Saviynt Forums

Where is this screenshot from?

Click on help section once you open workflow wiring

Share variables fromhelp section 

entitlement.entitlementtypekey.entitlementname == 'XYZ'

this is correct variable for parllel workflow 

https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components 

This is why I'm so frustrated because the documentation seems to show this is simple, but it is not working at all. I'm going to end up having to use custom property evaluation to do this and it will be a manual task to make sure the cp's are populated correctly.

I believe it errors out because 'Roles' do not have an entitlementtypekey property.

Try this

entitlementslist.get(requestaccesskey).entitlementtypekey.entitlementname == 'Public Groups'

I assumed "Public Groups" is the name of the entitlement type of entitlements not applications role. If not then replace that with name of the entitlement type of entitlements. If it matches then route it to your entitlements logic

Yes, "Public Groups" is a simple entitlement type. The issue is that the endpoint also contains application roles. When those are requested, we get this error in the logs and the request is not submitted:

Error [22;39mjavax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles]

That is when using a simple condition in workflow:

Start > Enter Condition to make sure there actually is an owner specified for the requested entitlement:

(entitlement.ownerRank1 == null) or
(entitlement.ownerRank1.size() == 0)

If false, check to see if 'Public Groups' entitlement. Another condition:

entitlement.entitlementtypekey.entitlementname == 'Public Groups'

Workflow errors out.

Then I would suggest after start first check whether request is submitted for regualar entitlement or application role using below condition in if-else with language as groovy, Here 7 means application role, in case if you want to check if request is submitted for regular entitlement then you can change the value 2.

com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype == 7

After identifying which type of access is being requested then you can route the WF to respective logic.

Example if request is submitted for regular entitlement then you want to check if entitlement has owner or not and then send approval to owner if exists or auto approve if not.

Hi @sk,

So 2 is for Individual entitlement, 7 is for Application role. What is value we can use for Enterprise Role ?

Thanks

This is exactly what I needed and it is working. Thank you!

Hi @BrandonLucas_BF ,

I have tried to create WF as having same requirement but the condition is not working as expected. It means when we are using above given expression as groovy type in IF ELSE block. Now when I try to submit request for Individual entitlement it goes to FALSE part, also if tried for Application/Enterprise Role which still goes to FALSE part of if else block. 

-Here control is not passing to TRUE section whether request is for Individual Entitlement OR Application/Enterprise Role. We have two separate logic- 1. for Individual Entitlement and  2. For Application/Enterprise Role

Could you please try to share the screen shot of workflow you created. Also our product version is 23.1 so let me know if its okay ?

Thanks,

Amit Aware

Yes, no problem. Here is the logic we used. FYI - we are on v23.2 but this also worked on 2020.1.

For us the requirement is: first, is there an owner for the request? If not, go ahead and grant access. If there is, then do a second check to ensure it is a individual entitlement and not anything else like a role (which have owners but don't need approvals). Thus if it is an entitlement and has an owner, send for approval.

BTW - the access types are listed here now. I'm not sure if they were there when this conversation was first posted: https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter12-Workflows/Workflow-Compon...

Hi @BrandonLucas_BF ,

Thanks for the valuable information.

Actually what is happening here is that, with expression - "
(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 7" it is working fine when we are requesting single user at a time via "Request Access For Others" section in ARS for Application Role request. But same expression if we use with 'Request Access for Others-Multi User' in ARS then no request is generating when we are requesting access for Application Role for multiple users.

Please help us to understand that why value 7 is working for Application Role request via "Request Access For Others" but not for Multi user Application Role Request ?

Also, please confirm if we have to use expression -"(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 1" for Enterprise Role ?

Thanks,

Amit Aware

You may be touching on a different bug with regards to your question about multi user request submitting and not showing up in history. Tell me: when testing this process is the entitlement type being requested restricted by using an access query at the endpoint entitlement type level?

Hi @BrandonLucas_BF ,

I could see the below in access query section at endpoint level for which we are raising requests-

"where users.userkey in (select us.userkey from savroles sv join user_savroles us on sv.rolekey=us.rolekey where sv.rolename in ('ROLE_ADMIN','ROLE_UAMTEAM'))"

Does it stopping the request flow while submitting request for Application Role? please share your thoughts.

Note- Here the requestor is having ROLE_ADMIN role which is satisfying the above condition.

Thanks,

Amit Aware

This sounds very similar to a bug our organization has reported with multi-user access request not working when submitting a multi-user request for an entitlement for which the entitlement type has an access query defined. We opened ticket #1457972 on this issue and it is still open with engineering waiting on a fix. I suggest opening a case and referencing this ticket # for comparison and analysis.

Impossible to say if your issue is exactly like ours without looking in your logs. I will tell you more about our issue as reported in our ticket. Our front-end behavior is the same I think. When the request is submitted for multi-user, we receive successful submission message but it never enters request history. In the logs we consistently find an error like the following. You should check if you have the same. Even though we are *not* doing any type of CSV upload during this request, there appears to be some mechanism behind the scenes that uses the same CSV-dependent code-base for GUI-driven and import-based multi-user request:

Here is how we have set our access queries on the entitlement type in question:

The only workaround we have is to remove the access query. Very interested in what you find for similarity.

Hi @BrandonLucas_BF ,

We have below access query and not where you mentioned above-

The query for which you have share screenshot is as below in our case-

Note- In our case it is okay when we are requesting Enterprise Role requests Or Individual entitlement requests. We are facing issue with only application role. Means when we are requesting for Application role in bulk there is no request generated. And the strange thing is if we are requesting Application role for single user in ARS (i.e. not in a multi user flow) then request is generating for expression-(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 7

Thanks,

Amit Aware

It is possible that endpoint access query causes a similar issue as entitlement type access query. Do you see anything in the logs when submitting the multi-user request? In my experience I've gotten good logs around this type of issue. If it is a workflow issue you should see some type of error around when the workflow is starting in the logs, but if it is related to the access query you'll likely see an error similar to what I mentioned above.

Does multi-user request work without the workflow in place? 

@BrandonLucas_BF -

There is no any access query defined in security system, Endpoint Or at Global config level. Also, I have tried to remove the workflow and with AutoApproval we still wont be able to see request is generated for Application Role requests via Multi User tile.

Is it a Saviynt's limitation as it is failing to detect Application Role though Multi User tile. Because it is working fine if we submit a request for single user via 'Request Access For Others' section.

Also we could not see any logs related to Application Role request submission.

Thanks,

Amit Aware

Did you get clarity on if this is supported? I don't have the answer.