Click HERE to see how Saviynt Intelligence is transforming the industry. |
10/20/2023 04:12 AM
Hi Saviynt Team,
We are trying to integrate Celonis application with Saviynt v23.8
Problem statement:
Application REST APIs doesn't support any authentication, but it has non-expired AppKey for authentication.
To get response from import API in Postman, we just need to keep import API URL in URL section and in headers Authorization : AppKey xyzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz. Please see Postman screen below.
Q1> Do you suggest us to keep same non-expired AppKey value in Import account JSON although it is non encrypted?
Q2> or Is there any way we can keep this non-expired AppKey in Connection JSON and get the same AppKey every time when we perform import. If yes, kindly share the sample JSON.
Please help/suggest us ASAP. Sorry we are in tight timelines. Thanks.
Solved! Go to Solution.
10/20/2023 04:15 AM
You can store confidential informational in connection json and refer in other json syntax as below
in connection json add below line
”apikey” :”yourkey”
In import or any json refer like below
${connection.apikey}
never keep confidential information unencrypted
10/20/2023 06:33 AM - last edited on 10/22/2023 10:06 PM by Sunil
10/22/2023 06:49 PM
10/22/2023 09:40 PM
Hi @rushikeshvartak ,
I have tried above connection JSON which you have provided. Still import is not workig.
If I hard code the Import Account JSON as below. I see import is working.
"httpHeaders": {
"Authorization": "AppKey ZjE0ZDE3Y2YtZWYwYy00NmU1LTgyBFYz"
}
Kindly asisst me. Thanks.
10/23/2023 12:12 AM
Hi @Adithya ,
You can try this in connectionjson
10/24/2023 09:49 PM
Hi Macro,
Thank you so much. I'm able to import accounts successfully now.
But, as per the requirement I need to map role present in the below response with entitlement_glossary in accountParams. below is the mapping which I'm using, but it is not working.
"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2.0:Group.role~#~char"
Kindly assit me. Thanks.
10/25/2023 01:16 AM
Hi Macro,
Two dots were causing the issue. We were able to fix this with dot operator.
"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2~dot#0:Group.role~#~char"
10/25/2023 07:34 AM - last edited on 10/25/2023 10:49 PM by Sunil
Need your assistance on the below.
I'm using "processingType": "httpEntToAcct" in acctEntParams.
But in acctEntParams looks like i need to iterate members array to get id (attribute name: value) of the users who are part of the group for act-ent mapping.
"acctIdPath": "members[0].value" - If i keep members[0] then only first user of the group is getting correlated in Saviynt.
Please see API response which I'm using in acctEntParams and ImportAccountEntJSON below. Thanks.
ImportAccountEntJSON:
=====================
{
"globalSettings": {
"dateFormat": "yyyy-MM-dd'T'HH:mm:ss"
},
"accountParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"true"
],
"deleteLinks": true,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
},
"includeExistingInActiveAccounts": true,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox/user-provisioning/scim/v2/Users",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "accountID",
"colsToPropsMap": {
"name": "userName~#~char",
"accountID": "id~#~char",
"status": "active~#~bool",
"customproperty1": "displayName~#~char",
"customproperty11": "active~#~bool"
}
}
}
},
"entitlementParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"entTypes": {
"Group": {
"entTypeOrder": 0,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox/user-provisioning/scim/v2/Groups",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"displayname": "displayName~#~char",
"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2~dot#0:Group.role~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},
"acctEntParams": {
"connection": "userAuth",
"entTypes": {
"Group": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"url": "https://sandbox/user-provisioning/scim/v2/Groups/${id}",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "",
"entIdPath": "id",
"entKeyField": "entitlementID",
"acctIdPath": "members[0].value",
"acctKeyField": "accountID"
}
}
}
}
}
}
[Moderator Edit Note: Masked sensitive info]
10/25/2023 07:53 PM
10/26/2023 07:32 AM - last edited on 10/30/2023 01:24 AM by Sunil
The above config change helps. Now I see act-ent mapping is working as expected.
But I also need pagination as per requirement. Import is not bringing all the users and groups after pagination config was added.
Kindly assist me. Thanks.
Groups API response:
===================
Users API response:
===================
ImportAccountEntJSON
===================
{
"globalSettings": {
"dateFormat": "yyyy-MM-dd'T'HH:mm:ss"
},
"showLogs": true,
"accountParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"true"
],
"deleteLinks": true,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
},
"includeExistingInActiveAccounts": true,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox.xyz.cloud/user-provisioning/scim/v2/Users?count=10&startIndex=1",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "accountID",
"colsToPropsMap": {
"name": "userName~#~char",
"accountID": "id~#~char",
"status": "active~#~bool",
"customproperty1": "displayName~#~char",
"customproperty11": "active~#~bool"
},
"pagination": {
"nextUrl": {
"nextUrlPath": "${response?.completeResponseMap?.itemsPerPage<11?null:'https://sandbox.xyz.cloud/user-provisioning/scim/v2/Users?count=10&startIndex='+Math.addExact(respon...)}"
}
}
}
}
},
"entitlementParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"entTypes": {
"Group": {
"entTypeOrder": 0,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox.xyz.cloud/user-provisioning/scim/v2/Groups?count=2&startIndex=1",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"displayname": "displayName~#~char",
"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2~dot#0:Group.role~#~char"
},
"disableDeletedEntitlements": true,
"pagination": {
"nextUrl": {
"nextUrlPath": "${response?.completeResponseMap?.itemsPerPage<3?null:'https://sandbox.xyz.cloud/user-provisioning/scim/v2/Groups?count=2&startIndex='+Math.addExact(respon...)}"
}
}
}
}
}
}
},
"acctEntParams": {
"connection": "userAuth",
"entTypes": {
"Group": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"url": "https://sandbox.xyz.cloud/user-provisioning/scim/v2/Groups/${id}",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "members",
"entKeyField": "entitlementID",
"acctIdPath": "value",
"acctKeyField": "accountID"
}
}
}
}
}
}
[This message has been edited by moderator to mask sensitive info]
10/26/2023 07:50 PM
@Adithya ,
You can give this a try.
