05/22/2024 03:47 AM
Hi all,
We have a requirement to auto-approve the enable and disable service account requests if the service account owner requests it. Since the request page doesn't have any dynamic attributes for enable and disable requests, I am not able to fetch the owner detail in the workflow.
I was using the following Groovy script in the if-else block of the workflow to compare the requestor and the service account owner - (com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username ==(requestedby.username))
What other script can we use to compare the requestor and service account owner in the if else block?
Thanks.
05/22/2024 10:15 PM
As of today, only the owner can disable/enable a service account, except role admin. So validate if the requestor has role_admin, then auto reject.
05/23/2024 08:32 AM
Hey,
Thanks for the response.
There is one more requirement: when the admin requests on behalf of the service account owner, the request should go to the service account owner for approval. How can we achieve that?
05/23/2024 09:49 AM - edited 05/23/2024 09:50 AM
05/23/2024 09:57 AM
Hey Saathvik,
Thanks for your response. Do you know what script we can use to get the owner detail in the workflow block?
05/23/2024 10:11 AM
You can use a custom query block.
05/23/2024 01:07 PM
Hey,
I had to change the query mentioned in the topic as the attribute_name column does not contain the owner key for enable and disable requests. I am using the following query now which is giving me the correct result -
select owneruserkey from accountowners ao where FIND_IN_SET(ao.accountkey,(select distinct REPLACE(raa.attribute_value,'' '','''') from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey=${ARSREQUEST.id} and raa.attribute_name=''ACCOUNTKEY''))!=0
However, when I raise a disable account request for an account that has some other owner, the request goes for admin approval. I am not sure why that is happening. Could you please take a look? Attaching my workflow below.
05/23/2024 09:14 PM
Share the output of this query:
select distinct raa.* from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey='11111'
05/24/2024 12:04 AM
Here you go:
05/24/2024 06:21 AM
@Yashh: You have mentioned a service account, but looking at the query output, it doesn't have the attributes it is supposed to have. Can you please share screenshots of how you are requesting the service account, and what the page looks like?
Below is a screenshot of how it looks in our environment.
05/24/2024 08:21 AM
Hey,
I am requesting the disablement of a service account; that is why these attributes aren't showing up in the attribute_name column of the table. Attaching a screenshot for reference.
05/24/2024 06:39 AM
Use the below query in the workflow:
select distinct OWNERUSERKEY as userkey from request_access_attrs raa , ars_requests ar, request_access ra,accountowners ao WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY AND raa.attribute_name='ACCOUNTKEY' and raa.attribute_value=ao.accountkey and ar.requestkey=${ARSREQUEST.id}
05/24/2024 08:50 AM
Hey,
This worked. Thanks a lot!
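
Added example (not part of the thread and not Saviynt code): the accepted query run against a minimal SQLite stand-in to show the owner-versus-requestor routing the thread is after. The schema is constructed from the table and column names quoted above; the `requestor` column, the sample rows and the decision labels are assumptions, and `${ARSREQUEST.id}` is replaced by a bound parameter.

```python
import sqlite3

# Constructed stand-in schema: only tables/columns named in the thread,
# plus a hypothetical `requestor` column on ars_requests.
SCHEMA = """
CREATE TABLE ars_requests (requestkey INTEGER PRIMARY KEY, requestor INTEGER);
CREATE TABLE request_access (request_accesskey INTEGER PRIMARY KEY, requestkey INTEGER);
CREATE TABLE request_access_attrs (request_access_key INTEGER, attribute_name TEXT, attribute_value TEXT);
CREATE TABLE accountowners (accountkey INTEGER, owneruserkey INTEGER);
"""

# Accepted query from the thread; the request key is bound, not interpolated.
OWNER_QUERY = """
SELECT DISTINCT ao.owneruserkey AS userkey
FROM request_access_attrs raa, ars_requests ar, request_access ra, accountowners ao
WHERE ar.requestkey = ra.requestkey
  AND ra.request_accesskey = raa.request_access_key
  AND raa.attribute_name = 'ACCOUNTKEY'
  AND raa.attribute_value = ao.accountkey
  AND ar.requestkey = ?
"""

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed rows: account 501 has owners 10 and 11; account 502 has none.
    db.executemany("INSERT INTO accountowners VALUES (?, ?)", [(501, 10), (501, 11)])
    # (request key, requestor user key, requested account key)
    for rk, requestor, acct in [(1, 10, 501), (2, 99, 501), (3, 10, 502)]:
        db.execute("INSERT INTO ars_requests VALUES (?, ?)", (rk, requestor))
        db.execute("INSERT INTO request_access VALUES (?, ?)", (rk * 100, rk))
        db.execute("INSERT INTO request_access_attrs VALUES (?, 'ACCOUNTKEY', ?)",
                   (rk * 100, str(acct)))
    return db

def route(db, requestkey):
    """Return (decision, owner user keys) for an enable/disable request."""
    owners = sorted(r[0] for r in db.execute(OWNER_QUERY, (requestkey,)))
    (requestor,) = db.execute(
        "SELECT requestor FROM ars_requests WHERE requestkey = ?", (requestkey,)
    ).fetchone()
    if not owners:
        return ("no_owner_found", [])   # query returned no approver
    if requestor in owners:
        return ("auto_approve", owners)  # owner raised the request
    return ("owner_approval", owners)    # someone else raised it: route to owners
```

The empty-result branch is worth testing in a real workflow, since an account with no row in accountowners yields no approver from this query.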