
Fetching Task Information via Dynamic Attributes

varunpuri
Regular Contributor

Requirement:

E.g.: A user within Saviynt has an account on an endpoint and that account already has 2 entitlements of a specific entitlement type.

User requests one more entitlement of the same entitlement type using ARS. After the approvals are done, Add Access task is created in Saviynt.

Now, in the AddAccessJSON, we need to fetch those 2 entitlements which the user already has, separate them with a comma delimiter, then fetch the entitlement which the user requested for the same entitlement type using ARS, append that entitlement as well to the comma delimited string created above and then send the complete string ahead to the target system.

From within AddAccessJSON, we understand that a dynamic attribute can be called which can refer to a requestee object, but from within that dynamic attribute, is it also possible to refer to the task details so that we can get the exact name of the account for which the Add Access task has been triggered?
So, the flow which we are looking forward to is:

AddAccessJSON -> refers Dynamic Attribute -> fetches the exact account name from the task so that using that account name we can fetch the entitlements already associated with that account.

Is this possible?

Best Regards,
Varun


SB
Saviynt Employee

Is there an API call that can give the information of the existing entitlements that the user has? If there is an API, you can construct a multi call JSON.

In your 1st call, the existing entitlements can be fetched.

In the 2nd call, you can create a groovy function to store the response of call1, collect existing entitlements and add the currently selected/approved entitlement using add function.

You can refer to this forum post for an example of Remove Access and in your case you can use add function instead of replace. A sample of which is below.

\"Roles\":[${List roleNameList = response.Roles2.message.User.Roles.collect{it.toString()}; roleNameList.add(entitlementValue.entitlement_value.toString());String rolesStr = roleNameList.toString().replace('[','').replace(']','').replace('\"','');return rolesStr;}]

Regards,
Sahil

varunpuri
Regular Contributor

Hello @SB,

I have attempted to configure AddAccessJSON as per your suggestion. Please find the JSON below:

{
    "call": [
        {
            "name": "app3_b2croles",
            "connection": "userAuthForSaviynt",
            "url": "https://DOMAIN/ECM/api/v5/getEntitlements",
            "httpMethod": "POST",
            "httpParams": "{\"username\":\"${user.username}\",\"endpoint\":\"AzureADB2C_APP3\",\"entitlementtype\":\"app3_b2croles\",\"accountname\":\"${arstasksObj?.accountName}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201
                ]
            },
            "unsuccessResponses": {
                "error": "RecordInvalid"
            }
        },
        {
            "name": "app3_b2croles",
            "connection": "userAuthForB2C",
            "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}",
            "httpMethod": "PATCH",
            "httpParams": "{\"extension_22afe096dd2048f0bfe0ba42ffb5c947_App3access\": \"${for (Map map : response.app3_b2croles1.message.Entitlementdetails){rolesStr = rolesStr + map.entitlement_value;}return return new com.fasterxml.jackson.databind.ObjectMapper().writeValueAsString(rolesStr);}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204
                ]
            },
            "unsuccessResponses": {
                "error": "RecordInvalid"
            }
        }
    ]
}

I can see in the logs that the first call, which is userAuthForSaviynt, is working fine. It is fetching the entitlements which this user has.
The 2nd call also works fine, but the problem is that the Java code written is not getting executed. I have tried a few things:

1. "httpParams": "{\"extension_22afe096dd2048f0bfe0ba42ffb5c947_App3access\": \"${for (Map map : response.app3_b2croles1.message.Entitlementdetails){rolesStr = rolesStr + map.entitlement_value;}return return new com.fasterxml.jackson.databind.ObjectMapper().writeValueAsString(rolesStr);}\"}"
Outcome: The complete Java snippet gets passed as String and goes to the user profile in B2C, snapshot below:

[Screenshot: varunpuri_0-1700371699305.png]

2. "httpParams": "{\"extension_22afe096dd2048f0bfe0ba42ffb5c947_App3access\": ${for (Map map : response.app3_b2croles1.message.Entitlementdetails){rolesStr = rolesStr + map.entitlement_value;}return return new com.fasterxml.jackson.databind.ObjectMapper().writeValueAsString(rolesStr);}}"
Outcome: I get the following error in logs:

"Unrecognized token '$': was expecting ('true', 'false' or 'null')

Any suggestions please?

Please note that following is the format in which data is returned by Saviynt in the first API call, i.e., the call to /ECM/api/v5/getEntitlements. Subsequently, in the 2nd call, I am trying to read this data in the httpParams.


{
    "msg": "Successful",
    "Entitlementdetails": [
        {
            "entitlementTypeName": "anz_app3_b2croles",
            "entitlementType": "anz_app3_b2croles",
            "endpoint": "AzureADB2C_ANZ_APP3",
            "displayname": "SomeRole4",
            "entitlement_value": "SomeRole4",
            "accounts": [
                {
                    "enddate": "",
                    "accountname": "ANZB2CUser1",
                    "updatedate": "2023-11-18 16:21:11",
                    "startdate": "2023-11-18 16:21:11"
                }
            ]
        },
        {
            "entitlementTypeName": "anz_app3_b2croles",
            "entitlementType": "anz_app3_b2croles",
            "endpoint": "AzureADB2C_ANZ_APP3",
            "displayname": "SomeRole3",
            "entitlement_value": "SomeRole3",
            "accounts": [
                {
                    "enddate": "",
                    "accountname": "ANZB2CUser1",
                    "updatedate": "2023-11-18 16:21:11",
                    "startdate": "2023-11-18 16:21:11"
                }
            ]
        }
    ],
    "totalEntitlementCount": 3,
    "entitlementsCount": 3,
    "errorCode": "0"
}

Best Regards,
Varun

SB
Saviynt Employee

You will need to use Groovy for writing the function. A sample for that is added in my previous comment and also in the forum link shared.


Regards,
Sahil

varunpuri
Regular Contributor

Hello @SB,

The forum post which you've shared is using groovy to fetch the role names from a JSON construct which has a format different from the JSON construct from which I have to fetch the entitlement values. I have pasted the JSON construct which I get as a result after the first call is made to fetchEntitlements API in the AddAccessJSON.

It returns a List by the name Entitlementdetails and within that list are individual maps. So, I am trying to iterate over the list and fetch the entitlement values from within each map.

I have referred to the Developer Handbook documentation too. In there, they have mentioned a groovy script to iterate over a List of Maps. I am trying to do likewise but getting an error.

Would appreciate any help here.

Best Regards,
Varun

SB
Saviynt Employee

Since this is a groovy function, you can use an online Groovy validator to validate your function and then use the same in Saviynt.


Regards,
Sahil
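
Added example (not part of any post in this thread and not Saviynt's own code): a standalone Groovy script of the kind that can be run in a Groovy validator, as suggested above, to check the list-of-maps logic against the response shape posted in the thread before it goes into AddAccessJSON. The helper name `buildRoleString`, the third sample entry, the `OtherAccount` name and the requested value `SomeRole5` are constructed for illustration; how the connector binds the first call's response inside `${...}` is not modelled here.

```groovy
import groovy.json.JsonSlurper
import groovy.json.JsonOutput

// Constructed sample, shaped like the getEntitlements response posted above.
// The third entry belongs to a different (hypothetical) account on purpose.
def call1Body = '''
{
  "msg": "Successful",
  "Entitlementdetails": [
    {"entitlement_value": "SomeRole4", "accounts": [{"accountname": "ANZB2CUser1"}]},
    {"entitlement_value": "SomeRole3", "accounts": [{"accountname": "ANZB2CUser1"}]},
    {"entitlement_value": "SomeRole9", "accounts": [{"accountname": "OtherAccount"}]}
  ],
  "errorCode": "0"
}
'''

// Hypothetical helper: existing entitlements of one account plus the requested one.
String buildRoleString(Map message, String accountName, String requested) {
    // The PATCH overwrites the whole attribute, so do not build a value
    // from a lookup that reported an error.
    if (message?.errorCode != '0') {
        throw new IllegalStateException("entitlement lookup failed: ${message?.msg}")
    }
    List<String> roles = (message.Entitlementdetails ?: [])
        // keep only entitlements held by the account the task is for
        .findAll { e -> e.accounts?.any { it.accountname == accountName } }
        .collect { it.entitlement_value.toString() }
    if (requested) {
        roles << requested
    }
    // drop duplicates (e.g. a re-requested role) and join with the delimiter
    return roles.unique().join(',')
}

def message = new JsonSlurper().parseText(call1Body)
def rolesStr = buildRoleString(message, 'ANZB2CUser1', 'SomeRole5')
assert rolesStr == 'SomeRole4,SomeRole3,SomeRole5'

// JsonOutput handles the quoting, so the value lands in the body as a JSON string.
println JsonOutput.toJson(
    [extension_22afe096dd2048f0bfe0ba42ffb5c947_App3access: rolesStr])
```

Filtering on `accounts[].accountname` keeps an entitlement attached to another account of the same user from being written to the target attribute.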