10/13/2022 11:52 AM
I have a workflow requirement for an endpoint that includes entitlement types that include both individual entitlements as well as Saviynt application roles. Some of the entitlements have owners but most do not. Almost all of the roles have role owners.
Our first requirement is to route requests for individual entitlements to approvers when an owner is specified. I implemented this requirement with the following IF-ELSE block:
If there is no Rank1 owner, bypass the approval request.
However, this is routing requests for approval when they are for Application Roles also. How can I first detect whether or not the request is for an individual entitlement or an application role before sending it to the IF-ELSE block above?
It is not clear what in this article would accomplish this. I've tried many options and nothing works:
https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components
10/25/2022 01:36 PM
use entitlementtype object
11/14/2022 12:28 PM
Where is this screenshot from?
11/15/2022 12:43 PM
I have tried using the following and it doesn't seem to work:
When submitting requests with this workflow active, the request never enters request history.
11/15/2022 05:26 PM
Click on help section once you open workflow wiring
12/09/2022 02:08 PM
Sorry so slow to return to this thread.. keep working on this issue as I have time. Unfortunately, this is still not working for me.
When testing this, we end up with an error in logs like this:
2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger - Println :: | Error javax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles]
2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger - Println :: | Error at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:260)
2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger - Println :: |
12/09/2022 02:09 PM
Share variables from help section
12/09/2022 02:12 PM
entitlement.entitlementtypekey.entitlementname == 'XYZ'
This is the correct variable for parallel workflow.
https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components
12/09/2022 02:23 PM
This is why I'm so frustrated because the documentation seems to show this is simple, but it is not working at all. I'm going to end up having to use custom property evaluation to do this and it will be a manual task to make sure the cp's are populated correctly.
12/09/2022 02:31 PM
I believe it errors out because 'Roles' do not have an entitlementtypekey property.
12/09/2022 02:40 PM
Try this
entitlementslist.get(requestaccesskey).entitlementtypekey.entitlementname == 'Public Groups'
12/09/2022 03:44 PM
I assumed "Public Groups" is the name of the entitlement type of entitlements not applications role. If not then replace that with name of the entitlement type of entitlements. If it matches then route it to your entitlements logic
12/12/2022 06:32 AM
Yes, "Public Groups" is a simple entitlement type. The issue is that the endpoint also contains application roles. When those are requested, we get this error in the logs and the request is not submitted:
Error javax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles]
That is when using a simple condition in workflow:
Start > Enter Condition to make sure there actually is an owner specified for the requested entitlement:
(entitlement.ownerRank1 == null) or
(entitlement.ownerRank1.size() == 0)
If false, check to see if 'Public Groups' entitlement. Another condition:
entitlement.entitlementtypekey.entitlementname == 'Public Groups'
Workflow errors out.
12/12/2022 06:44 AM
Then I would suggest that after start you first check whether the request is submitted for a regular entitlement or an application role, using the condition below in an if-else with language as groovy. Here 7 means application role; in case you want to check if the request is submitted for a regular entitlement, then you can change the value to 2.
com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype == 7
After identifying which type of access is being requested then you can route the WF to respective logic.
Example if request is submitted for regular entitlement then you want to check if entitlement has owner or not and then send approval to owner if exists or auto approve if not.
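The type-first routing described in this reply, as an added Groovy example that is not part of the original post and is not Saviynt code. The classes are stand-ins, the branch labels and sample values are hypothetical, and only the access type values 2 and 7 come from the thread; plain Groovy raises MissingPropertyException where the workflow's EL engine logged PropertyNotFoundException.

```groovy
// Stand-in classes for illustration only; these are NOT Saviynt's domain classes.
class EntitlementType { String entitlementname }
class EntitlementValue {              // plays the part of an individual entitlement
    EntitlementType entitlementtypekey
    List ownerRank1 = []
}
class Role {                          // like domain.Roles in the log: no entitlementtypekey
    String rolename
    List ownerRank1 = []
}
class RequestAccess { int accesstype; Object requested }

// Access type values as given in the thread.
final int ENTITLEMENT = 2
final int APPLICATION_ROLE = 7

// Unguarded condition from the failing workflow: dereferences entitlementtypekey
// whatever kind of object was requested.
def unguarded = { RequestAccess ra ->
    ra.requested.entitlementtypekey.entitlementname == 'Public Groups'
}

// Guarded routing: decide on accesstype first, then read entitlement-only data.
// The returned labels are hypothetical names for the workflow branches.
def route = { RequestAccess ra ->
    if (ra.accesstype == APPLICATION_ROLE) return 'ROLE_LOGIC'
    if (ra.accesstype != ENTITLEMENT) return 'UNHANDLED_TYPE'
    def owners = ra.requested.ownerRank1
    return owners ? 'OWNER_APPROVAL' : 'AUTO_APPROVE'   // null or empty list means no owner
}

// Constructed sample requests.
def type = new EntitlementType(entitlementname: 'Public Groups')
def owned = new RequestAccess(accesstype: ENTITLEMENT,
        requested: new EntitlementValue(entitlementtypekey: type, ownerRank1: ['jdoe']))
def unowned = new RequestAccess(accesstype: ENTITLEMENT,
        requested: new EntitlementValue(entitlementtypekey: type))
def roleReq = new RequestAccess(accesstype: APPLICATION_ROLE,
        requested: new Role(rolename: 'Sample App Role', ownerRank1: ['asmith']))

assert route(owned) == 'OWNER_APPROVAL'
assert route(unowned) == 'AUTO_APPROVE'
assert route(roleReq) == 'ROLE_LOGIC'        // role has an owner, yet no approval step
assert route(new RequestAccess(accesstype: 0)) == 'UNHANDLED_TYPE'

// The unguarded condition fails on the role request instead of evaluating to false.
def failed = false
try { unguarded(roleReq) } catch (MissingPropertyException e) { failed = true }
assert failed
```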
04/11/2023 05:35 AM
Hi @Saathvik,
So 2 is for Individual entitlement, 7 is for Application role. What is value we can use for Enterprise Role ?
Thanks
12/09/2022 03:53 PM
In case if you want to check request is submitted for Application roles then try this condition
com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype == 7 in if else block with language as groovy
12/12/2022 08:47 AM
This is exactly what I needed and it is working. Thank you!
04/12/2023 10:06 PM
Hi @BrandonLucas_BF ,
I have tried to create WF as having same requirement but the condition is not working as expected. It means when we are using above given expression as groovy type in IF ELSE block. Now when I try to submit request for Individual entitlement it goes to FALSE part, also if tried for Application/Enterprise Role which still goes to FALSE part of if else block.
-Here control is not passing to TRUE section whether request is for Individual Entitlement OR Application/Enterprise Role. We have two separate logic- 1. for Individual Entitlement and 2. For Application/Enterprise Role
Could you please try to share the screen shot of workflow you created. Also our product version is 23.1 so let me know if its okay ?
Thanks,
Amit Aware
04/13/2023 06:09 AM
Yes, no problem. Here is the logic we used. FYI - we are on v23.2 but this also worked on 2020.1.
For us the requirement is: first, is there an owner for the request? If not, go ahead and grant access. If there is, then do a second check to ensure it is a individual entitlement and not anything else like a role (which have owners but don't need approvals). Thus if it is an entitlement and has an owner, send for approval.
BTW - the access types are listed here now. I'm not sure if they were there when this conversation was first posted: https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter12-Workflows/Workflow-Compon...
04/13/2023 10:21 AM
Hi @BrandonLucas_BF ,
Thanks for the valuable information.
Actually what is happening here is that, with expression - "(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 7" it is working fine when we are requesting single user at a time via "Request Access For Others" section in ARS for Application Role request. But same expression if we use with 'Request Access for Others-Multi User' in ARS then no request is generating when we are requesting access for Application Role for multiple users.
Please help us to understand that why value 7 is working for Application Role request via "Request Access For Others" but not for Multi user Application Role Request ?
Also, please confirm if we have to use expression -"(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 1" for Enterprise Role ?
Thanks,
Amit Aware
04/13/2023 11:20 AM
You may be touching on a different bug with regards to your question about multi user request submitting and not showing up in history. Tell me: when testing this process is the entitlement type being requested restricted by using an access query at the endpoint entitlement type level?
04/13/2023 11:12 PM
Hi @BrandonLucas_BF ,
I could see the below in access query section at endpoint level for which we are raising requests-
"where users.userkey in (select us.userkey from savroles sv join user_savroles us on sv.rolekey=us.rolekey where sv.rolename in ('ROLE_ADMIN','ROLE_UAMTEAM'))"
Does it stopping the request flow while submitting request for Application Role? please share your thoughts.
Note- Here the requestor is having ROLE_ADMIN role which is satisfying the above condition.
Thanks,
Amit Aware
04/14/2023 07:12 AM
This sounds very similar to a bug our organization has reported with multi-user access request not working when submitting a multi-user request for an entitlement for which the entitlement type has an access query defined. We opened ticket #1457972 on this issue and it is still open with engineering waiting on a fix. I suggest opening a case and referencing this ticket # for comparison and analysis.
Impossible to say if your issue is exactly like ours without looking in your logs. I will tell you more about our issue as reported in our ticket. Our front-end behavior is the same I think. When the request is submitted for multi-user, we receive successful submission message but it never enters request history. In the logs we consistently find an error like the following. You should check if you have the same. Even though we are *not* doing any type of CSV upload during this request, there appears to be some mechanism behind the scenes that uses the same CSV-dependent code-base for GUI-driven and import-based multi-user request:
Here is how we have set our access queries on the entitlement type in question:
The only workaround we have is to remove the access query. Very interested in what you find for similarity.
04/16/2023 11:40 PM
Hi @BrandonLucas_BF ,
We have below access query and not where you mentioned above-
The query for which you have share screenshot is as below in our case-
Note- In our case it is okay when we are requesting Enterprise Role requests Or Individual entitlement requests. We are facing issue with only application role. Means when we are requesting for Application role in bulk there is no request generated. And the strange thing is if we are requesting Application role for single user in ARS (i.e. not in a multi user flow) then request is generating for expression-(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 7
Thanks,
Amit Aware
04/17/2023 05:52 AM - edited 04/17/2023 05:52 AM
It is possible that endpoint access query causes a similar issue as entitlement type access query. Do you see anything in the logs when submitting the multi-user request? In my experience I've gotten good logs around this type of issue. If it is a workflow issue you should see some type of error around when the workflow is starting in the logs, but if it is related to the access query you'll likely see an error similar to what I mentioned above.
Does multi-user request work without the workflow in place?
04/26/2023 02:16 AM
There is no access query defined in security system, Endpoint or at Global config level. Also, I have tried to remove the workflow and with AutoApproval we still won't be able to see request is generated for Application Role requests via Multi User tile.
Is it a Saviynt's limitation as it is failing to detect Application Role though Multi User tile. Because it is working fine if we submit a request for single user via 'Request Access For Others' section.
Also we could not see any logs related to Application Role request submission.
Thanks,
Amit Aware
08/24/2023 12:53 PM
Did you get clarity on if this is supported? I don't have the answer.
12/09/2022 02:10 PM
I believe it is the same as you indicated you saw. I found the reference:
Saviynt Supported Variables: Variables and Expression
Variables | Description | Expression |
ars_requests | ARS_Requests Object can use for any Attribute of ARS_Requests | {ars_requests} |
RequestedBy | Long type Attribute use for requestor ID (ARS_Requests) | {RequestedBy} |
requestedby | Users Object as requestedby | {requestedby.username} {requestedby.firstname} |
requestedon | Date Type Attribute use for request date (ARS_Requests) | {requestedon} |
requestduedate | Date Type Attribute use for request due date (ARS_Requests) | {requestduedate} |
reqid | Long Type Attribute use for request id (ARS_Requests) | {reqid} |
requestcounts | Request Access count Map | {requestcounts.NEW_ACC_REQUESTS_COUNT > 0} {requestcounts.MODIFY_ACC_REQUESTS_COUNT > 0} {requestcounts.DELETE_ACC_REQUESTS_COUNT > 0} {requestcounts.ADD_ACCESS_REQUESTS_COUNT > 0} {requestcounts.REMOVE_ACCESS_REQUESTS_COUNT > 0} |
RequestedFor | Users Object as RequestedFor | {RequestedFor.firstname} {RequestedFor.lastname} |
user | Users Object as user | {user.firstname} {user.lastname} |
manager | Manager object Use to get manager Attributes | {manager.firstname} {manager.lastname} |
accounts | Accounts object as accounts | {accounts.customproperty1} {accounts.customproperty2} |
securitysystem | Map of Security System in request_access | {securitysystem.get(request_access.id)} |
entitlement | Entitlement Object as entitlement | {entitlement.customproperty15 == 'ABC'} {entitlement.getOwnerRank2().size() eq 0} |
ENTJSON | Json String Of All Entitlement Object | {ENTJSON.contains('123')} |
endpoints | Map of Endpoints in request_access | {endpoints.get(request_access.id)} |
dynamicAttributes | Dynamic Attribute | {((dynamicAttributes.get('customproperty30') ne null)} {(dynamicAttributes.get('customproperty30') eq 'Yes'))} |
totalsapaccounts | Count of SAP Accounts belong to the user | {totalsapaccounts == 0} {totalsapaccounts > 2} |
SODViolation | Map of Sod Risk | {SODViolation.get('High') > 0} {SODViolation.get('low') > 0} |
JRMViolation | JRM Violation List | {(entitlement != null and JRMViolation.contains(entitlement.id))} |
SOD | Count Of SOD | {SOD == 0} {SOD > 2} |
SOXCRITICALCOUNT | Int type Attribute Use for count of SoxCritical (Entitlement) | {SOXCRITICALCOUNT>0} |
SYSCRITICALCOUNT | Int type Attribute use for count of SysCritical (Entitlement) | {SYSCRITICALCOUNT>0} |
requiredrequestornot | String Type Use for entitlementtypekey.requiredinrequest (entitlementtype) | {requiredinrequest == "TRUE"} |
entitlementslist | Map of Entitlement/Role - map(request_access.id, entitlement_values) | {entitlementslist.get(123)} |
roleownerslist | List Of All Role_Owners | {roleownerslist.get(Role_Owners)} |
RequestAccessKeys | List of request access IDs (Long) | {RequestAccessKeys.get(request_access.id)} |
requestaccesskey | String type variable use for request access IDs | {requestaccesskey.contains('123')} |
quorum | String type Attribute use to show count of request access | {quorum} |
ffidpreapprovedmap | Pre Approved map FFID (Ffid_Users) (request_access.id,'TRUE') | {ffidpreapprovedmap.get(request_access.id)} |
Saviynt Supported Variables: following objects to be used in the workflow
Object Name | Example |
Elevated Entitlements: | {entitlement.soxcritical}>0 |
Total Entitlement Owner size (Number) | {entitlement.entowners.size()} |
Total Entitlement Owner (List) | {entitlement.allowner} or {entitlement.entowners} |
Entitlement Owner with Rank 1 to 5 | entitlement.ownerRank1 - entitlement.ownerRank5 |
Sod Risk (Map) | {(SODViolation.get('High')!=null and SODViolation.get('High') > 0)} for High Risk Priority. Risk can be - Critical, High, Medium, Low |
Jrm Violation (List) | {(entitlement != null and JRMViolation.contains(entitlement.id))} |
Refer to the Database schema guide for the fields available within each object.
Entitlement variable is not Supported By Serial Workflow.
Please note: if you use it in an If condition block it will not give any Error but always goes to Else Block.
Security System | securitysystem |
Endpoint | endpoints |
Accounts | accounts |
Requested Accounts Type | accounttype |
Entitlement/Role | entitlement |
Requestor | requestedby |
Users | manager ,user |
Json String Of All Entitlement Object | ENTJSON |
06/13/2023 07:49 AM
Any ideas how can I use endpoint owner as requestor in if else condition?