
createrequest via the API for adding user to roles

navneetv
Regular Contributor II

Hi Team,

I am encountering a 400 error unauthorized when attempting to call the API for adding a user to a role. However, I am able to successfully call other APIs. This is the first time I have used a role request. We have a use case where we need to add a user to Bulk AD groups via the API. I have created a role and added all the necessary groups. I expected this to generate the ADD Access for entitlement for the requestable user.

navneetv_0-1713890202775.png

 

OTHER API call is working. 

navneetv_1-1713890248275.png

 

 

17 REPLIES

PremMahadikar
All-Star

Hi @navneetv ,

The requesting/provisioning experience will be the same for both UI and API. It will for sure generate add access for entitlement.

I believe you have added the necessary access permission to make this API call. For the rest, I can only think of another permission needed to request the role.

Please check all the below are configured:

  1. Make sure the created role has at least one entitlement assigned
  2. If there is a role filter query configured at Global Configurations->Role Request, please remove it
  3. Workflow is defined in global configuration (Under global config - Roles)

     PremMahadikar_0-1713895047085.png

  4. Role is set 'True' for requestable

     PremMahadikar_1-1713895167723.png

Note: You can also cross verify requesting from UI

 

If you find the above response useful, Kindly Mark it as Accept As Solution and hit Kudos

rushikeshvartak
All-Star

Please check show All in ROLE_ADMIN is defined as All Roles

 

rushikeshvartak_0-1713928383659.png

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

navneetv
Regular Contributor II

@rushikeshvartak What exactly does this option or function do if I select all in show roles?

@navneetv ,

PremMahadikar_0-1713940673733.png

I don't think this would help here. 

Did you check all the configurations mentioned above? We have been using the createrequest API to add users to roles in PROD (currently live) for a long time, and we haven't faced any issues.

navneetv
Regular Contributor II

@PremMahadikar  I checked after making the changes to the global configuration along with the requestable role marked true, but I am still encountering the same error. How can I confirm if the permissions are properly set up for my account? I can generate the Add task with the entitlement request, but when I attempt to call the role request API, I receive a 400 error.

navneetv_3-1713942323646.png

 

 

navneetv_5-1713942498744.png

 

 

 

 

navneetv_1-1713941770717.png

 

@navneetv ,

A few more checks:

  1. Did you try requesting the role from the UI? (If it errored, can you pass logs when you do this?)
  2. Endpoint on add user to role as v5? https://ssm-XYZ.saviyntcloud.com/ECM/api/v5/createrequest
  3. SAV role web service access

     PremMahadikar_0-1713944403118.png

 

navneetv
Regular Contributor II

Hi @PremMahadikar  @rushikeshvartak 

I would like to know if I can use the roles feature to add an Active Directory account to multiple AD groups through an API call. This is my first time using the roles feature, so I'm not sure if it can accomplish my use case.

I tried using the GUI and the request was auto-approved as expected. However, the Add access task was not generated for AD.

 

navneetv_0-1713960345046.png

 

You can add

  • task not generated - please check request option is none(create task) under endpoint. - ent type

Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

@rushikeshvartak Table is already selected in request option in Ent Type

 

navneetv_0-1713966027779.png

 

Are there any existing tasks open?


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

No task was generated for the user.

navneetv
Regular Contributor II

@rushikeshvartak No task was generated for the user. I configured the role. Is there any additional step that needs to be performed to make the role requestable?

navneetv_0-1714023386368.png

 

Enterprise role should not be tagged to endpoint


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

@PremMahadikar  All permissions look good. I have the sav_admin role and I am able to generate the add task for entitlement, but it failed for the role.

navneetv
Regular Contributor II

@rushikeshvartak Is there any way to add users to a bulk Active Directory (AD) group using an API request?

I thought we could use roles, and roles can be requested via the API. Add access tasks would be granted for groups that are added to the role.

Use multi user bulk file upload for roles / entitlement


Regards,
Rushikesh Vartak

navneetv
Regular Contributor II

@rushikeshvartak 

We are using the FreshService workflow to send an API call to Saviynt as per the FS request. If there is a request to add users to all 6 groups based on their department, we need to make one API call to Saviynt to add the users to the bulk AD group.
We can use the ENTITLEMENT request to add all entitlements in a single body, but since we have many bulk groups that need to be added based on department, using the ENTITLEMENT request will require handling lots of logic and API calls in the FS workflow, which can cause performance issues in the workflow.

Therefore, I was looking for a role-based solution where they can send one call and generate the add access for AD groups, which are added to the role.