Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

How can I keep non-expired AppKey value in REST Connection JSON and consume it for import etc.

Adithya
New Contributor III
New Contributor III

Hi Saviynt Team,

We are trying to integrate Celonis application with Saviynt v23.8

Problem statement:

Application REST APIs doesn't support any authentication, but it has non-expired AppKey for authentication.
To get response from import API in Postman, we just need to keep import API URL in URL section and in headers Authorization : AppKey xyzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz. Please see Postman screen below.

Adithya_0-1697800178469.png

Q1> Do you suggest us to keep same non-expired AppKey value in Import account JSON although it is non encrypted?
Q2> or Is there any way we can keep this non-expired AppKey in Connection JSON and get the same AppKey every time when we perform import. If yes, kindly share the sample JSON.

Please help/suggest us ASAP. Sorry we are in tight timelines. Thanks.

22 REPLIES 22

rushikeshvartak
All-Star
All-Star

You can store confidential informational in connection json and refer in other json syntax as below

 

in connection json add below line

”apikey” :”yourkey”

In import or any json refer like below

${connection.apikey}

never keep confidential information unencrypted 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Hi Rushi,
 
Thank you. I have tried below in Connection JSON & import account JSON. Import is not working, we see 401 (Unauthorized) status code error. If I try with hard coding api key in Import account JSON, import is working. 
 
Connection JSON:
================
{
"authentications": 
{
"userAuth": 
{
"apikey": "xxxxxxxxxxxxxxx"
}
}
}
 
Import account JSON:
===================
 
 "httpHeaders": {
                        "Authorization": "AppKey ${connection.apikey}"
                    }
 
Could you please share the sample connection JSON for this case? Thanks. 

Connection JSON:
================
{
"authentications": 
{
"userAuth": 
{
"apikey": "AppKey  ZjE0ZDE3gyOTktMTQ4MTljMTEwMmZkOlZidkpPV2UVZTktKRC9lcnV2NVVzZ2V4eFRSMHhQQjBFYzFDSmxH"
}
}
}
 
Import account JSON:
===================
 
 "httpHeaders": {
                        "Authorization": "${connection.apikey}"
                    }

Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Hi @rushikeshvartak ,

I have tried above connection JSON which you have provided. Still import is not workig.

If I hard code the Import Account JSON as below. I see import is working.

"httpHeaders": {
"Authorization": "AppKey ZjE0ZDE3Y2YtZWYwYy00NmU1LTgyBFYz"
}

Kindly asisst me. Thanks.

marco
Saviynt Employee
Saviynt Employee

Hi @Adithya ,

You can try this in connectionjson

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"url": "",
"httpMethod": "POST",
"httpParams": {
},
"httpContentType": "application/json",
"expiryError": "",
"authError": [],
"retryFailureStatusCode": [400, 401],
"timeOutError": "",
"errorPath": "",
"maxRefreshTryCount": 5,
"tokenResponsePath": "",
"tokenType": "Bearer",
"accessToken": "AppKey xyzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
}
}
}
 
And this in importaccount json
 
"httpHeaders": {
"Authorization": "${access_token}"
}

Adithya
New Contributor III
New Contributor III

Hi Macro,

Thank you so much. I'm able to import accounts successfully now.

But, as per the requirement I need to map role present in the below response with entitlement_glossary in accountParams. below is the mapping which I'm using, but it is not working.

Adithya_1-1698209230843.png

"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2.0:Group.role~#~char"

Kindly assit me. Thanks.

Adithya
New Contributor III
New Contributor III

Hi Macro,

Two dots were causing the issue. We were able to fix this with dot operator.

"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2~dot#0:Group.role~#~char"

Adithya
New Contributor III
New Contributor III

Hi @marco @rushikeshvartak 

Need  your assistance on the below.

I'm using "processingType": "httpEntToAcct" in acctEntParams.

But in acctEntParams looks like i need to iterate members array to get id (attribute name: value) of the users who are part of the group for act-ent mapping.

"acctIdPath": "members[0].value" - If i keep members[0] then only first user of the group is getting correlated in Saviynt.

Please see API response which I'm using in acctEntParams  and ImportAccountEntJSON below. Thanks.

