
Emergency Access ID request

shivmano
Regular Contributor III

Hi Team - 

We are trying to request an emergency access ID for the SAP application and have added the configurations below. But when I go to 'Request Emergency Access ID' or 'Request access for others', I still do not see any of the firefighter IDs to request. We have multiple firefighter IDs that are active and exist under the SAP endpoint with account type S.

1) Added the Emergency Access ID Request Workflow and Emergency Access ID Access Request Workflow at the security system

2) Added the below config at the SAP connection type:

{
  "ffidoptions": ["requestinstanceaccess", "requestaccessforothers", "managesessions"],
  "step1columns": ["firefighterid", "endpoint", "description", "validfrom", "validto"]
}


Please can someone let us know if there is anything else that needs to be done?

Thank you

 


rushikeshvartak
All-Star

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

shivmano
Regular Contributor III

@rushikeshvartak , thank you for the response. Below is what I am seeing in the logs, when I am selecting the 'Request Emergency access ID' option from the tile. But the account type for the FFIDs coming from SAP is Accounttype: S 

2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-params = [prev:, connectiontype:SAP, hidetabrole:1, firefighterrole:firefighter, _:1715317384622, controller:firefighter, action:ffidaccessjson, id:19459, jsontype:datatable, iDisplayLength:15000, iDisplayStart:0]
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-ffidfinalQry = Select new Map(a.id as id , ffidusers as ffiduser) from Accounts a , Ffid_Users ffidusers where a.id = ffidusers.ffAccountKey and a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1 and ffidusers.startDate < :date and ffidusers.endDate > :date and ffidusers.userKey = :userkey and ffidusers.status<>-1
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-firefighteraccountquery = Select a from Accounts a where a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1 and a.endpointkey.securitysystemkey.externalConnection.externalconnectiontype.connectiontype='SAP' and (a.endpointkey.securitysystemkey.firefighteridWorkflow is not null or a.endpointkey.securitysystemkey.firefighteridRequestAccessWorkflow is not null)
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-countQuery = Select count(*) from Accounts a where a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1 and a.endpointkey.securitysystemkey.externalConnection.externalconnectiontype.connectiontype='SAP' and (a.endpointkey.securitysystemkey.firefighteridWorkflow is not null or a.endpointkey.securitysystemkey.firefighteridRequestAccessWorkflow is not null)
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-queryparams1 [activeStatus:1, provisionStatus:Manually Provisioned, accounttype:FIREFIGHTERID]
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-queryparams2 [activeStatus:1, provisionStatus:Manually Provisioned, offset:0, max:15000, accounttype:FIREFIGHTERID]
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-Query executed
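
A way to read the filter out of these DEBUG lines, added here as an example (it is not Saviynt code and not part of the original post): it pairs the `:param` placeholders in `firefighteraccountquery` with the logged `queryparams` values and reports which column excludes a given account. The two log lines are abridged copies of the lines above; the account rows and the function names are constructed for illustration.

```python
import re

# Abridged copies of two DEBUG lines from the post above (query shortened).
SAMPLE_LOG = """\
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-firefighteraccountquery = Select a from Accounts a where a.accounttype =:accounttype and ( a.status=:activeStatus or a.status = :provisionStatus) and a.endpointkey.status=1
2024-05-10T10:33:10+05:30-ecm-firefighter.FirefighterController-http-nio-8080-exec-79-ghgcz-DEBUG-queryparams2 [activeStatus:1, provisionStatus:Manually Provisioned, offset:0, max:15000, accounttype:FIREFIGHTERID]
"""

PREDICATE = re.compile(r"\ba\.(\w+)\s*=\s*:(\w+)")  # a.<column> = :<param>
PARAMS = re.compile(r"^queryparams\d+ \[(.*)\]$")


def accepted_values(log_text, query_name="firefighteraccountquery"):
    """Map each filtered Accounts column to the set of values the query accepts."""
    query, bound = "", {}
    for line in log_text.splitlines():
        _, sep, msg = line.partition("-DEBUG-")
        if not sep:
            continue  # not a DEBUG line in the format shown above
        if msg.startswith(query_name + " = "):
            query = msg.split(" = ", 1)[1]
        elif (m := PARAMS.match(msg.strip())):
            for pair in m.group(1).split(", "):
                key, _, value = pair.partition(":")
                bound[key] = value
    accepted = {}
    for column, param in PREDICATE.findall(query):
        if param in bound:
            # Assumption: several binds on one column are OR-ed, as a.status is here.
            accepted.setdefault(column, set()).add(bound[param])
    return accepted


def rejecting_columns(account, accepted):
    """Columns whose value on this account falls outside the accepted set."""
    return sorted(c for c, ok in accepted.items() if str(account.get(c)) not in ok)


if __name__ == "__main__":
    filters = accepted_values(SAMPLE_LOG)
    # Constructed rows: one typed as imported from SAP, one typed FIREFIGHTERID.
    print(rejecting_columns({"accounttype": "S", "status": "1"}, filters))
    print(rejecting_columns({"accounttype": "FIREFIGHTERID", "status": "1"}, filters))
```
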

shivmano
Regular Contributor III

@rushikeshvartak , If I manually change the accounttype for the FF account to FIREFIGHTERID, then I can see it under the option. So do we need to update the accounttype from A or S to FIREFIGHTERID for these FFIDs after every import from SAP? 

Also, can you please help with the below information about emergency access ID requests, as the documentation is not very helpful regarding the topic?

1) After submitting access to FFID, how can I validate on EIC that the access is added? Because I submitted the request and can see the request is completed but do not see any task created.

2) The Manage sessions is not showing the access that was granted to FFID either. How and when can I see the existing sessions here?

1) After submitting access to FFID, how can I validate on EIC that the access is added? Because I submitted the request and can see the request is completed but do not see any task created. --> Did you run / schedule the Create Tasks for Future Ent Role Requests (EnterpriseRoleManagementJob) job?

2) The Manage sessions is not showing the access that was granted to FFID either. How and when can I see the existing sessions here? --> Check Account Type or the view existing access tile.


Regards,
Rushikesh Vartak

shivmano
Regular Contributor III

@rushikeshvartak, yes, I have run the EnterpriseRoleManagementJob but no tasks are created. Please can you help me understand the below observations I have:

1) I currently do not have any configuration added in the FIREFIGHTERID_GRANT_ACCESS_JSON and FIREFIGHTERID_REVOKE_ACCESS_JSON. Is this required for the task to be created for FFID request?

2) I see the FFID access request consists of 2 steps.

1st - Go to 'Request Emergency Access ID' > Select FFID (clicking on 'Make ID Requestable') > Submit the request > This creates an 'Emergency Access ID Assignment' request > After approval, run the EnterpriseRoleManagementJob > No task is created and I do not see the User Type change in SAP for the requested Dialog user or under view existing access


2nd - Go to 'Request Emergency Access ID' > Select FFID (clicking on 'Checkout Sessions' next to the FFID) > Select T-CODE in the next step > Submit request > This creates a 'Privilege ID Request' > After approval, run the EnterpriseRoleManagementJob > No task is created and I do not see the User Type change in SAP for the requested Dialog user or under view existing access


After 2nd step, I can however see the session info under Request Emergency Access ID > Manage Sessions 


Please can you let me know what the significance of both these requests is, and which workflow is applicable for each of them? Currently I have both 'Emergency Access ID Request Workflow' and 'Emergency Access ID Access Request Workflow' with autoapproval set at the security system.

Thank you

shivmano
Regular Contributor III

@rushikeshvartak, just adding to this - I see that the tasks are created ~15 minutes after the request is approved for 'Privilege ID Request', even though I am manually running the EnterpriseRoleManagementJob. When I then run the provisioning job, the below error is seen in the logs:

java.lang.NullPointerException: Cannot invoke method equalsIgnoreCase() on null object
    at com.saviynt.provisoning.SapProvisioningService$_grantFFIDAccessSAP_closure27.doCall(SapProvisioningService.groovy:4770)
    at com.saviynt.provisoning.SapProvisioningService.grantFFIDAccessSAP(SapProvisioningService.groovy:4749)
    at com.saviynt.ecm.services.ArsTaskService.provisionFFIDAccessTarget(ArsTaskService.groovy:17439)
    at com.saviynt.ecm.services.ArsTaskService$_provisionFFIDAccess_closure207.doCall(ArsTaskService.groovy:17114)
    at com.saviynt.ecm.services.ArsTaskService.provisionFFIDAccess(ArsTaskService.groovy:17103)
    at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:241)
    at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160)
    at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)

Did you add the JSON on the connection?


Regards,
Rushikesh Vartak

shivmano
Regular Contributor III

Yes, I have added the FIREFIGHTERID_GRANT_ACCESS_JSON as advised in the documentation below:

https://docs.saviyntcloud.com/bundle/SAP-v24x/page/Content/Configuring-the-Integration-for-Provision...