Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Enable/Disable Service Account Workflow

Yashh
New Contributor III
New Contributor III

Hi all,

We have a requirement to auto approve the enable and disable service account requests if the service account owner requests for it. Since the request page doesn't have any dynamic attributes for enable and disable request I am not able to fetch the owner detail in the workflow.

Yashh_0-1716374496676.png

I was using the following groovy script in the if else block of the workflow to compare the requestor and the service account owner - (com.saviynt.ecm.identitywarehouse.domain.Users.get(Long.valueOf(dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEY'))).username ==(requestedby.username))

What other script can we use to compare the requestor and service account owner in the if else block?

Thanks.

12 REPLIES 12

rushikeshvartak
All-Star
All-Star

As of today only owner can disable /enable service account except role admin. So validate if requestor have role_admin then auto reject.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hey,

Thanks for the response.
There is one more requirement where when the admin requests on behalf of the service account owner, the request should go to the service account owner for approval. How can we achieve that?

@Yashh : use this condition to if enable/disable requests are submitted by ROLE_ADMIN then send it to Owner Approval block otherwise send it to Grant block

Saathvik_0-1716482938845.png

 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Yashh
New Contributor III
New Contributor III

Hey Saathvik,

Thanks for your response. Do you know what script we can use to get the owner detail in the workflow block? 

You can use custom query block

Refer https://forums.saviynt.com/t5/application-access-governance/service-account-integration-queries/m-p/... 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hey,

I had to change the query mentioned in the topic as the attribute_name column does not contain the owner key for enable and disable requests. I am using the following query now which is giving me the correct result - 
select owneruserkey from accountowners ao where FIND_IN_SET(ao.accountkey,(select distinct REPLACE(raa.attribute_value,'' '','''') from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey=${ARSREQUEST.id} and raa.attribute_name=''ACCOUNTKEY''))!=0

However when I raise a request for disable account for an account having some other owner, the request goes for admins approval. I am not sure why that is happening. Could you please take a look, attaching my workflow below.

Yashh_0-1716494412498.png

 

Share output of query 

select distinct raa.* from request_access_attrs raa , ars_requests ar, request_access ra WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY and ar.requestkey='11111'


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Here you go : 

Yashh_0-1716534141131.png

 

@Yashh : You have mentioned service account but looking at query output it doesn't have the attributes it suppose to be. Can you please share the screenshots of how you are requesting service account? And how the page looks like?

Below is the screenshot how it looks like in our environment

Saathvik_0-1716556843050.png

 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Yashh
New Contributor III
New Contributor III

Hey,

I am requesting for the disablement of service account that is why these attributes aren't showing up in the attribute_name of the table. Attaching screenshot for reference.

Yashh_0-1716564023617.png

 

use below query in workflow 

select distinct OWNERUSERKEY as userkey from request_access_attrs raa , ars_requests ar, request_access ra,accountowners ao WHERE ar.REQUESTKEY = ra.REQUESTKEY and ra.REQUEST_ACCESSKEY = raa.REQUEST_ACCESS_KEY AND raa.attribute_name='ACCOUNTKEY' and raa.attribute_value=ao.accountkey and ar.requestkey=${ARSREQUEST.id}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hey,

This worked. Thanks a lot!