"pagination": {
"nextUrl": {
"nextUrlPath": "${response?.objectList?.size()>0?'https://sandbox.xyz.cloud/user-provisioning/scim/v2/Users?startIndex='+Math.addExact(response.completeResponseMap.itemsPerPage,response.completeResponseMap.startIndex)+'&count='+response.completeResponseMap.itemsPerPage:null}"
}
}
10/29/2023 01:57 AM - last edited on 10/30/2023 01:26 AM by Sunil
Hi @marco
Thank you so much. I see import is working as expected with pagination now.
But, once in a while import job fails saying that failed URL, but at the same time when we check in Postman, we can see that the import API is providing a response and also target application server is up and running.
Note: If we just replace the same connection JSON and test the connection, after that import job works as expected. Why is this occuring? Should I enable any flag to fix this issue?
I'm attaching the connection JSON and Import Account JSON for your reference. Kindly assist us. Thanks.
10/29/2023 06:44 PM
Can you share postman screenshot
10/29/2023 10:46 PM - last edited on 10/30/2023 01:31 AM by Sunil
Please refer the pdf attached. It has JSON screenshots.
Kindly assist us. Thanks.
10/30/2023 02:48 AM
You can put the following in ConfigJSON to print out debug log if you haven't done so. Use log viewer to look into why it fails.
10/30/2023 05:17 AM
Hi @marco
Currently we are using below in the config JSON.
{
"connectionTimeoutConfig": {
"connectionTimeout": 60,
"readTimeout": 500,
"writeTimeout": 500,
"retryWait": 2,
"retryCount": 3
}
}
Would it be possible to keep as below? Please confirm. Thanks.
{
"showLogs": true,
"connectionTimeoutConfig": {
"connectionTimeout": 60,
"readTimeout": 500,
"writeTimeout": 500,
"retryWait": 2,
"retryCount": 3
}
}
10/30/2023 05:24 AM
Yes that’s correct
10/30/2023 08:09 PM
Thank you so much for your support.
11/02/2023 08:09 AM
Hi @marco
We are facing intermittent import issue. We get 401 unauthorized error after running import. It happens mostly once in a day.
Note:
1. When we check in Postman and Swagger with same AppKey at the same time, we see the response and the data. There is no access issue with the token, we have verified with app team as well and import is completly working fine all over the day except only one time.
When we replace same connection JSON and test the connection, after that import will start working.
I don't see any issue with the import json config as import works fine through out the day except only one time.
Please guide us what needs to be do in this case? Attaching the connection JSON, Improt account ent JSON and Config JSON for your Analysis.
Appreciate your response at the earliest. Thanks
11/02/2023 08:43 AM
I guess the accessToken in connection json is replaced internally. Try this method to see if it works.
In ConnectionJSON, add a new parameter to store your appkey. You can name it anything.
"myappkey": "AppKey xxxxxxxxxxxxxxxxxxxxxxxxxx"
In ImportaccountJSON, replace Authorization with this.
httpHeaders": {
"Authorization": "${connection.myappkey}",
"Content-Type": "application/json"
}
11/02/2023 10:32 AM
Hi @marco
Thank you so much for quick revert.
As you suggested, I did the changes in connection JSON and Import account ent JSON. It seems that import is working as expected.
But, how do I make sure that this intermittent issue of import will not happen in Production?
Please guide us. Appreciate your response at the earliest. Thanks
11/02/2023 10:37 PM - edited 11/02/2023 10:42 PM
Hi @marco
We are facing one issue. As per the requirement we need to keep Create Task Action as Entitlements Only. If we keep Create Task Action as Entitlements only at security system level as below.
We see that only Add Access gets created as expected. But, when we process add access tasks, we see that new account is getting created in target application but in Saviynt account is NOT showing up.
We have tried to process the add access tasks again but internally Saviynt is triggering create account json as account is NOT showing up in Saviynt. Since the account is already present in the taraget application, create Account API throwing error saying that "User already present".
Problem: It is impacting new account creation.
Kindly guide us. Appreciate your response at the earliest. Thanks
Note: Below sucess response codes from create account API.
"successResponses": {
"statusCode": [
201
]
}