Click HERE to see how Saviynt Intelligence is transforming the industry. |
06/18/2024 09:40 AM
Hi,
We have a requirement that the enterprise roles must be filtered based on the Dynamic Attribute selection. For eg. if the user selects costUnitId as "1234", the respective roles need to be filtered for Selection. (CostUnitId will be stored in roles.customproperty1 as single or multi-valued).
I have created a DynamicAttribute and "RequestType" was selected as "Account". I have also selected the "RequestType" as "Role" , but nothing works.
I have enabled Endpoint at the Roles level (IdentityRepository--> Roles--> Endpoint) for these enterprise roles. So when I select the application, in Step 2, I should see the list of Roles, according to the Dynamic Attribute selection.
Currently, this is not working as expected (Mentioned the respective cases below):
1. By Using Dynamic Attribute (Not working)
2. By Using direct value (Working - but there is no relation between selected DynamicAttribute and the visible Roles)
Does the config of "Requested Query for Role Type" not work if we put "Dynamic Attribute" variable inside the query?
P.S: There is a note on the Release notes V24.3 that Dynamic Attribute selection for Roles has been discontinued. But not sure if that is causing the issue.
Could you please help me clear the above query and also let me know the alternative approach for this?
Thanks!
Solved! Go to Solution.
06/18/2024 10:10 AM
Hi @Bharadwaj i will suggest instead of enterprise role create application role as you are tagging those to an endpoint.
06/18/2024 10:11 AM
Hi @Bharadwaj ,
It shouldn't be related to 24.3 version since we are running the same in 24.4 and Role filtering on Endpoint works fine.
Is your dynamic attribute technical name is spelled accordingly as "CostUnitID" ?
A way to troubleshoot was is computed is by looking into the logs where you will be able to find how is the query looking whenever you change the value of your dynamic attribute value.
06/18/2024 10:47 AM
Validate DA name used in role type config
DA :
06/18/2024 12:33 PM - edited 06/18/2024 12:34 PM
Hi @Bharadwaj , is there a need to use Enterprise roles in your use case , as you are letting user select application to request access, not the enterprise role wizard. There have been few changes done for enterprise roles in 24.3 but not for application roles.
If you try this with application roles and it works , then your scope of troubleshooting is enterprise roles only and confirms nothing wrong with the filter. (which looks right to me)
Dynamic Attribute (Role Request > Enterprise Role) | This option is not used and is not applicable. | None. This configuration is not required. | EIC Administration Guide: |
Dynamic Attribute (Role Request > Emergency Access Role) | This option is not used and is not applicable. | None. This configuration is not required. | EIC Administration Guide: |
Dynamic Attribute | Use this setting to allow addition of dynamic attributes associated with enterprise roles at the time of requesting an enterprise role. The dynamic attributes are added on the request form while requesting for enterprise roles. For more information, see Viewing or Updating Endpoints. Note To display dynamic attributes on the request form while requesting for enterprise roles, ensure the following:
For more information, see Dynamic Attributes.
Note Starting with Release v24.3, this configuration is no longer available. |
06/18/2024 03:51 PM
You can’t add filters on enterprise role request its not supported
06/19/2024 02:31 AM - edited 06/19/2024 02:33 AM
Thank everyone for your prompt responses. However, I am unable to see it working, though, I have the same configs on my end.
@adriencosson Could you please share the configuration done on your side just to compare ? On the logs, I do not see the value being populated. As you can see in the logs below, there is no value being populated against r.customproperty1.
2024-06-19T10:50:01+02:00-ecm-services.WorkflownewuiService-http-nio-8080-exec-55-45qsx-DEBUG-listQry:select r from Roles r where (r.status=1 or r.id in (select rh.rolekey from Roles_History rh where rh.versionstatus=1)) and r.requestable=true and r.roletype=4 and r.endpointkey=16 and r.id not in(0) and r.id not in(-1) and (r.customproperty1='') order by r.role_name asc
@rushikeshvartak Thanks for sharing the configuration done. My configuration looks the same, but I am unable to see it working.
Configuration done:
1. Roletype have been updated to "Application Role". "Show Dynamic Attributes" at Role Level is turned off.
2.Dynamic attribute configs:
3. Role Type configurations:
I have also done the configuration at the entitlement type level just to check if I am able to see the association working on the ARS form. But even on the entitlement level, it did not work.
Entitlement type Config:
ARS form:
Appreciate if you could identify the issue.
Thanks!
06/19/2024 06:56 AM
On form select “select” on costid and again select actual value and try
06/19/2024 02:43 AM
@Bharadwaj is the entitlement or customproperty1 populated with dynamic attribute value?
06/26/2024 04:45 AM
Yes, the roles have been updated with the respective values - which we are using in the dynamic attributes.
Note: We are using Neo Experience - not sure if that is causing the issue.
06/26/2024 04:53 AM