Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Emergency Access ID request

shivmano
Regular Contributor III
Regular Contributor III

Hi Team - 

We are trying to request for emergency access ID for SAP application and we have added the below configurations for this. But still when I go to 'Request Emergency Access ID' or 'Request access for others' I do not see any of the firefighter IDs to request. We have multiple firefighter IDs that are active and exists under the SAP endpoint with account type - S

1) Added the Emergency Access ID Request Workflow and Emergency Access ID Access Request Workflow at the security system

2) Added the below config at the SAP connection type:

{
"ffidoptions": ["requestinstanceaccess","requestaccessforothers","managesessions"],
"step1columns": ["firefighterid","endpoint","description","validfrom","validto"]}

shivmano_0-1715269312042.pngshivmano_1-1715269371600.png

Please can someone let us know if there is anything else that needs to be done ?

Thank you

 

8 REPLIES 8

rushikeshvartak
All-Star
All-Star

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues .


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

shivmano
Regular Contributor III
Regular Contributor III

@rushikeshvartak , thank you for the response. Below is what I am seeing in the logs, when I am selecting the 'Request Emergency access ID' option from the tile. But the account type for the FFIDs coming from SAP is Accounttype: S 

2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-params = [prev:, connectiontype:SAP, hidetabrole:1, firefighterrole:firefighter, _:1715317384622, controller:firefighter, action:ffidaccessjson, id:19459, jsontype:datatable, iDisplayLength:15000, iDisplayStart:0]
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-ffidfinalQry = Select new Map(a.id as id , ffidusers as ffiduser) from Accounts a , Ffid_Users ffidusers where a.id = ffidusers.ffAccountKey and a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1 and ffidusers.startDate < :date and ffidusers.endDate > :date and ffidusers.userKey = :userkey and ffidusers.status<>-1
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-firefighteraccountquery = Select a from Accounts a where a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1 and a.endpointkey.securitysystemkey.externalConnection.externalconnectiontype.connectiontype='SAP' and (a.endpointkey.securitysystemkey.firefighteridWorkflow is not null or a.endpointkey.securitysystemkey.firefighteridRequestAccessWorkflow is not null)
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-countQuery = Select count(*) from Accounts a where a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1 and a.endpointkey.securitysystemkey.externalConnection.externalconnectiontype.connectiontype='SAP' and (a.endpointkey.securitysystemkey.firefighteridWorkflow is not null or a.endpointkey.securitysystemkey.firefighteridRequestAccessWorkflow is not null)
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-queryparams1 [activeStatus:1, provisionStatus:Manually Provisioned, accounttype:FIREFIGHTERID]
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-queryparams2 [activeStatus:1, provisionStatus:Manually Provisioned, offset:0, max:15000, accounttype:FIREFIGHTERID]
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-Query executed

shivmano
Regular Contributor III
Regular Contributor III

@rushikeshvartak , If I manually change the accounttype for the FF account to FIREFIGHTERID, then I can see it under the option. So do we need to update the accounttype from A or S to FIREFIGHTERID for these FFIDs after every import from SAP? 

Also, Can you please help with the below information about emergency access ID requests as the documentation is not very helpful regarding the topic 

1) After submitting access to FFID, how can I validate on EIC That the access is added? Because I submitted the request and can see the request is completed but do not see any task created 

2) The Manage sessions is not showing the access that was granted to FFID either, how and when can I see the existing sessions here? 

1) After submitting access to FFID, how can I validate on EIC That the access is added? Because I submitted the request and can see the request is completed but do not see any task created  --> Did you ran / scheduled Create Tasks for Future Ent Role Requests (EnterpriseRoleManagementJob) Job

2) The Manage sessions is not showing the access that was granted to FFID either, how and when can I see the existing sessions here?  --> Check Account Type or view existing access tile.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

shivmano
Regular Contributor III
Regular Contributor III

@rushikeshvartak , Yes I have run the EnterpriseRoleManagementJob but no tasks are created. Please can you help me understand the below observations I have

1) I currently do not have any configuration added in the FIREFIGHTERID_GRANT_ACCESS_JSON and FIREFIGHTERID_REVOKE_ACCESS_JSON. Is this required for the task to be created for FFID request?

2) I see the FFID access request consists of 2 steps.

1st - Go to 'Request Emergency Access ID' > Select FFID (Clicking on 'Make ID Requestable') > submit the request > This creates a 'Emergency Access ID Assignment' request > after approval run the EnterpriseRoleManagementJob > No task is created and do not see User Type change in SAP for the requested Dialog user or under view existing acess

shivmano_1-1715588186703.png

2nd - Go to 'Request Emergency Access ID' > Select FFID (Clicking on 'Checkout Sessions' next to the FFID) > Select T-CODE in next step > Submit request > This creates 'Privilege ID Request' > after approval run the EnterpriseRoleManagementJob > No task is created and do not see User Type change in SAP for the requested Dialog user or under view existing acess

shivmano_0-1715588157848.png

After 2nd step, I can however see the session info under Request Emergency Access ID > Manage Sessions 

shivmano_2-1715588307840.png

Please can you let me know what is the significance of both these requests? and which workflow is applicable for each of them? Currently I have both 'Emergency Access ID Request Workflow' and 'Emergency Access ID Access Request Workflow' with autoapproval set at the security system

Thank you

shivmano
Regular Contributor III
Regular Contributor III

@rushikeshvartak , just adding to this - I see that the tasks are created ~15 minutes after the request is approved for 'Privilege ID Request' even though I am manually running the EnterpriseRoleManagementJob. and when I then run the provisioning job, below error is seen in logs

java.lang.NullPointerException: Cannot invoke method equalsIgnoreCase() on null object at com.saviynt.provisoning.SapProvisioningService$_grantFFIDAccessSAP_closure27.doCall(SapProvisioningService.groovy:4770) at com.saviynt.provisoning.SapProvisioningService.grantFFIDAccessSAP(SapProvisioningService.groovy:4749) at com.saviynt.ecm.services.ArsTaskService.provisionFFIDAccessTarget(ArsTaskService.groovy:17439) at com.saviynt.ecm.services.ArsTaskService$_provisionFFIDAccess_closure207.doCall(ArsTaskService.groovy:17114) at com.saviynt.ecm.services.ArsTaskService.provisionFFIDAccess(ArsTaskService.groovy:17103) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:241) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)

Did you added JSON on connection ?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

shivmano
Regular Contributor III
Regular Contributor III

Yes, I Have added the FIREFIGHTERID_GRANT_ACCESS_JSON  as advised in below documentation

https://docs.saviyntcloud.com/bundle/SAP-v24x/page/Content/Configuring-the-Integration-for-Provision...