Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Request Disappearing when Requestor is the Approver

vermilyacd1
Regular Contributor
Regular Contributor

We have a basic workflow that requires entitlement owner approval for access requests. When the requestor happens to be the entitlement owner, the approval is skipped (as expected). This works great for entitlements from AD. However, we're seeing odd behavior on entitlements for AzureAD. As long as the requestor is NOT the entitlement owner, everything works fine. But when the requestor is the entitlement owner, the request just disappears. We see the confirmation screen but the 'Next Approver' is blank, and the request never shows up in Request History. I can find the record in ars_requests but there is not much to see there. There is absolutely nothing in logs either.

Any thoughts??

This is v2020

9 REPLIES 9

Miguel
Saviynt Employee
Saviynt Employee

Hello!  Thank you for your question!   We are investigating an answer. Someone will get back to you soon.

 Miguel

Thanks, Miguel

rushikeshvartak
All-Star
All-Star

It seems workflow is going in never ending loop. can u share if else logic wiring snippet 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

vermilyacd1
Regular Contributor
Regular Contributor

sure thing, here is the full workflow. as the logs don't map the workflow progress, i'm not sure where it's getting stuck to give you a specific snippet.


<?xml version="1.0" encoding="UTF-8"?>
<process key="ADGroupManagementApproval"
name="ADGroupManagementApproval" xmlns="http://jbpm.org/4.4/jpdl">
<start name="Start">
<transition to="foreachAccessRequest"/>
</start>
<foreach in="#{RequestAccessKeys}" name="foreachAccessRequest" var="requestaccesskey">
<transition to="CheckAccountExists"/>
</foreach>