Adithya_0-1698244311884.png

ImportAccountEntJSON:
=====================

{
"globalSettings": {
"dateFormat": "yyyy-MM-dd'T'HH:mm:ss"
},
"accountParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"true"
],
"deleteLinks": true,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
},
"includeExistingInActiveAccounts": true,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox/user-provisioning/scim/v2/Users",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "accountID",
"colsToPropsMap": {
"name": "userName~#~char",
"accountID": "id~#~char",
"status": "active~#~bool",
"customproperty1": "displayName~#~char",
"customproperty11": "active~#~bool"
}
}
}
},
"entitlementParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"entTypes": {
"Group": {
"entTypeOrder": 0,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox/user-provisioning/scim/v2/Groups",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"displayname": "displayName~#~char",
"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2~dot#0:Group.role~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},
"acctEntParams": {
"connection": "userAuth",
"entTypes": {
"Group": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"url": "https://sandbox/user-provisioning/scim/v2/Groups/${id}",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "",
"entIdPath": "id",
"entKeyField": "entitlementID",
"acctIdPath": "members[0].value",
"acctKeyField": "accountID"
}
}
}
}
}
}

[Moderator Edit Note: Masked sensitive info]

marco
Saviynt Employee
Saviynt Employee

@Adithya ,

Based on API response, you may try this. It automatically iterates the list of members for you.

"listField": "members",
"entKeyField": "entitlementID",
"acctIdPath": "value",
"acctKeyField": "accountID"

Adithya
New Contributor III
New Contributor III

Hi @marco @rushikeshvartak 

The above config change helps. Now I see act-ent mapping is working as expected.

But I also need pagination as per requirement. Import is not bringing all the users and groups after pagination config was added.

Kindly assist me. Thanks.

Groups API response:
===================

Adithya_0-1698330460814.png

 

Users API response:
===================

Adithya_1-1698330603658.png

 

ImportAccountEntJSON
===================
{
"globalSettings": {
"dateFormat": "yyyy-MM-dd'T'HH:mm:ss"
},
"showLogs": true,
"accountParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"statusAndThresholdConfig": {
"statusColumn": "customproperty11",
"activeStatus": [
"true"
],
"deleteLinks": true,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
},
"includeExistingInActiveAccounts": true,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox.xyz.cloud/user-provisioning/scim/v2/Users?count=10&startIndex=1",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "accountID",
"colsToPropsMap": {
"name": "userName~#~char",
"accountID": "id~#~char",
"status": "active~#~bool",
"customproperty1": "displayName~#~char",
"customproperty11": "active~#~bool"
},
"pagination": {
"nextUrl": {
"nextUrlPath": "${response?.completeResponseMap?.itemsPerPage<11?null:'https://sandbox.xyz.cloud/user-provisioning/scim/v2/Users?count=10&startIndex='+Math.addExact(respon...)}"
}
}
}
}
},
"entitlementParams": {
"connection": "userAuth",
"processingType": "SequentialAndIterative",
"entTypes": {
"Group": {
"entTypeOrder": 0,
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "https://sandbox.xyz.cloud/user-provisioning/scim/v2/Groups?count=2&startIndex=1",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "Resources",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "displayName~#~char",
"displayname": "displayName~#~char",
"entitlement_glossary": "urn:celonis:params:scim:schemas:extension:2~dot#0:Group.role~#~char"
},
"disableDeletedEntitlements": true,
"pagination": {
"nextUrl": {
"nextUrlPath": "${response?.completeResponseMap?.itemsPerPage<3?null:'https://sandbox.xyz.cloud/user-provisioning/scim/v2/Groups?count=2&startIndex='+Math.addExact(respon...)}"
}
}
}
}
}
}
},
"acctEntParams": {
"connection": "userAuth",
"entTypes": {
"Group": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"processingType": "httpEntToAcct",
"http": {
"url": "https://sandbox.xyz.cloud/user-provisioning/scim/v2/Groups/${id}",
"httpMethod": "GET",
"httpParams": "{}",
"httpHeaders": {
"Authorization": "${access_token}"
}
},
"listField": "members",
"entKeyField": "entitlementID",
"acctIdPath": "value",
"acctKeyField": "accountID"
}
}
}
}
}
}

[This message has been edited by moderator to mask sensitive info]

marco
Saviynt Employee
Saviynt Employee

@Adithya ,

You can give this a try.

