10/10/2022 11:27 AM
Saviynt provides example JSON syntax for granting entitlements using GrantAccessJSON:
{
"ENTITLEMENT_TYPE1" : [
"INSERT INTO USER_SAVROLES(USERKEY,ROLEKEY) VALUES(${user.id},1)" ,
" call testproc()"
],
"ENTITLEMENT_TYPE2" : [
"sdfds"
]
}
Using this as a guide, I am able to grant users an entitlement associated with the entitlement type I specify in the beginning of the statement. This works as long as there is only one entitlement associated with the entitlement type. However, I would like to associate multiple entitlements with the same entitlement type and each one requires a different action to be performed on the DB.
Are there any examples out there I can leverage that can show me how I can accomplish this?
10/10/2022 12:03 PM - edited 10/10/2022 12:07 PM
You can write your logic in if... else if .... else
{
"Role": [
"${if(task.entitlement_valueKey.entitlement_value!=null){'GRANT '+task.entitlement_valueKey.entitlement_value+' TO '+accountName+' '} else {'REVOKE '+task.entitlement_valueKey.entitlement_value+' TO '+accountName+''}}"
]
}
10/11/2022 06:56 AM
Hello @mtorres,
When you configure Saviynt4Saviynt, you end up with multiple entitlement types in the Grant Access or Revoke Access JSON. Here's a sample on how to use multiple entitlementTypes in a DB Connection.
{
"SAVRole":["Insert into user_savroles(USERKEY, ROLEKEY,UPDATEDATE,UPDATEUSER) VALUES (${user.id},(select rolekey from savroles where rolename= '${task.entitlement_valueKey.entitlement_value}'),utc_timestamp(),(select userkey from users where username = 'admin'))"],
"UserGroup":["Insert into usergroup_users(USERKEY,USER_GROUPKEY,UPDATEDATE,UPDATEUSER) VALUES (${user.id},(select USERGROUPKEY from user_groups where USER_GROUPNAME= '${task.entitlement_valueKey.entitlement_value}'),utc_timestamp(),(select userkey from users where username = 'admin'))"]
}
10/11/2022 07:50 AM
Thank you for the responses.
In my particular use case, I am performing database inserts on an external SQL database (Not Saviynt DB).
I have one entitlement type called Role for this particular endpoint. I also have multiple entitlements associated with the entitlement type. For example, let's say I have "Admin" and "Standard User".
Each entitlement requires that we insert different values into the DB. For example, if a user is granted the "Admin" entitlement, I will insert a value of 1 into column A. For "Standard User", a value of 2 will be inserted to column A instead.
Something like this worked with me when I only had the Admin entitlement associated with the Role type:
{
"Role": [
"INSERT INTO Testdatabase (columnA) VALUES (1)"
]
}
I'll need to add the insert logic for the "Standard User" entitlement but I don't know how to instruct Saviynt on which logic to use for each entitlement from a syntax perspective. If "Standard User" was associated with a completely different entitlement type (Role2), I could easily just add something like this but I want to avoid creating multiple entitlement types.
{
"Role": [
"INSERT INTO Testdatabase (columnA) VALUES (1)"
],
"Role2": [
"INSERT INTO Testdatabase (columnA) VALUES (2)"
]
}
10/11/2022 08:35 AM
{
"Role": [
"${if(task.entitlement_valueKey.entitlement_value.equalsIgnoreCase('Admin')){'GRANT '+task.entitlement_valueKey.entitlement_value+' TO '+accountName+' '} else if (task.entitlement_valueKey.entitlement_value.equalsIgnoreCase('Standard User')) {'GRANT '+task.entitlement_valueKey.entitlement_value+' TO '+accountName+''}else {'REVOKE '+task.entitlement_valueKey.entitlement_value+' TO '+accountName+''}}"
]
}
10/11/2022 10:12 AM
Thank you Rushikesh.
I'll give this a shot.
I'm assuming I can work in the database insert or update commands within those statements as well.
10/11/2022 10:28 AM
Yes, you can.
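A pre-deployment check for GrantAccessJSON-style templates like the ones in this thread, as an added example that is not part of the original posts and is not Saviynt code: it flags statements whose `${...}` expression has unpaired brackets, and statements that place a binding directly inside a quoted SQL literal so they can be reviewed. The function names, finding labels and sample statements are hypothetical, and treating a quoted binding as review-worthy assumes the value is substituted as plain text before the statement reaches the database.

```python
import json
import re

# Constructed sample in the style of the thread's GrantAccessJSON; table and
# column names come from the posts, the statements themselves are made up.
SAMPLE = json.dumps({
    "Role": [
        "${if(task.entitlement_valueKey.entitlement_value.equalsIgnoreCase('Admin'))"
        "{'INSERT INTO Testdatabase (columnA) VALUES (1)'} else "
        "{'INSERT INTO Testdatabase (columnA) VALUES (2)'}}",
        # Missing ')' after equalsIgnoreCase('Admin') -- should be flagged.
        "${if(task.entitlement_valueKey.entitlement_value.equalsIgnoreCase('Admin')"
        "{'INSERT INTO Testdatabase (columnA) VALUES (1)'}}",
    ],
    "SAVRole": [
        # Binding dropped straight into a quoted SQL literal -- should be flagged.
        "SELECT rolekey FROM savroles WHERE rolename = "
        "'${task.entitlement_valueKey.entitlement_value}'",
    ],
})

PAIRS = {")": "(", "}": "{"}
QUOTED_BINDING = re.compile(r"'\$\{[^{}']+\}'")

def unbalanced(stmt):
    """True if () or {} outside single-quoted literals do not pair up."""
    stack, in_quote = [], False
    for ch in stmt:
        if ch == "'":
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch in "({":
            stack.append(ch)
        elif ch in PAIRS:
            if not stack or stack.pop() != PAIRS[ch]:
                return True
    return in_quote or bool(stack)

def lint(doc):
    """Return (entitlement_type, index, finding) for each suspect statement."""
    findings = []
    for ent_type, statements in json.loads(doc).items():
        for i, stmt in enumerate(statements):
            if unbalanced(stmt):
                findings.append((ent_type, i, "unbalanced-brackets"))
            if QUOTED_BINDING.search(stmt):
                findings.append((ent_type, i, "binding-in-sql-literal"))
    return findings
```

Calling `lint(SAMPLE)` returns one finding for the second `Role` statement and one for the `SAVRole` statement; the first `Role` statement, which maps each entitlement to a fixed literal, passes both checks.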