<decision name="CheckConfidentialityCritical">
<transition to="RejectAccessCritical">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 5) eq true }"/>
</transition>
<transition to="CheckConfidentialityHigh">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 5) ne true }"/>
</transition>
</decision>
<decision name="CheckConfidentialityHigh">
<transition to="CheckRequestTypeAdd">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == null) or (entitlementslist.get(requestaccesskey).confidentiality == 4) or (entitlementslist.get(requestaccesskey).confidentiality == 0)) eq true }"/>
</transition>
<transition to="CheckConfidentialityMedium">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == null) or (entitlementslist.get(requestaccesskey).confidentiality == 4) or (entitlementslist.get(requestaccesskey).confidentiality == 0)) ne true }"/>
</transition>
</decision>
<decision name="CheckConfidentialityMedium">
<transition to="CheckOwnerSize2">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 3) eq true }"/>
</transition>
<transition to="CheckConfidentialityLowVeryLow">
<condition expr="#{(entitlementslist.get(requestaccesskey).confidentiality == 3) ne true }"/>
</transition>
</decision>
<decision name="CheckConfidentialityLowVeryLow">
<transition to="GrantAccessLow">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == 2) or (entitlementslist.get(requestaccesskey).confidentiality == 1)) eq true }"/>
</transition>
<transition to="RejectAccessNoConfidentiality">
<condition expr="#{((entitlementslist.get(requestaccesskey).confidentiality == 2) or (entitlementslist.get(requestaccesskey).confidentiality == 1)) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessMedium">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Alert Notification___GrantAccessMedium"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccess">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected___RejectAccess"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessLow">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<task name="OwnerApproval">
<assignment-handler class="com.saviynt.workflowmgt.RoleOwnerAssignHandlerAllRankApprByOne">
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Esclated By OwnerApproval" to="OwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required"/>
</field>
<field name="nottemplate2">
<string value="Access Request - Request Submitted"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
<transition name="Approved By OwnerApproval" to="GrantAccessHigh"/>
<transition name="Rejected By OwnerApproval" to="RejectAccess"/>
</task>
<java class="com.saviynt.workflowmgt.grantaccess"
method="createAccess" name="GrantAccessHigh">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<task name="DefaultOwnerApproval">
<transition name="Esclated By DefaultOwnerApproval" to="DefaultOwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<assignment-handler class="com.saviynt.workflowmgt.ArsCustomAssignmentHandler">
<field name="fieldname">
<string value="UserGroup___Default AD Group Approvers___Any Owner Approval Required"/>
</field>
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Approved By DefaultOwnerApproval" to="GrantAccessHigh"/>
<transition name="Rejected By DefaultOwnerApproval" to="RejectAccess"/>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required - Default Owner"/>
</field>
<field name="nottemplate2">
<string value="Access Request - Request Submitted"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
</task>
<decision name="CheckOwnerSize">
<transition to="OwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) eq true }"/>
</transition>
<transition to="DefaultOwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessNoConfidentiality">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - No Confidentiality___RejectAccessNoConfidentiality"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<decision name="CheckAccountExists">
<transition to="RejectAccessNoAccount">
<condition expr="#{(requestcounts.NEW_ACC_REQUESTS_COUNT > 0) eq true }"/>
</transition>
<transition to="CheckConfidentialityCritical">
<condition expr="#{(requestcounts.NEW_ACC_REQUESTS_COUNT > 0) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessNoAccount">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - No Account___RejectAccessNoAccount"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<decision name="CheckOwnerSize2">
<transition to="GrantAccessMedium">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) eq true }"/>
</transition>
<transition to="DefaultOwnerApproval">
<condition expr="#{(entitlementslist.get(requestaccesskey).entowners.size() > 0) ne true }"/>
</transition>
</decision>
<decision name="CheckRequestTypeAdd">
<transition to="CheckOwnerSize">
<condition expr="#{(ars_requests.requesttype == 1) eq true }"/>
</transition>
<transition to="CheckRequestTypeRemove">
<condition expr="#{(ars_requests.requesttype == 1) ne true }"/>
</transition>
</decision>
<decision name="CheckRequestTypeRemove">
<transition to="GrantAccessHigh">
<condition expr="#{((ars_requests.requesttype == 2) and (requestedby.username == user.username)) eq true }"/>
</transition>
<transition to="CheckOwnerSize">
<condition expr="#{((ars_requests.requesttype == 2) and (requestedby.username == user.username)) ne true }"/>
</transition>
</decision>
<java class="com.saviynt.workflowmgt.rejectaccess"
method="denyAccess" name="RejectAccessCritical">
<arg>
<object expr="#{requestaccesskey}"/>
</arg>
<arg>
<object expr="Access Request - Rejected - Closed Group___RejectAccessCritical"/>
</arg>
<transition to="All Approvals Complete Check"/>
</java>
<task name="DefaultOwnerApprovalEscalation">
<transition name="Esclated By DefaultOwnerApprovalEscalation" to="DefaultOwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<assignment-handler class="com.saviynt.workflowmgt.ArsCustomAssignmentHandler">
<field name="fieldname">
<string value="UserGroup___Default AD Group Approvers___Any Owner Approval Required"/>
</field>
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Approved By DefaultOwnerApprovalEscalation" to="GrantAccessHigh"/>
<transition name="Rejected By DefaultOwnerApprovalEscalation" to="RejectAccess"/>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required - Default Owner"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
</task>
<task name="OwnerApprovalEscalation">
<assignment-handler class="com.saviynt.workflowmgt.RoleOwnerAssignHandlerAllRankApprByOne">
<field name="mitigatingControlRisk">
<string value="[]"/>
</field>
</assignment-handler>
<transition name="Esclated By OwnerApprovalEscalation" to="OwnerApprovalEscalation">
<timer duedate="2 days"/>
</transition>
<on event="start">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="Access Request - Action Required"/>
</field>
</event-listener>
</on>
<on event="end">
<event-listener class="com.saviynt.workflowmgt.JBPMTaskEventListner">
<field name="msg">
<string value="null"/>
</field>
</event-listener>
</on>
<transition name="Approved By OwnerApprovalEscalation" to="GrantAccessHigh"/>
<transition name="Rejected By OwnerApprovalEscalation" to="RejectAccess"/>
</task>
<join multiplicity="#{quorum}" name="All Approvals Complete Check">
<transition to="End Request"/>
</join>
<java class="com.saviynt.workflowmgt.endrequest"
method="arsendrequest" name="End Request">
<arg>
<object expr="#{reqid}"/>
</arg>
<transition to="endRequest"/>
</java>
<end name="endRequest"/>
</process>

Dave
Community Manager
Community Manager

Hi @vermilyacd1 

Could you please reply with the full logs to help us triage this issue?  

