Detect entitlement type in workflow IF-ELSE

BrandonLucas_BF
Regular Contributor III

I have a workflow requirement for an endpoint that includes entitlement types that include both individual entitlements as well as Saviynt application roles. Some of the entitlements have owners but most do not. Almost all of the roles have role owners.

Our first requirement is to route requests for individual entitlements to approvers when an owner is specified. I implemented this requirement with the following IF-ELSE block:

BrandonLucas_BF_0-1665687040741.png

If there is no Rank1 owner, bypass the approval request.

However, this is routing requests for approval when they are for Application Roles also. How can I first detect whether or not the request is for an individual entitlement or an application role before sending it to the IF-ELSE block above?

It is not clear what in this article would accomplish this. I've tried many options and nothing works:

https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components

 

 

 


rushikeshvartak
All-Star

use entitlementtype object

rushikeshvartak_0-1666730201010.png

 


Regards,
Rushikesh Vartak
If the response is helpful, please click Accept As Solution and kudos it.

Where is this screenshot from?

BrandonLucas_BF
Regular Contributor III

I have tried using the following and it doesn't seem to work:

BrandonLucas_BF_0-1668543645917.png

When submitting requests with this workflow active, the request never enters request history.

Click on help section once you open workflow wiring


Regards,
Rushikesh Vartak

BrandonLucas_BF
Regular Contributor III

Sorry so slow to return to this thread.. keep working on this issue as I have time. Unfortunately, this is still not working for me.

When testing this, we end up with an error in logs like this:

 

2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger  - Println :: | Error javax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles]
2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger  - Println :: | Error  at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:260)
2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger  - Println :: |
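A log check for the failure quoted in the post above, as an added example that is not part of the original thread and not Saviynt tooling: it scans application log lines for the EL `PropertyNotFoundException` and reports which property was read on which object type, which is the signal that a workflow condition errored out and the request never reached request history. The line layout is assumed from the lines quoted in this thread; the function names are hypothetical.

```python
import re
from collections import Counter

# ANSI colour codes such as "[1;31m"; the ESC byte is often lost when logs are pasted.
ANSI = re.compile(r"\x1b?\[\d+(?:;\d+)*m")
# Layout assumed from the lines quoted in the thread: timestamp [thread] LEVEL logger - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
PNF = re.compile(
    r"javax\.el\.PropertyNotFoundException: Property \[(?P<prop>[^\]]+)\] "
    r"not found on type \[(?P<type>[^\]]+)\]"
)

def find_el_failures(lines):
    """Return one dict per EL PropertyNotFoundException found in the log lines."""
    hits = []
    for raw in lines:
        m = LINE.match(ANSI.sub("", raw).strip())
        if not m:
            continue  # not a log record in the assumed layout
        err = PNF.search(m["msg"])
        if err:
            hits.append({
                "ts": m["ts"],
                "thread": m["thread"],
                "property": err["prop"],
                "object": err["type"].rsplit(".", 1)[-1],  # short class name
            })
    return hits

def summarize(hits):
    """Count failures per (object, property) to show which condition needs fixing."""
    return Counter((h["object"], h["property"]) for h in hits)

# Sample input: the first two lines are quoted from this thread; the third is constructed.
SAMPLE = [
    "2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger  - Println :: [1;31m| Error [22;39mjavax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles] [m",
    "2022-12-09 21:13:05,469 [quartzScheduler_Worker-2] DEBUG println.PrintlnToLogger  - Println :: [1;31m| Error [22;39m at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:260) [m",
    "2022-12-09 21:20:41,102 [quartzScheduler_Worker-4] DEBUG println.PrintlnToLogger  - Println :: [1;31m| Error [22;39mjavax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles] [m",
]

if __name__ == "__main__":
    for (obj, prop), n in summarize(find_el_failures(SAMPLE)).items():
        print(f"{n}x workflow condition read '{prop}' on a {obj} object")
```

A hit on a `Roles` object means the condition was evaluated for a role request, so the workflow needs a branch on access type before any entitlement-only property is read.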

Share variables from help section


Regards,
Rushikesh Vartak

entitlement.entitlementtypekey.entitlementname == 'XYZ'

this is correct variable for parallel workflow

https://saviynt.freshdesk.com/support/solutions/articles/43000619101-workflow-components 


Regards,
Rushikesh Vartak

This is why I'm so frustrated because the documentation seems to show this is simple, but it is not working at all. I'm going to end up having to use custom property evaluation to do this and it will be a manual task to make sure the cp's are populated correctly.

I believe it errors out because 'Roles' do not have an entitlementtypekey property.

Try this

entitlementslist.get(requestaccesskey).entitlementtypekey.entitlementname == 'Public Groups'


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

I assumed "Public Groups" is the name of the entitlement type of entitlements not applications role. If not then replace that with name of the entitlement type of entitlements. If it matches then route it to your entitlements logic


Regards,
Saathvik

BrandonLucas_BF
Regular Contributor III

Yes, "Public Groups" is a simple entitlement type. The issue is that the endpoint also contains application roles. When those are requested, we get this error in the logs and the request is not submitted:

Error javax.el.PropertyNotFoundException: Property [entitlementtypekey] not found on type [com.saviynt.ecm.identitywarehouse.domain.Roles]

That is when using a simple condition in workflow:

Start > Enter Condition to make sure there actually is an owner specified for the requested entitlement:

(entitlement.ownerRank1 == null) or
(entitlement.ownerRank1.size() == 0)

If false, check to see if 'Public Groups' entitlement. Another condition:

entitlement.entitlementtypekey.entitlementname == 'Public Groups'

 

Workflow errors out.

 

BrandonLucas_BF_0-1670855483218.png

 

 

Then I would suggest that, after Start, you first check whether the request is submitted for a regular entitlement or an application role, using the condition below in an IF-ELSE with the language set to Groovy. Here 7 means application role; if you want to check whether the request is submitted for a regular entitlement, you can change the value to 2.

com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype == 7

After identifying which type of access is being requested then you can route the WF to respective logic.

Example if request is submitted for regular entitlement then you want to check if entitlement has owner or not and then send approval to owner if exists or auto approve if not.


Regards,
Saathvik

SriRanga
Regular Contributor

Hi @sk,

So 2 is for Individual entitlement, 7 is for Application role. What is value we can use for Enterprise Role ?

Thanks

In case if you want to check request is submitted for Application roles then try this condition

com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype == 7 in if else block with language as groovy


Regards,
Saathvik

BrandonLucas_BF
Regular Contributor III

This is exactly what I needed and it is working. Thank you!

Hi @BrandonLucas_BF ,

I have tried to create WF as having same requirement but the condition is not working as expected. It means when we are using above given expression as groovy type in IF ELSE block. Now when I try to submit request for Individual entitlement it goes to FALSE part, also if tried for Application/Enterprise Role which still goes to FALSE part of if else block. 

-Here control is not passing to TRUE section whether request is for Individual Entitlement OR Application/Enterprise Role. We have two separate logic- 1. for Individual Entitlement and  2. For Application/Enterprise Role

Could you please try to share the screen shot of workflow you created. Also our product version is 23.1 so let me know if its okay ?

 

Thanks,

Amit Aware

BrandonLucas_BF
Regular Contributor III

Yes, no problem. Here is the logic we used. FYI - we are on v23.2 but this also worked on 2020.1.

For us the requirement is: first, is there an owner for the request? If not, go ahead and grant access. If there is, then do a second check to ensure it is an individual entitlement and not anything else like a role (which have owners but don't need approvals). Thus if it is an entitlement and has an owner, send for approval.

 

BTW - the access types are listed here now. I'm not sure if they were there when this conversation was first posted: https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter12-Workflows/Workflow-Compon...

 

BrandonLucas_BF_0-1681391337962.png

 

Hi @BrandonLucas_BF ,

Thanks for the valuable information.

Actually what is happening here is that, with expression - "(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 7" it is working fine when we are requesting single user at a time via "Request Access For Others" section in ARS for Application Role request. But same expression if we use with 'Request Access for Others-Multi User' in ARS then no request is generating when we are requesting access for Application Role for multiple users.

Please help us to understand that why value 7 is working for Application Role request via "Request Access For Others" but not for Multi user Application Role Request ?

Also, please confirm if we have to use expression -"(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 1" for Enterprise Role ?

Thanks,

Amit Aware

BrandonLucas_BF
Regular Contributor III

You may be touching on a different bug with regards to your question about multi user request submitting and not showing up in history. Tell me: when testing this process is the entitlement type being requested restricted by using an access query at the endpoint entitlement type level?

Hi @BrandonLucas_BF ,

I could see the below in access query section at endpoint level for which we are raising requests-

"where users.userkey in (select us.userkey from savroles sv join user_savroles us on sv.rolekey=us.rolekey where sv.rolename in ('ROLE_ADMIN','ROLE_UAMTEAM'))"

Is it stopping the request flow while submitting a request for Application Role? Please share your thoughts.

Note- Here the requestor is having ROLE_ADMIN role which is satisfying the above condition.

Thanks,

Amit Aware

BrandonLucas_BF
Regular Contributor III

This sounds very similar to a bug our organization has reported with multi-user access request not working when submitting a multi-user request for an entitlement for which the entitlement type has an access query defined. We opened ticket #1457972 on this issue and it is still open with engineering waiting on a fix. I suggest opening a case and referencing this ticket # for comparison and analysis.

Impossible to say if your issue is exactly like ours without looking in your logs. I will tell you more about our issue as reported in our ticket. Our front-end behavior is the same I think. When the request is submitted for multi-user, we receive successful submission message but it never enters request history. In the logs we consistently find an error like the following. You should check if you have the same. Even though we are *not* doing any type of CSV upload during this request, there appears to be some mechanism behind the scenes that uses the same CSV-dependent code-base for GUI-driven and import-based multi-user request:

BrandonLucas_BF_0-1681481409262.png

 

Here is how we have set our access queries on the entitlement type in question:

 

BrandonLucas_BF_2-1681481447772.png

The only workaround we have is to remove the access query. Very interested in what you find for similarity.

Hi @BrandonLucas_BF ,

We have below access query and not where you mentioned above-

SriRanga_2-1681713625813.png

 

The query for which you have share screenshot is as below in our case-

SriRanga_0-1681712724629.png

 

Note- In our case it is okay when we are requesting Enterprise Role requests Or Individual entitlement requests. We are facing issue with only application role. Means when we are requesting for Application role in bulk there is no request generated. And the strange thing is if we are requesting Application role for single user in ARS (i.e. not in a multi user flow) then request is generating for expression-(com.saviynt.ecm.workflow.Request_Access.get(new Long(requestaccesskey))?.accesstype) == 7

 

Thanks,

Amit Aware

 

 

BrandonLucas_BF
Regular Contributor III

It is possible that endpoint access query causes a similar issue as entitlement type access query. Do you see anything in the logs when submitting the multi-user request? In my experience I've gotten good logs around this type of issue. If it is a workflow issue you should see some type of error around when the workflow is starting in the logs, but if it is related to the access query you'll likely see an error similar to what I mentioned above.

Does multi-user request work without the workflow in place? 

@BrandonLucas_BF -

There is no access query defined in the security system, Endpoint, or at Global config level. Also, I have tried to remove the workflow, and with AutoApproval we still won't be able to see that a request is generated for Application Role requests via the Multi User tile.

Is it a Saviynt's limitation as it is failing to detect Application Role though Multi User tile. Because it is working fine if we submit a request for single user via 'Request Access For Others' section.

 

Also we could not see any logs related to Application Role request submission.

Thanks,

Amit Aware

BrandonLucas_BF
Regular Contributor III

Did you get clarity on if this is supported? I don't have the answer.

BrandonLucas_BF
Regular Contributor III

I believe it is the same as you indicated you saw. I found the reference:

Saviynt Supported Variables: Variables and Expression

Variables | Description | Expression
ars_requests | ARS_Requests Object can use for any Attribute of ARS_Requests | {ars_requests}
RequestedBy | Long type Attribute use for requestor ID (ARS_Requests) | {RequestedBy}
requestedby | Users Object as requestedby | {requestedby.username} {requestedby.firstname}
requestedon | Date Type Attribute use for request date (ARS_Requests) | {requestedon}
requestduedate | Date Type Attribute use for request due date (ARS_Requests) | {requestduedate}
reqid | Long Type Attribute use for request id (ARS_Requests) | {reqid}
requestcounts | Request Access count Map | {requestcounts.NEW_ACC_REQUESTS_COUNT > 0} {requestcounts.MODIFY_ACC_REQUESTS_COUNT > 0} {requestcounts.DELETE_ACC_REQUESTS_COUNT > 0} {requestcounts.ADD_ACCESS_REQUESTS_COUNT > 0} {requestcounts.REMOVE_ACCESS_REQUESTS_COUNT > 0}
RequestedFor | Users Object as RequestedFor | {RequestedFor.firstname} {RequestedFor.lastname}
user | Users Object as user | {user.firstname} {user.lastname}
manager | Manager object Use to get manager Attributes | {manager.firstname} {manager.lastname}
accounts | Accounts object as accounts | {accounts.customproperty1} {accounts.customproperty2}
securitysystem | Map of Security System in request_access | {securitysystem.get(request_access.id)}
entitlement | Entitlement Object as entitlement | {entitlement.customproperty15 == 'ABC'} {entitlement.getOwnerRank2().size() eq 0}
ENTJSON | Json String Of All Entitlement Object | {ENTJSON.contains('123')}
endpoints | Map of Endpoints in request_access | {endpoints.get(request_access.id)}
dynamicAttributes | Dynamic Attribute | {((dynamicAttributes.get('customproperty30') ne null)} {(dynamicAttributes.get('customproperty30') eq 'Yes'))}
totalsapaccounts | Count of SAP Accounts belong to the user | {totalsapaccounts == 0} {totalsapaccounts > 2}
SODViolation | Map of Sod Risk | {SODViolation.get('High') > 0} {SODViolation.get('low') > 0}
JRMViolation | JRM Violation List | {(entitlement != null and JRMViolation.contains(entitlement.id))}
SOD | Count Of SOD | {SOD == 0} {SOD > 2}
SOXCRITICALCOUNT | Int type Attribute Use for count of SoxCritical (Entitlement) | {SOXCRITICALCOUNT>0}
SYSCRITICALCOUNT | Int type Attribute use for count of SysCritical (Entitlement) | {SYSCRITICALCOUNT>0}
requiredrequestornot | String Type Use for entitlementtypekey.requiredinrequest (entitlementtype) | {requiredinrequest == "TRUE"}
entitlementslist | Map of Entitlement/Role - map(request_access.id, entitlement_values) | {entitlementslist.get(123)}
roleownerslist | List Of All Role_Owners | {roleownerslist.get(Role_Owners)}
RequestAccessKeys | List of request access IDs (Long) | {RequestAccessKeys.get(request_access.id)}
requestaccesskey | String type variable use for request access IDs | {requestaccesskey.contains('123')}
quorum | String type Attribute use to show count of request access | {quorum}
ffidpreapprovedmap | Pre Approved map FFID (Ffid_Users) (request_access.id,'TRUE') | {ffidpreapprovedmap.get(request_access.id)}

Saviynt Supported Variables: following objects to be used in the workflow

Object Name Example

Elevated Entitlements: {entitlement.soxcritical}>0
Total Entitlement Owner size (Number) {entitlement.entowners.size()}
Total Entitlement Owner (List) {entitlement.allowner} or {entitlement.entowners
Entitlement Owner with Rank 1 to 5 entitlement.ownerRank1 - entitlement.ownerRank5
Sod Risk (Map) {(SODViolation.get('High')!=null and SODViolation.get('High') > 0)} for High Risk Priority. Risk can be - Critical, High, Medium, Low
Jrm Violation (List) {(entitlement != null and JRMViolation.contains(entitlement.id))}

Refer to the Database schema guide for the fields available within each object
Entitlement variable is not Supported By Serial Workflow
please Note if you will use in If condition block it will not give any Error but always goes to Else Block

Security System | securitysystem
Endpoint | endpoints
Accounts | accounts
Requested Accounts Type | accounttype
Entitlement/Role | entitlement
Requestor | requestedby
Users | manager, user
Json String Of All Entitlement Object | ENTJSON

Naz_A
Regular Contributor

Any ideas how can I use endpoint owner as requestor in if else condition?