Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Requested Query for Role Type

Go to solution
Bharadwaj
Regular Contributor
Regular Contributor

‎06/18/2024 09:40 AM

Hi,

We have a requirement that the enterprise roles must be filtered based on the Dynamic Attribute selection. For eg. if the user selects costUnitId as "1234", the respective roles need to be filtered for Selection. (CostUnitId will be stored in roles.customproperty1 as single or multi-valued).

I have created a DynamicAttribute and "RequestType" was selected as "Account". I have also selected the "RequestType" as "Role" , but nothing works.

 

Bharadwaj_3-1718728582193.png

 

I have enabled Endpoint at the Roles level (IdentityRepository--> Roles--> Endpoint) for these enterprise roles. So when I select the application, in Step 2, I should see the list of Roles, according to the Dynamic Attribute selection.

Currently, this is not working as expected (Mentioned the respective cases below):
1. By Using Dynamic Attribute (Not working)

Bharadwaj_0-1718728353340.png

2. By Using direct value (Working - but there is no relation between selected DynamicAttribute and the visible Roles)

Bharadwaj_1-1718728424245.png

Does the config of "Requested Query for Role Type" not work if we put "Dynamic Attribute" variable inside the query?

P.S: There is a note on the Release notes V24.3 that Dynamic Attribute selection for Roles has been discontinued. But not sure if that is causing the issue.

Could you please help me clear the above query and also let me know the alternative approach for this?

 

Thanks!

0 Kudos
10 REPLIES 10

Go to solution
NM
Honored Contributor II
Honored Contributor II

‎06/18/2024 10:10 AM

Hi @Bharadwaj i will suggest instead of enterprise role create application role as you are tagging those to an endpoint.

0 Kudos

Go to solution
adriencosson
Valued Contributor
Valued Contributor

‎06/18/2024 10:11 AM

Hi @Bharadwaj ,

It shouldn't be related to 24.3 version since we are running the same in 24.4 and Role filtering on Endpoint works fine.

Is your dynamic attribute technical name is spelled accordingly as "CostUnitID" ?

A way to troubleshoot was is computed is by looking into the logs where you will be able to find how is the query looking whenever you change the value of your dynamic attribute value.

Regards,
Adrien COSSON
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star

‎06/18/2024 10:47 AM

Validate DA name used in role type config

DA : 

rushikeshvartak_0-1718732841749.png

rushikeshvartak_1-1718732857482.png

 

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Amit_Malik
Valued Contributor II
Valued Contributor II

‎06/18/2024 12:33 PM - edited ‎06/18/2024 12:34 PM

Hi @Bharadwaj , is there a need to use Enterprise roles in your use case , as you are letting user select application to request access, not the enterprise role wizard. There have been few changes done for enterprise roles in 24.3 but not for application roles.

If you try this with application roles and it works , then your scope of troubleshooting is enterprise roles only and confirms nothing wrong with the filter. (which looks right to me)

Dynamic Attribute

(Role Request > Enterprise Role)

This option is not used and is not applicable.

None. This configuration is not required.

EIC Administration Guide:

Configuring Role Requests

Dynamic Attribute

(Role Request > Emergency Access Role)

This option is not used and is not applicable.

None. This configuration is not required.

EIC Administration Guide:

Configuring Role Requests

Dynamic Attribute

Use this setting to allow addition of dynamic attributes associated with enterprise roles at the time of requesting an enterprise role. The dynamic attributes are added on the request form while requesting for enterprise roles. For more information, see Viewing or Updating Endpoints.

Note

To display dynamic attributes on the request form while requesting for enterprise roles, ensure the following:

  • Enterprise roles are tagged to an endpoint.

  • Set the Request Type as Role while creating a dynamic attribute.

  • Show Dynamic Attribute configuration at Role Level is enabled.

For more information, see Dynamic Attributes.

 

Note

Starting with Release v24.3, this configuration is no longer available.

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star

‎06/18/2024 03:51 PM

You can’t add filters on enterprise role request its not supported 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Bharadwaj
Regular Contributor
Regular Contributor

‎06/19/2024 02:31 AM - edited ‎06/19/2024 02:33 AM

Thank everyone for your prompt responses. However, I am unable to see it working, though, I have the same configs on my end.

@adriencosson Could you please share the configuration done on your side just to compare ? On the logs, I do not see the value being populated. As you can see in the logs below, there is no value being populated against r.customproperty1.

2024-06-19T10:50:01+02:00-ecm-services.WorkflownewuiService-http-nio-8080-exec-55-45qsx-DEBUG-listQry:select r from Roles r where (r.status=1 or r.id in (select rh.rolekey from Roles_History rh where rh.versionstatus=1)) and r.requestable=true and r.roletype=4 and r.endpointkey=16 and r.id not in(0) and r.id not in(-1) and (r.customproperty1='') order by r.role_name asc

@rushikeshvartak Thanks for sharing the configuration done. My configuration looks the same, but I am unable to see it working. 

Configuration done:

1. Roletype have been updated to "Application Role". "Show Dynamic Attributes" at Role Level is turned off.

2.Dynamic attribute configs:

Bharadwaj_0-1718788757749.png

Bharadwaj_1-1718788793075.png

3. Role Type configurations:

Bharadwaj_2-1718789075642.png

I have also done the configuration at the entitlement type level just to check if I am able to see the association working on the ARS form. But even on the entitlement level, it did not work.

Entitlement type Config:

Bharadwaj_4-1718789425902.png

 

ARS form:

Bharadwaj_3-1718789259926.png

Appreciate if you could identify the issue.

Thanks!

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Bharadwaj

‎06/19/2024 06:56 AM

On form select “select” on costid and again select actual value and try


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
NM
Honored Contributor II
Honored Contributor II

‎06/19/2024 02:43 AM

@Bharadwaj is the entitlement or  customproperty1 populated with dynamic attribute value?

0 Kudos

Go to solution
Bharadwaj
Regular Contributor
Regular Contributor
In response to NM

‎06/26/2024 04:45 AM

Yes, the roles have been updated with the respective values - which we are using in the dynamic attributes.

Note: We are using Neo Experience - not sure if that is causing the issue.


0 Kudos

Go to solution
NM
Honored Contributor II
Honored Contributor II

‎06/26/2024 04:53 AM

Hi @Bharadwaj , add "Mapping" in field in "What action to perform when Parent attribute changes"

0 Kudos
Copyright © 2024 Khoros, LLC