"pagination": {

          "nextUrl": {

            "nextUrlPath": "${response?.objectList?.size()>0?'https://sandbox.xyz.cloud/user-provisioning/scim/v2/Users?startIndex='+Math.addExact(response.completeResponseMap.itemsPerPage,response.completeResponseMap.startIndex)+'&count='+response.completeResponseMap.itemsPerPage:null}"

          }

        }

Adithya
New Contributor III
New Contributor III

Hi @marco 

Thank you so much. I see import is working as expected with pagination now.

But, once in a while import job fails saying that failed URL, but at the same time when we check in Postman, we can see that the import API is providing a response and also target application server is up and running. 

Note: If we just replace the same connection JSON and test the connection, after that import job works as expected. Why is this occuring? Should I enable any flag to fix this issue?

I'm attaching the connection JSON and Import Account JSON for your reference. Kindly assist us. Thanks.

Adithya_0-1698568840383.png

 

Can you share postman screenshot


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Hi @rushikeshvartak @marco 

Please refer the pdf attached. It has JSON screenshots.

Kindly assist us. Thanks.

marco
Saviynt Employee
Saviynt Employee

@Adithya 

You can put the following in ConfigJSON to print out debug log if you haven't done so. Use log viewer to look into why it fails.

{
"showLogs": true
}

Adithya
New Contributor III
New Contributor III

Hi @marco 

Currently we are using below in the config JSON.  

{
"connectionTimeoutConfig": {
"connectionTimeout": 60,
"readTimeout": 500,
"writeTimeout": 500,
"retryWait": 2,
"retryCount": 3
}
}

 

Adithya_0-1698667755487.png

 

Would it be possible to keep as below? Please confirm. Thanks.

{
"showLogs": true,
"connectionTimeoutConfig": {
"connectionTimeout": 60,
"readTimeout": 500,
"writeTimeout": 500,
"retryWait": 2,
"retryCount": 3
}
}

marco
Saviynt Employee
Saviynt Employee

Yes that’s correct

Adithya
New Contributor III
New Contributor III

Hi @marco @rushikeshvartak 

Thank you so much for your support.

Adithya
New Contributor III
New Contributor III

Hi @marco 

We are facing intermittent import issue. We get 401 unauthorized error after running import. It happens mostly once in a day.

Adithya_0-1698937385366.png

Note:

1. When we check in Postman and Swagger with same AppKey at the same time, we see the response and the data. There is no access issue with the token, we have verified with app team as well and import is completly working fine all over the day except only one time.

When we replace same connection JSON and test the connection, after that import will start working.

I don't see any issue with the import json config as import works fine through out the day except only one time.

Please guide us what needs to be do in this case? Attaching the connection JSON, Improt account ent JSON and Config JSON for your Analysis.

Appreciate your response at the earliest. Thanks

marco
Saviynt Employee
Saviynt Employee

@Adithya 

I guess the accessToken in connection json is replaced internally. Try this method to see if it works.

In ConnectionJSON, add a new parameter to store your appkey. You can name it anything.

"myappkey": "AppKey xxxxxxxxxxxxxxxxxxxxxxxxxx"

In ImportaccountJSON, replace Authorization with this.

httpHeaders": {
"Authorization": "${connection.myappkey}",
"Content-Type": "application/json"
}

Adithya
New Contributor III
New Contributor III

Hi @marco 

Thank you so much for quick revert.

As you suggested, I did the changes in connection JSON and Import account ent JSON. It seems that import is working as expected.

But, how do I make sure that this intermittent issue of import will not happen in Production?

Please guide us. Appreciate your response at the earliest. Thanks

Adithya
New Contributor III
New Contributor III

Hi @marco 

We are facing one issue. As per the requirement we need to keep Create Task Action as Entitlements Only. If we keep Create Task Action as Entitlements only at security system level as below. 

Adithya_0-1698989378747.png

We see that only Add Access gets created as expected. But, when we process add access tasks, we see that new account is getting created in target application but in Saviynt account is NOT showing up.

We have tried to process the add access tasks again but internally Saviynt is triggering create account json as account is NOT showing up in Saviynt. Since the account is already present in the taraget application, create Account API throwing error saying that "User already present".

Problem: It is impacting new account creation.

Kindly guide us. Appreciate your response at the earliest. Thanks

Note: Below sucess response codes from create account API.

"successResponses": {
"statusCode": [
201
]
}