022 09:16 AM
I can use the query only if the account already exists. But during creation of the service account I need to pull USERRANKJSON data as you mentioned, but I am not sure if substring is supported in the if-else block. But I will give it a try.
Before that I am not able to use the parameter as below
com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)
Getting below error:
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - gotoapproveonly - false, leftItemlist - 0\n","stream":"stdout","time":"2022-11-21T16:58:16.292754269Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - 4c8306fd-aa6c-4346-8a50-3551f4b7f057\n","stream":"stdout","time":"2022-11-21T16:58:16.292779864Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - REMOVING Current AE - false\n","stream":"stdout","time":"2022-11-21T16:58:16.292783205Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - leftItemlist Size = 0 CurTask=Task(Manager_Approval)\n","stream":"stdout","time":"2022-11-21T16:58:16.292785712Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - Action taken on all items in request approval. proceed.\n","stream":"stdout","time":"2022-11-21T16:58:16.292788339Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - 0\n","stream":"stdout","time":"2022-11-21T16:58:16.292790925Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,298 [http-nio-8080-exec-17] DEBUG println.PrintlnToLogger - Println :: listofEntitlement new= []\n","stream":"stdout","time":"2022-11-21T16:58:16.298447634Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,300 [http-nio-8080-exec-17] DEBUG services.WorkflowService - Before Approving Task Approved By Manager_Approvaladmin curTask=Task(Manager_Approval)Params[xtaskid:1610266, xAccessApproverKey:1745898, xstatus:2, roleHistoryId:0, xcomments:, usertoapprove:admin]\n","stream":"stdout","time":"2022-11-21T16:58:16.300335329Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,307 [http-nio-8080-exec-17] DEBUG services.WorkflowService - ERROR Approving Task Approved By Manager_Approvaladmin curTask=Task(Manager_Approval)Params[xtaskid:1610266, xAccessApproverKey:1745898, xstatus:2, roleHistoryId:0, xcomments:, usertoapprove:admin]\n","stream":"stdout","time":"2022-11-21T16:58:16.308013091Z"
2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,308 [http-nio-8080-exec-17] ERROR services.WorkflowService - Error while completing task - 1610266 storing it in JBPM Retry Table\n","stream":"stdout","time":"2022-11-21T16:58:16.308915512Z"
2022-11-21T11:58:17-05:00-ecm-"log":"javax.el.PropertyNotFoundException: Cannot resolve identifier 'com'\n","stream":"stdout","time":"2022-11-21T16:58:16.308928599Z"
11/21/2022 09:22 AM
Hope you selected language as groovy (from select expression)
11/21/2022 09:43 AM
Yeah @rushikeshvartak, I did. Never mind about the above error, looks like I picked an old instance of the logs. I can confirm that the above expression is working. Let me now introduce the Rank condition and see how it works.
11/23/2022 12:04 PM
Able to achieve the requirement with the below two conditions. For my use case I used the 2nd option, which checks if the requested-by user is the Rank 1 Owner in the list of available owners.
com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)
String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USERRANKJSON')).replaceAll('"','').split(String.valueOf(requestedby.id))[1].substring(1,2)=='1'
02/27/2023 09:49 AM
Hi Saathvik.
I have a similar use case, but we are not including the rank. The workflow includes the following check:
It works for the following cases:
1. Requester == Owner AND no other owner is defined
2. Requester IS NOT Owner AND different owners are defined
It does not work for the following case:
Requester == Owner and other Owners are defined. Getting the following error:
Do you have a hint for that issue? Thanks!
02/27/2023 10:39 AM
USEROWNERKEY is a comma-separated value when you assign multiple owners. Hence the condition you have used is not working with the multiple owners use case. If you have a multiple owner use case then you have to change the logic accordingly.
Try below logic
(com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)) or (String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY')).contains(',' + String.valueOf(requestedby.id))) or (String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY')).contains( String.valueOf(requestedby.id) + ','))
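The multiple-owner case discussed above, as an added Groovy example that is not part of the thread and not Saviynt code: it compares substring matching on a comma-separated USEROWNERKEY value with exact matching on the split keys. The closure names and all user keys are constructed for illustration, and the single-owner clause of the thread's expression is modelled here as a plain key comparison.

```groovy
// Added example, not Saviynt code. Owner lists and user keys are constructed.

// Substring check in the style of the thread's expression. The single-owner
// clause (Users.get(...).username == requestedby.username) is modelled as a
// plain key comparison, which is an assumption of this sketch.
def substringMatch = { String ownerKeys, requesterId ->
    String id = String.valueOf(requesterId)
    ownerKeys == id || ownerKeys.contains(',' + id) || ownerKeys.contains(id + ',')
}

// Exact check: split the comma-separated value and compare whole keys.
def exactMatch = { String ownerKeys, requesterId ->
    ownerKeys.split(',').collect { it.trim() }.contains(String.valueOf(requesterId))
}

String owners = '1045,2071'          // constructed USEROWNERKEY with two owners

// A real owner passes both checks.
assert substringMatch(owners, 2071)
assert exactMatch(owners, 2071)

// Keys 207 and 45 are not owners, yet ',207' and '45,' occur inside the
// string, so the substring check would let them skip approval.
assert substringMatch(owners, 207)
assert substringMatch(owners, 45)
assert !exactMatch(owners, 207)
assert !exactMatch(owners, 45)

// Long.valueOf cannot parse a comma-separated value, so an expression that
// starts with Long.valueOf(USEROWNERKEY) throws before any later clause runs.
boolean threw = false
try {
    Long.valueOf(owners)
} catch (NumberFormatException e) {
    threw = true
}
assert threw

println 'substring check: 207 -> ' + substringMatch(owners, 207)
println 'exact check:     207 -> ' + exactMatch(owners, 207)
```

For an auto-approve condition, comparing whole keys avoids skipping approval for a requester whose key is only a prefix or suffix of an owner's key.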
02/27/2023 11:33 PM
Thanks for the prompt response.
Thanks for the hint, I've added the logic to the if-else block, but the error remains the same.
Any other thing I could've missed?
02/28/2023 06:33 AM
Where exactly are you getting this error? I mean, at what step are you seeing this error?
02/28/2023 06:42 AM
During the setup it is fine. I'm getting the error after I submit the request. So whenever the workflow would start. As stated, this only happens in the case, when Requester == Owner and other Owners are defined.
02/28/2023 07:09 AM
If I understand correctly, you are getting the error on the UI once you click on submit, right?
I assume the request ID is not generated as well, right?
If so, it requires more troubleshooting of why it is failing. Generally, if there is an issue with the WF you don't see any error in the UI; instead it will not generate any request ID. But your case is a little different.
So we need to analyze the logs to better understand the issue.