We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Cannot Setup Delegate via Manager SAV_ROLE

h_sapkota
Regular Contributor
Regular Contributor

Hi Team,

 

We have one requirement where Managers can setup delegate for himself only.
For this, we have used: For whom can the user setup delegate

h_sapkota_0-1706696708324.png

Now, We have provided all the access in Feature Access and Web Service Access for this Manager SAV ROLE.

h_sapkota_4-1706696902408.png               h_sapkota_3-1706696867732.png

Now, In the setup delegate page, Manager are able to see himself and select it for submitting the delegation request. But It throws Access denied error.

h_sapkota_6-1706697107179.png   h_sapkota_5-1706697023428.png

When we use ALL in For whom can the user setup delegate, It doesn't throw Access Denied error and works seamlessly.

 

 

 

 

 

9 REPLIES 9

rushikeshvartak
All-Star
All-Star

Object name is users 

select a from Users a where a.id= ${users?.id}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak ,

This issue is not with this:

Object name is users  or user
It works with both for the query: 
select a from Users a where a.id= ${users?.id}

The issue that we had is with another SAV ROLE i.e. ROLE_ENDUSER.
In this SAV ROLE, For whom can the user setup delegate should be filled with some values either ALL or the same query we are using in ROLE_MANAGER for this not to throw Access denied error.

Note: We tested this with few users who had ROLE_MANAGER and ROLE_ENDUSER sav role. And this is our findings.

Remove both feature and re add in role manager it will work


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak ,

I did multiple test for this. Re adding the feature, removing and adding all the feature access, even the API access too.
I even ran microservice job also after all the changes.

Looks like I have to give same query or any query in ROLE_ENDUSER if I want to use Query feature in ROLE_MANAGER where we are giving both sav roles to a user.

thats is not case. Its working in v23.6

rushikeshvartak_2-1706932899925.png

 

 

rushikeshvartak_1-1706932856384.png

 

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak ,

Can you try removing the query in ROLE_ENDUSER and provide both Sav ROLE (ENDUSER and MANAGER) and try to setup delegate by himself logging using the same user.
Note: ENDUSER doesn't have permission to setup delegate or any API access regarding delegation.

Since the above one is not working in 23.5. 

 

Its working as expected in 23.6 & 24.1 this seems version specific issue

and i have tested as you mentioned- if i remove condition all users are listed


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Manu269
All-Star
All-Star

validated in 23.8 and 23.11 its working as expected.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos
.

h_sapkota
Regular Contributor
Regular Contributor

Thanks @Manu269 and @rushikeshvartak for the confirmation. For now I have the work around for 23.5 Version, But I will take this up with Saviynt.