To attach a file, first click the reply button. And then notice the following below the text box: 
logs.JPG

 

vermilyacd1
Regular Contributor
Regular Contributor

sure thing. started the test at 2022-05-24/16:16:00. I am not allowed to upload .log, .txt. or .zip files i get errors like the below. What format do you support?

vermilyacd1_0-1653409266025.png

 

vermilyacd1
Regular Contributor
Regular Contributor

here are the logs starting at 2022-05-24/16:16:00

2022-05-24/16:16:01.974 [{}] [https-jsse-nio-443-exec-79] DEBUG rest.JwtService - Parsed an HMAC signed JWT
2022-05-24/16:16:01.976 [{}] [https-jsse-nio-443-exec-79] DEBUG rest.JwtService - Parsed an HMAC signed JWT
2022-05-24/16:16:01.978 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - isValidRedirectionRequestFromMS - msRedirectUrl:
2022-05-24/16:16:01.978 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - isValidRedirectionRequestFromMS - msSubdomain:
2022-05-24/16:16:01.979 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - enableV6Config: 1
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - isValidRedirectionRequestFromMS: true
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - accessTokenCookieFromMS is empty and isValidRedirectionRequestFromMS true.
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - msSubdomain before generating token = cdk-dev.saviyntcloud.com
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Generating an access token with default expiration: null
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - setting value for defaultExpiration:
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Inside setDefaultExpirationTime..
2022-05-24/16:16:01.980 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - User with vermilyac found.
2022-05-24/16:16:01.981 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - setDefaultExpirationTime - defaultExpiration for normal employee type: 1800
2022-05-24/16:16:01.981 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Serializing the principal received
2022-05-24/16:16:01.982 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Setting expiration to 1800
2022-05-24/16:16:01.983 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Generated claim set.
2022-05-24/16:16:01.983 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Generating access token...
2022-05-24/16:16:01.983 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Generating refresh token...
2022-05-24/16:16:01.983 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Setting expiration to 1800
2022-05-24/16:16:01.983 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Generated claim set.
2022-05-24/16:16:01.984 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - accessTokenCookie populated
2022-05-24/16:16:01.984 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - Refresh token will not be generated
2022-05-24/16:16:01.984 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - token_type Cookie populated
2022-05-24/16:16:01.984 [{}] [https-jsse-nio-443-exec-79] DEBUG security.RestTokenGeneratorService - userNameCookie populated
2022-05-24/16:16:02.102 [{}] [https-jsse-nio-443-exec-79] DEBUG ws.Restfulv5Controller - Default max limit is set to 50
2022-05-24/16:16:02.141 [{}] [https-jsse-nio-443-exec-79] DEBUG ws.Restfulv5Controller - EntValueList - [50496, 50497, 50498, 50499, 392326, 50500, 50501, 50439, 50505, 81544, 50508, 50515, 50516, 50517, 50518, 50519, 590161, 50458, 50459, 50524, 50526, 50529, 440610, 569446, 590267, 711920, 569462, 50495]
2022-05-24/16:16:02.141 [{}] [https-jsse-nio-443-exec-79] DEBUG ws.Restfulv5Controller - sapRolestoEvaluate - [50496, 50497, 50498, 50499, 392326, 50500, 50501, 50439, 50505, 81544, 50508, 50515, 50516, 50517, 50518, 50519, 590161, 50458, 50459, 50524, 50526, 50529, 440610, 569446, 590267, 711920, 569462, 50495]
2022-05-24/16:16:02.141 [{}] [https-jsse-nio-443-exec-79] DEBUG ws.Restfulv5Controller - Calling riskSODEvaluationByUser for - [50496, 50497, 50498, 50499, 392326, 50500, 50501, 50439, 50505, 81544, 50508, 50515, 50516, 50517, 50518, 50519, 590161, 50458, 50459, 50524, 50526, 50529, 440610, 569446, 590267, 711920, 569462, 50495], Risk - [com.saviynt.ecm.ruleset.Risks : 1]
2022-05-24/16:16:02.145 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Building FunctionObj Map
2022-05-24/16:16:02.146 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - FunctionObj Map built
2022-05-24/16:16:02.146 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Evaluating functions that should be evaluated
2022-05-24/16:16:02.146 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Excluded Entitlements identified
2022-05-24/16:16:02.146 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - depthForSODEval: 2
2022-05-24/16:16:02.147 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - ChildRole relationship built...Evaluating functions that will be required to evaluate for SAP
2022-05-24/16:16:02.147 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - SAP Function Qry executed...Evaluating functions that will be required to evaluate for NONSAP
2022-05-24/16:16:02.147 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - NONSAP Function Qry executed
2022-05-24/16:16:02.147 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Adding data for functions which contain * tcode
2022-05-24/16:16:02.147 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - SELECT DISTINCT FUNCTIONKEY FROM FUNCTION_OBJECTS, ENTITLEMENT_VALUES
WHERE FUNCTION_OBJECTS.ENTITITLEMENT_VALUEKEY=ENTITLEMENT_VALUES.ENTITLEMENT_VALUEKEY
AND ENTITLEMENT_VALUES.ENTITLEMENT_VALUE='*' AND FUNCTION_OBJECTS.STATUS=0

