Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

GitHub - Account and Access Mapping issue - Import issue

Seshadri
New Contributor III
New Contributor III

Accounts and Access (only orgs) are imported from GitHub application, however, access i.e., Organizations are not mapped to GitHub Accounts. Also, teams are not imported into EIC.

 

 

I am attaching the Import accountentjson and API response for Team for your reference

API Response for Teams,

{
"name": "ips-test-team",
"id": 1,
"node_id": "MDQ6VGVhbTE=",
"slug": "ips-test-team",
"description": "",
"privacy": "closed",
"url": https://<Domain_name>/api/v3/organizations/17/team/1,
"html_url": https://<Domain_name>/orgs/VL-Test/teams/ips-test-team,
"members_url": https://<Domain_name>/api/v3/organizations/17/team/1/members{/member},
"repositories_url": https://<Domain_name>/api/v3/organizations/17/team/1/repos,
"permission": "pull",
"parent": null
}

[This message has been edited by moderator to merge reply comment]

30 REPLIES 30

SB
Saviynt Employee
Saviynt Employee

Can you update ConfigJSON param in the REST connection with value {"showLogs":true}. 

Since there are multiple issues we can try to isolate and fix them one by one. Can you start with the teams entitlement not getting imported. Remove the other entitlement types and only keep the Teams call. Run the import job and check the logs for below 2 strings. This should tell us if we are getting the desired response in Saviynt.

Calling Webservice Url - this will display the Call url with the body being sent from Saviynt.

Got Webservice API Response - this will display the response we get from target.


Regards,
Sahil

Seshadri
New Contributor III
New Contributor III

@SB - ConfigJSON  with  value {"showLogs":true} already in place.

I have removed remaining ent types(Orgs ,Repository) except team from supportedEntitlementTypes and ran access import.Still , the Issue remain the same.

Attaching logs and importaccountent json for your reference.

SB
Saviynt Employee
Saviynt Employee

@Seshadri You need to clean up your JSON and remove all other entitlements from under entitlementParams and acctEntParams as well. Run the import and then check if you are getting the required response in the logs.

If you are getting the required response in the logs and teams is still not getting imported as entitlement, check for the listfield value and colsToPropsMap to ensure it is mapped correctly.


Regards,
Sahil

Seshadri
New Contributor III
New Contributor III

@SB - I have removed other entitlement types except Team , and ran the access import. Now the entitlement is imported into EIC. May i know the reason behind?

Can you please help me on complete Importaccountent Json , that should work for all Ent types.

Seshadri
New Contributor III
New Contributor III

@SB - see if you can help on complete importaccountent json?

SB
Saviynt Employee
Saviynt Employee

You can refer to below guide for the JSON templates.

https://docs.saviyntcloud.com/bundle/GitHubRest-v23x/page/Content/Creating-an-Integration.htm


Regards,
Sahil

Seshadri
New Contributor III
New Contributor III

@SB - Issue has been resolved. Thanks for all your help.

AS5278
Regular Contributor II
Regular Contributor II

@Seshadri can you please share the final ImportAccntEntJson?. We are facing the same issue.

The Account-Ent mapping is not happening

Thanks.

xurde

Seshadri
New Contributor III
New Contributor III

@AS5278  - Just follow the below document.

Creating an Integration (saviyntcloud.com)

AS5278
Regular Contributor II
Regular Contributor II

Hi,

I have followed the same document. It is not getting mapped.

There is a url under 'accntEntMapping' for Repositories:

"url": "${id}/collaborators",
 
Here, there is nothing present before '${id}. Is this the right way?. Or the complete url like: https://<base url>/${id}/collaborators, is the format?. 
 
Thanks
xurde

https://<base url>/${id}/collaborators


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

AS5278
Regular Contributor II
Regular Contributor II

@rushikeshvartak @Seshadri 

I am unable to find an API for the repo collaborators and repo teams. I found one in the GitHub REST API documentation. But I am not sure how to use it as there are some things required in this API.

