
Endpoint based visibility of Request History

haardik_verma
Regular Contributor

Hi,

We are looking for a way to give a user access to the Request History page where the user should be able to see requests from a certain endpoint only.

We tested the below things:

1) We changed the Access to Endpoints in Sav Role

 

haardik_verma_1-1675073352882.png

This did not work. The user was able to see all the requests from all the endpoints.

2) Used View all requests submitted for the endpoint(s) retrieved option in Request History of sav role

haardik_verma_3-1675073562958.png

This opens a box to write HQL query:

haardik_verma_4-1675073672470.png

 

We tried the below queries 

i) select a from Endpoints a where a.id=16 - NOT SHOWING REQUESTS THAT HAVE MULTIPLE ENDPOINTS.

Like, these below requests are not shown to the sav role user.

haardik_verma_5-1675074409089.png

 

ii) select a from Endpoints a where a.id in (select ed.id from Endpoints ed where ed.endpointname like '%SAP%') - NOT WORKING

iii) select a from Endpoints a where a.id in (16,17,18) - NOT SHOWING REQUESTS WITH MULTIPLE ENDPOINTS

iv) select a from Endpoints a where a.id=16 UNION select a from Endpoints a where a.id=18 - SHOWING ONLY ENDPOINT ID 16 REQUESTS

v) select a from Endpoints a where a.id=16 and a.id=18 - NOT WORKING


Thanks & Regards,
Haardik Verma
8 REPLIES

rushikeshvartak
All-Star

rushikeshvartak_0-1675077919242.png

https://forums.saviynt.com/t5/identity-governance/request-history-visibility-issues/td-p/10348


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak .

This did not work.

Kept the HQL as

select a from Endpoints a where a.customproperty6='RequestHistorySAP'

And populated cp6 as RequestHistorySAP for 4 SAP endpoints, but only those requests were visible which were requested for a single endpoint.

 


Thanks & Regards,
Haardik Verma

Single endpoint meaning just one application at a time, not multiple in one request?


Regards,
Rushikesh Vartak

Yes,

The admin sav role user is able to see those requests which have multiple endpoints, but these requests are not visible to the sav role user for which that HQL is configured.

So, suppose we configured the HQL 

select a from Endpoints a where a.customproperty6='RequestHistorySAP' 

for SAV Role "SAV_Test" 

And suppose these below are all the requests that ADMIN sav role user can see

 

| RequestId | Request Type | Requested For | Requested By | Request Submit Date | Due Date | Assignee | Endpoints | Request Origin | Status |
|---|---|---|---|---|---|---|---|---|---|
| 123456 | Grant Access | TestUser123 | Haardik Verma (username) | 01-Feb-2023 16:58:28 | 11-Feb-2023 16:58:28 | TestManager | SAP1, SAP2 | UI | Completed |
| 654321 | Grant Access | TestUser321 | Haardik Verma (username) | 31-Jan-2023 14:25:37 | 10-Feb-2023 14:25:37 | TestManager | SAP2, SAP3 | UI | Completed |
| 123654 | Grant Access | TestUser345 | Haardik Verma (username) | 31-Jan-2023 14:25:37 | 10-Feb-2023 14:25:37 | TestManager | SAP2 | UI | Completed |
| 123789 | Grant Access | TestUser543 | Haardik Verma (username) | 31-Jan-2023 14:25:37 | 10-Feb-2023 14:25:37 | TestManager | SAP3 | UI | Completed |

 

CASE 1: customproperty6=RequestHistorySAP  for the endpoints SAP2

Outcome: The "SAV_Test" Sav role user is only able to see the Request 123654

Expected: he should be able to see request 123456, 654321 and 123654

 

CASE 2: customproperty6=RequestHistorySAP  for the endpoints SAP2 and SAP3

Outcome: The "SAV_Test" Sav role user is only able to see the Request 123654 and 123789

Expected: he should be able to see all 4 requests

 

CASE 3: customproperty6=RequestHistorySAP  for the endpoints SAP1      

Outcome: The "SAV_Test" Sav role user is not able to see any Request.

Expected: he should be able to see Request 123456

 


Thanks & Regards,
Haardik Verma

I see this as a defect when a request is raised for multiple applications. Please raise a Freshdesk ticket.


Regards,
Rushikesh Vartak

Manu269
All-Star

@haardik_verma The issue was replicable even in a higher EIC version. I suggest reaching out to Saviynt and for resolution please post here.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos

Darshanjain
Saviynt Employee

@haardik_verma 

Let me just explain how it is working. When we have multiple endpoints, they are stored in the ARS table as comma-separated values.

But when we give the condition on the endpoint table as specific IDs, the backend query formed is as follows.

Endpoint condition:

select a from Endpoints a where a.id in (10,11)

SELECT COUNT(DISTINCT AR.REQUESTKEY) AS TOTAL
FROM ARS_REQUESTS AR, REQUEST_ACCESS RA, ACCESS_APPROVERS AA
WHERE AR.REQUESTKEY = RA.REQUESTKEY AND AA.REQUEST_ACCESS_KEY = RA.REQUEST_ACCESSKEY
AND AR.JBPMPROCESSINSTANCEID IS NOT NULL
AND ( ( AR.ENDPOINTASCSV = 'REST' or AR.ENDPOINTASCSV = 'okta' ) ) and aa.status in (-1,1,2,3,4,5,6)

Here the AR.endpointcsv value is stored in the request as REST,okta.
 
It will be taken as a bug and engineering team will work on it.
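The matching behaviour described in the reply above, reproduced as an added example (not Saviynt's code and not part of any post in this thread). It assumes a one-table SQLite stand-in for ARS_REQUESTS with constructed rows modelled on the four requests listed earlier, endpoint names stored comma-separated without spaces, plus one constructed row (999001, SAP20). It compares the equality predicate from the quoted query with a substring match and a delimiter-aware match.

```python
import sqlite3

# Constructed rows modelled on the thread's table; 999001 is an extra
# row added to expose substring over-matching (SAP20 contains "SAP2").
REQUESTS = [(123456, "SAP1,SAP2"), (654321, "SAP2,SAP3"),
            (123654, "SAP2"), (123789, "SAP3"), (999001, "SAP20")]

# One predicate per endpoint name; each takes a single bound parameter.
PREDICATES = {
    # Shape quoted in the thread: whole CSV column compared to one name.
    "equality": "endpointascsv = ?",
    # Tempting quick fix: substring search, which ignores name boundaries.
    "substring": "instr(endpointascsv, ?) > 0",
    # Delimiter-aware membership: wrap both sides in commas.
    "token": "instr(',' || endpointascsv || ',', ',' || ? || ',') > 0",
}


def visible_requests(mode, allowed):
    """Return request keys a role scoped to `allowed` endpoints can see."""
    if not allowed:  # no endpoints in scope: show nothing
        return []
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ars_requests "
                "(requestkey INTEGER PRIMARY KEY, endpointascsv TEXT)")
    con.executemany("INSERT INTO ars_requests VALUES (?, ?)", REQUESTS)
    # The WHERE clause is built only from the fixed strings above;
    # endpoint names are always passed as bound parameters.
    where = " OR ".join(PREDICATES[mode] for _ in allowed)
    rows = con.execute(
        f"SELECT requestkey FROM ars_requests WHERE {where} "
        "ORDER BY requestkey", list(allowed)).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for scope in (["SAP2"], ["SAP2", "SAP3"], ["SAP1"]):
        for mode in PREDICATES:
            print(scope, mode, visible_requests(mode, scope))
```

The equality predicate reproduces the outcomes reported in CASE 1 to CASE 3, and the delimiter-aware predicate returns the expected sets. The substring predicate also returns the SAP20 request to a role scoped to SAP2, so when validating a fix for a visibility filter like this, test both for missing multi-endpoint requests and for requests leaking across similarly named endpoints.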
 

Thanks for the valuable inputs @rushikeshvartak @Manu269 and @Darshanjain.

We did raise Saviynt ticket last week and they have taken this up with their engineering team.

I will update here as soon as it is fixed.


Thanks & Regards,
Haardik Verma