2022-05-24/16:16:02.148 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Total Functions that need to be evaluated - 0
2022-05-24/16:16:02.150 [{}] [https-jsse-nio-443-exec-79] DEBUG refresh.RefreshService - Expiring Mitigating Controls ..
2022-05-24/16:16:02.166 [{}] [https-jsse-nio-443-exec-79] DEBUG refresh.RefreshService - update mc_risk_account-- update MC_Risk_Account m set m.status = 0 where m.status = 1 and m.endDate < now()
2022-05-24/16:16:02.186 [{}] [https-jsse-nio-443-exec-79] DEBUG refresh.RefreshService - updated 0 records in mc_risk_account
2022-05-24/16:16:02.186 [{}] [https-jsse-nio-443-exec-79] DEBUG refresh.RefreshService - totalMitigatingControlsExpired :: 0
2022-05-24/16:16:02.204 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - totalMitigatingControlsExpired :: 0
2022-05-24/16:16:02.205 [{}] [https-jsse-nio-443-exec-79] INFO epic.RiskSODEvaluationService - Evaluating Risk # 1 - of 1 - RISK001
2022-05-24/16:16:02.205 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Maximum amount of Memory that the Java Virtual Machine can use: 11488.5 MB
2022-05-24/16:16:02.206 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Total Memory: 11488.5 MB
2022-05-24/16:16:02.206 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - Done for RISKRISK001
2022-05-24/16:16:02.206 [{}] [https-jsse-nio-443-exec-79] DEBUG epic.RiskSODEvaluationService - SodRisks that are no longer there - 0
2022-05-24/16:16:02.207 [{}] [https-jsse-nio-443-exec-79] DEBUG ws.Restfulv5Controller - SOD Eval returned 0
2022-05-24/16:16:04.843 [{}] [https-jsse-nio-443-exec-88] DEBUG auth.LoginController - Default Setup
2022-05-24/16:16:04.843 [{}] [https-jsse-nio-443-exec-88] DEBUG auth.LoginController - URL TO SAML LOGIN2=/ECM/login/index?login=true&idp=https://sts.windows.net/2916a955-0360-416d-ba9a-1608933b9065/ JSESSIONID =00CEE83922B1AF49026B7C5B9995D2BB
2022-05-24/16:16:20.908 [{}] [https-jsse-nio-443-exec-87] DEBUG controllers.LogsController - Entered downloadMultiLogs
2022-05-24/16:16:20.910 [{}] [https-jsse-nio-443-exec-87] DEBUG log.LoggerService - logFileAndPath: /opt/sharedappdrive/saviynt/logs/debugLog-100.64.114.49.log
2022-05-24/16:16:20.921 [{}] [https-jsse-nio-443-exec-87] DEBUG log.LoggerService - Files to Zip = [/opt/sharedappdrive/saviynt/logs/debugLog-100.64.114.49.log]
2022-05-24/16:16:20.922 [{}] [https-jsse-nio-443-exec-87] DEBUG export.ExcelExportService - Enter createZipFile

vermilyacd1
Regular Contributor
Regular Contributor

Through additional testing, I have confirmed the problem is in the TASK: Access Approval action. It is not working when the requestor is the approver, and only for one security system...

Any thoughts?

Nikitaj
Saviynt Employee
Saviynt Employee

Hi,

As this needs more triaging on the logs request you to please raise a freshdesk ticket for this.

Thanks

Nikita


Thanks
Nikita

vermilyacd1
Regular Contributor
Regular Contributor

This is due to the fact that when the approver is the requestor and the requestor is also the user being granted access, Saviynt will not allow the user to approve their own request (confusing enough?)

This is to preserve the audit trail, a user should not be able to request access to an entitlement they own and also be able to approve it. Best practice is to have more than one approver.