Like 'owner'. This is the url: https://api.github.com/repos/{owner}/{repo}/collaborators

But in this API, {owner} will be fixed to the organization name but {repo} takes the 'repo name' like:  'emc-rhodes-media'  and not id: '613830'.

But according to Saviynt doc, if we use ${id} it most probably won't work as the above API doesn't take the repo id but the repo name. And when we are importing the repositories as entitlements we are storing the repo 'id' in entitlementId.

AS5278_0-1692948543262.png

Same goes for the second call used in the accntEntMapping>Repo: 

Saviynt doc simply mentions:  "url": "${id}/teams",

It seems the saviynt documentation is referring to old APIs. The github APIs are updated and now for getting the repo collaborators and repo teams we need to pass the repo name and not the repo ID.

So, is there a binding variable in Saviynt to pass any other field of the entitlement other than 'id', when calling the API in accntEntParams?.

Can you please share the url's you have used in accntEntParams  Repository Ent typ ?. If you used the old APIs and it is still working I will use the same API. Because I am not able to find the old APIs in github docs.

Thanks,

Atul Singh

xurde

Seshadri
New Contributor III
New Contributor III

@AS5278 - https://domain_name/api/v3/orgs/orgid/outside_collaborators

Please pass the orgid and then it will return the resposne.

AS5278
Regular Contributor II
Regular Contributor II

@Seshadri 

The API you mentioned is for getting the organization collaborators(under accntEntMapping > Organization). This API is working fine for me as well.

I am looking for an API to get the Repo collaborators and teams. (under accntEntMapping > Repositories)

Thanks.

xurde

Seshadri
New Contributor III
New Contributor III

@SB - We seen one more behavior regarding Access Import -

If you run Access import for GitHub Application - we can see mapping b/w accounts and entitlements and if you just refresh, mapping is suddenly getting removed like below.

VL-Test - Organization:

CSeshadri_0-1693204591471.png

CSeshadri_1-1693204633134.png

CSeshadri_4-1693206574343.png

CSeshadri_3-1693204733100.png

Attaching ImportAccountEnt Json for you reference.Please check and confirm.

 

 

[Post edited by moderator to mask usernames from images]

 

AS5278
Regular Contributor II
Regular Contributor II

@Seshadri 

Can you please confirm if the repositories are getting mapped to accounts in your case. Or, just the organization and teams is getting mapped?.

@rushikeshvartak 

Please provide us with the API being used for the repo collaborators and repo teams(under accntEntMapping > Repostories). In my case the Organisation and Team is mapping to the accounts but the repositories are not getting mapped.

Thanks.

xurde

Seshadri
New Contributor III
New Contributor III

@AS5278 -Same here 

Seshadri
New Contributor III
New Contributor III

@SB - I am Attaching the debug logs for your reference and I don't see any issue with access import. Can you please check and let me know.

SB
Saviynt Employee
Saviynt Employee

If the mapping is not happening (Account to Entitlement), it may be an issue with the processing type you have defined or the field value path. You can refer to the below Connector guide for different processing types and the one you can use for your JSON.

https://docs.saviyntcloud.com/bundle/REST-v2022x/page/Content/Developers-Handbook.htm


Regards,
Sahil

AS5278
Regular Contributor II
Regular Contributor II

@SB @rushikeshvartak 

The mapping is happening now. But, we also need to import the repo admins as owners. This is not happening. Can you please have a look at the 'accntEntParams' > 'Repository' > call2 ?.

In our case the repo admins are coming in call2 of accntEntParams. I tried importing owners in a similar to how it is suggested for 'Team' entitlement type in the Saviynt sample json. For 'Repository' entitlement type the sample json didn't have anything.

For 'Team' the owners are getting imported but for 'Repository' it is not happening. 

I have raised a separate ticket as well for this issue: https://forums.saviynt.com/t5/identity-governance/github-repository-admin-mapping-as-entitlement-rep...

