
Auto approve if service account owner is submitting a request either for creation or modification

Saathvik (All-Star)

Hi All,

We are planning to implement service account management, and our requirement is that during creation/modification, if the service account owner himself is submitting the request, we need to skip the approval.

To pick the service account owner from request attributes we are using custom assignment block and using the same query which is mentioned in document https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components#WorkflowCom...

select userkey from users where FIND_IN_SET(users.userkey,(select distinct REPLACE(raa.attribute_value," ","")
from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and
ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey=${ARSREQUEST.id} and raa.ATTRIBUTE_NAME="USEROWNERKEY"))!=0

But if the owner himself is raising a request, then with the above logic the approval goes to admin. Is there any way we can handle this scenario and make it auto approve?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

rushikeshvartak (All-Star)

Use query from below forum

https://forums.saviynt.com/t5/application-access-governance/service-account-integration-queries/m-p/...


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Saathvik (All-Star)

Thanks @rushikeshvartak for referring the thread.

From the above thread I picked the below format

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).employeeType == 'Employee'

and modified it to our requirement as below, and am trying to use it in the if-else block

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)

But still I believe this condition will work only if there is a single owner. What if there are multiple owners added, of the same rank or of different ranks? In that case, how can we handle this?

What we are trying to achieve is that we only want to auto approve the request if the Rank 1 owner is submitting it; if anyone else is submitting it, it still has to go through regular approval.


Regards,
Saathvik

Add one more if-else block before the auto approve check to check the rank of the requestor


Regards,
Rushikesh Vartak

Yeah, the problem is how to pull the rank of the owner. Anyway, I will try to figure it out. First let me try the above condition and see if that works.


Regards,
Saathvik

You need to use substring in that case; column name: USERRANKJSON


Regards,
Rushikesh Vartak

Get Service Account Owner using Custom query

select owneruserkey as 'userkey' from accountowners where accountkey = (select distinct REPLACE(raa.attribute_value,' ','') from request_access_attrs raa, ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey =${ARSREQUEST.id} and raa.ATTRIBUTE_NAME='Accountkey') and owneruserkey is not null


Regards,
Rushikesh Vartak

I can use the query only if the account already exists. But during creation of a service account I need to pull the USERRANKJSON data as you mentioned, and I am not sure if substring is supported in the if-else block. But I will give it a try.

Before that, I am not able to use the parameter as below

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)

Getting the below error:

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - gotoapproveonly - false, leftItemlist - 0\n","stream":"stdout","time":"2022-11-21T16:58:16.292754269Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - 4c8306fd-aa6c-4346-8a50-3551f4b7f057\n","stream":"stdout","time":"2022-11-21T16:58:16.292779864Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - REMOVING Current AE - false\n","stream":"stdout","time":"2022-11-21T16:58:16.292783205Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - leftItemlist Size = 0 CurTask=Task(Manager_Approval)\n","stream":"stdout","time":"2022-11-21T16:58:16.292785712Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - Action taken on all items in request approval. proceed.\n","stream":"stdout","time":"2022-11-21T16:58:16.292788339Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,292 [http-nio-8080-exec-17] DEBUG services.WorkflowService - 0\n","stream":"stdout","time":"2022-11-21T16:58:16.292790925Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,298 [http-nio-8080-exec-17] DEBUG println.PrintlnToLogger - Println :: listofEntitlement new= []\n","stream":"stdout","time":"2022-11-21T16:58:16.298447634Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,300 [http-nio-8080-exec-17] DEBUG services.WorkflowService - Before Approving Task Approved By Manager_Approvaladmin curTask=Task(Manager_Approval)Params[xtaskid:1610266, xAccessApproverKey:1745898, xstatus:2, roleHistoryId:0, xcomments:, usertoapprove:admin]\n","stream":"stdout","time":"2022-11-21T16:58:16.300335329Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,307 [http-nio-8080-exec-17] DEBUG services.WorkflowService - ERROR Approving Task Approved By Manager_Approvaladmin curTask=Task(Manager_Approval)Params[xtaskid:1610266, xAccessApproverKey:1745898, xstatus:2, roleHistoryId:0, xcomments:, usertoapprove:admin]\n","stream":"stdout","time":"2022-11-21T16:58:16.308013091Z"

2022-11-21T11:58:17-05:00-ecm-"log":"2022-11-21 16:58:16,308 [http-nio-8080-exec-17] ERROR services.WorkflowService - Error while completing task - 1610266 storing it in JBPM Retry Table\n","stream":"stdout","time":"2022-11-21T16:58:16.308915512Z"

2022-11-21T11:58:17-05:00-ecm-"log":"javax.el.PropertyNotFoundException: Cannot resolve identifier 'com'\n","stream":"stdout","time":"2022-11-21T16:58:16.308928599Z"

Attached full logs

Regards,
Saathvik

Hope you selected the language as groovy (from select expression)


Regards,
Rushikesh Vartak

Yeah @rushikeshvartak, I did. Never mind about the above error; it looks like I picked an old instance of the logs. I can confirm that the above expression is working. Let me now introduce the Rank condition and see how it works.


Regards,
Saathvik

Saathvik (All-Star)

Able to achieve the requirement with the below two conditions. For my use case I used the 2nd option, which checks whether the requesting user is the Rank 1 Owner in the list of available owners.

com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)

String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USERRANKJSON')).replaceAll('"','').split(String.valueOf(requestedby.id))[1].substring(1,2)=='1'


Regards,
Saathvik

Alex (Regular Contributor)

Hi Saathvik.

I have a similar use case, but we are not including the rank. The workflow includes the following check:

[screenshot Alex_0-1677519936688.png: the workflow check; image not available]

It works for the following cases:

1. Requester == Owner AND no other owner is defined
2. Requester IS NOT Owner AND different owners are defined

It does not work for the following case:
Requester == Owner AND other Owners are defined. Getting the following error:

[screenshot Alex_3-1677520169724.png: the error shown on submit; image not available]

Do you have a hint for that issue? Thanks!

USEROWNERKEY is a comma separated value when you assign multiple owners. Hence it is not working for the multiple owners use case with the condition you have used. If you have a multiple owner use case then you have to change the logic accordingly.

Try the below logic

(com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username == (requestedby.username)) or (String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY')).contains(',' + String.valueOf(requestedby.id))) or (String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY')).contains( String.valueOf(requestedby.id) + ','))


Regards,
Saathvik
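Both the Rank 1 check from the earlier reply and the comma-separated USEROWNERKEY check above rely on string slicing, and that is what decides whether the request lands in the auto-approve branch: contains(id + ',') also accepts a requester whose user key is a trailing substring of another owner's key, and substring(1,2) reads only one digit of the rank. The following is an added Groovy example, not Saviynt's code and not anything posted in this thread. It assumes USEROWNERKEY is a comma-separated list of user keys and USERRANKJSON is a JSON object mapping user key to rank, both as strings (inferred from the posted expressions, so verify the real format on your instance); the method names and sample values are constructed for illustration.

```groovy
// Added example, not Saviynt code. Exact-token owner matching and JSON-based
// rank lookup for the auto-approve decision discussed in this thread.
import groovy.json.JsonSlurper

// Exact-match membership: split on commas, trim, compare whole tokens.
// A plain contains(id + ',') check would also accept key 5898 against
// "1745898,..." because it only looks at a suffix of the string.
boolean isOwner(String userOwnerKey, Object requesterId) {
    if (!userOwnerKey) return false
    String id = String.valueOf(requesterId).trim()
    return userOwnerKey.split(',').collect { it.trim() }.any { it == id }
}

// Rank lookup by parsing the JSON instead of substring slicing, so ranks
// with two digits ("10") and keys that are substrings of other keys work.
// Assumes USERRANKJSON looks like {"<userkey>":"<rank>", ...}.
Integer ownerRank(String userRankJson, Object requesterId) {
    if (!userRankJson) return null
    def ranks = new JsonSlurper().parseText(userRankJson)
    def value = ranks[String.valueOf(requesterId)]
    return value == null ? null : (value as String).toInteger()
}

// Auto-approve only when the requester is listed as an owner AND holds rank 1.
boolean isRank1Owner(String userOwnerKey, String userRankJson, Object requesterId) {
    return isOwner(userOwnerKey, requesterId) && ownerRank(userRankJson, requesterId) == 1
}

// Constructed sample values (not taken from a real request).
def owners   = '1745898, 5898,42'
def rankJson = '{"1745898":"1","5898":"2","42":"10"}'

assert isOwner(owners, 1745898)
assert isOwner(owners, 5898)
assert !isOwner(owners, 898)                 // suffix of 1745898, not an owner
assert '1745898,5898,42'.contains('898,')    // the suffix-based check would accept 898
assert ownerRank(rankJson, 42) == 10
assert isRank1Owner(owners, rankJson, 1745898)
assert !isRank1Owner(owners, rankJson, 5898)  // owner, but rank 2: regular approval
assert !isRank1Owner(owners, rankJson, 99999) // not an owner at all
println "owner/rank checks passed"
```

If the if-else block accepts only a single expression rather than method definitions, the membership part can be written inline as `String.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY')).split(',')*.trim().contains(String.valueOf(requestedby.id))`; the exact token comparison is what keeps a non-owner from reaching the auto-approve branch.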

Alex (Regular Contributor)

Thanks for the prompt response.

Thanks for the hint. I've added the logic to the if-else block, but the error remains the same.
Is there any other thing I could've missed?

Where exactly are you getting this error? I mean, at what step are you seeing this error?


Regards,
Saathvik

Alex (Regular Contributor)

During the setup it is fine. I'm getting the error after I submit the request, so whenever the workflow would start. As stated, this only happens in the case when Requester == Owner and other Owners are defined.

If I understand correctly, you are getting the error on the UI once you click on submit, right?

I assume the request ID is not generated as well, right?

If so, it requires more troubleshooting as to why it is failing. Generally, if there is an issue with the WF you don't see any error in the UI; instead it will not generate any request ID. But your case is a little different.

So we need to analyze the logs to better understand the issue.


Regards,
Saathvik