I also tried the recommended way in Saviynt docs REST Connector guide:

"Repository": {
"call": {
// call1 here...
"call2": {
"callOrder"1,
"stageNumber"14,
"inputParams": {
"entitlementname""Organization",
"statusFilter""(ev.status = 6 or ev.status = 1)"
},
"http": {
"httpHeaders": {
"Authorization""${access_token}"
},
"url""${id}/collaborators?permission=admin&per_page=100&page=1",
"httpContentType""application/x-www-form-urlencoded",
"httpMethod""GET"
},
"listField""",
"acctKeyField""accountID",
"entKeyField""customproperty1",
"acctIdPath""id",
"ownerIdPath": "id",
"ownerKeyField": "accountID",
"pagination": {
"nextUrl": {
"nextUrlPath""${headers?.Link==null?'':headers?.Link?.contains('next')?headers?.Link?.split(',')?.size()==2?headers?.Link?.split(',')[0]?.replace('<', '')?.replace('>; rel=\"next\"','')?.trim():headers?.Link?.split(',')[1].replace('<', '').replace('>; rel=\"next\"','').trim():''}"
}
}
}

Even this is not working. Am i missing something here?.

Thanks.

xurde

AS5278
Regular Contributor II
Regular Contributor II

@Seshadri In my case the mapping is happening now. The Organization, Teams, Repositories all three are getting mapped. Attaching the ImportAccntEntJSON for reference. 

But, the import of repo admins as entitlement(repo) owners is not happening.

 

xurde

Seshadri
New Contributor III
New Contributor III

@AS52785278 - Thanks for the Json. I have replaced URLS and ran the access import. Still issue remains same.

 

@SB - Have tried with different processing types also but no use.Looks like its issue with product.Please suggest.

SB
Saviynt Employee
Saviynt Employee

@Seshadri is your issue with the Repositories not getting imported? If so, can you refine your JSON to only import Repositories and then check the logs. Also, share the logs and the JSON you used if it still does not work.


Regards,
Sahil

Seshadri
New Contributor III
New Contributor III

@SB - In my case, we don't have any Repositories in order to import as an entitlement.

My issue is access is getting mapped to Accounts in EIC and removing immediately. FYI, please refer the below snaps. 

 

CSeshadri_0-1693460994825.png
CSeshadri_1-1693461006480.png

 

I have provided the logs as well in above replies.

SB
Saviynt Employee
Saviynt Employee

But the JSON you shared has Repository defined as entitlement type. If you are not using Repository, can you refine the JSON to only include the entitlements you need to import. Also, I would recommend breaking your JSON to import individual entitlements so we can know which one has the issue. And once the individual entitlement type has been fixed, we can club the JSON into one and use.


Regards,
Sahil

Seshadri
New Contributor III
New Contributor III

@SB - As per your suggestion, have removed Repository defined as entitlement type and ran the access import. Still same behavior.

And then, I have tried to import individual entitlement types, and the results are as follows,

  1. Only organization: The organization is getting mapped to the GitHub account and removed immediately.
  2. Only Team: The teams are getting assigned to GitHub Accounts. Seems like no issues with Teams.

Looks like the issue with organization defined as entitlement type. Please suggest.

Also have attached individual json. Can you please and let me know your findings.

Cc: @rushikeshvartak 

SB
Saviynt Employee
Saviynt Employee

If the mapping does happen but gets removed immediately, will need to check the logs for that. Would you also be able to share the job logs for Organization. In case sharing logs on forums is not possible, you could create an FD ticket with Support. 

 


Regards,
Sahil

Seshadri
New Contributor III
New Contributor III

@sahil - I have submitted Freshdesk ticket - 1683429 with required information.

@SB  - No response on ticket from last 25 days

https://saviyntsupport.saviynt.com/support/tickets/1683429


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Your CSM should be able to help get this expedited. Since this is a Community forum, it is handled by a different team.


Regards,
Sahil