Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Requested Query for Role Type

Bharadwaj
Regular Contributor
Regular Contributor

Hi,

We have a requirement that the enterprise roles must be filtered based on the Dynamic Attribute selection. For eg. if the user selects costUnitId as "1234", the respective roles need to be filtered for Selection. (CostUnitId will be stored in roles.customproperty1 as single or multi-valued).

I have created a DynamicAttribute and "RequestType" was selected as "Account". I have also selected the "RequestType" as "Role" , but nothing works.

 

Bharadwaj_3-1718728582193.png

 

I have enabled Endpoint at the Roles level (IdentityRepository--> Roles--> Endpoint) for these enterprise roles. So when I select the application, in Step 2, I should see the list of Roles, according to the Dynamic Attribute selection.

Currently, this is not working as expected (Mentioned the respective cases below):
1. By Using Dynamic Attribute (Not working)

Bharadwaj_0-1718728353340.png

2. By Using direct value (Working - but there is no relation between selected DynamicAttribute and the visible Roles)

Bharadwaj_1-1718728424245.png

Does the config of "Requested Query for Role Type" not work if we put "Dynamic Attribute" variable inside the query?

P.S: There is a note on the Release notes V24.3 that Dynamic Attribute selection for Roles has been discontinued. But not sure if that is causing the issue.

Could you please help me clear the above query and also let me know the alternative approach for this?

 

Thanks!

10 REPLIES 10

NM
Valued Contributor II
Valued Contributor II

Hi @Bharadwaj i will suggest instead of enterprise role create application role as you are tagging those to an endpoint.

adriencosson
Valued Contributor
Valued Contributor

Hi @Bharadwaj ,

It shouldn't be related to 24.3 version since we are running the same in 24.4 and Role filtering on Endpoint works fine.

Is your dynamic attribute technical name is spelled accordingly as "CostUnitID" ?

A way to troubleshoot was is computed is by looking into the logs where you will be able to find how is the query looking whenever you change the value of your dynamic attribute value.

Regards,
Adrien COSSON

rushikeshvartak
All-Star
All-Star

Validate DA name used in role type config

DA : 

rushikeshvartak_0-1718732841749.png

rushikeshvartak_1-1718732857482.png

 

 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

AmitM
Valued Contributor
Valued Contributor

Hi @Bharadwaj , is there a need to use Enterprise roles in your use case , as you are letting user select application to request access, not the enterprise role wizard. There have been few changes done for enterprise roles in 24.3 but not for application roles.

If you try this with application roles and it works , then your scope of troubleshooting is enterprise roles only and confirms nothing wrong with the filter. (which looks right to me)

Dynamic Attribute

(Role Request > Enterprise Role)

This option is not used and is not applicable.

None. This configuration is not required.

EIC Administration Guide:

Configuring Role Requests

Dynamic Attribute

(Role Request > Emergency Access Role)

This option is not used and is not applicable.

None. This configuration is not required.

EIC Administration Guide:

Configuring Role Requests

Dynamic Attribute

Use this setting to allow addition of dynamic attributes associated with enterprise roles at the time of requesting an enterprise role. The dynamic attributes are added on the request form while requesting for enterprise roles. For more information, see Viewing or Updating Endpoints.

Note

To display dynamic attributes on the request form while requesting for enterprise roles, ensure the following:

  • Enterprise roles are tagged to an endpoint.

  • Set the Request Type as Role while creating a dynamic attribute.

  • Show Dynamic Attribute configuration at Role Level is enabled.

For more information, see Dynamic Attributes.

 

Note

Starting with Release v24.3, this configuration is no longer available.

rushikeshvartak
All-Star
All-Star

You can’t add filters on enterprise role request its not supported 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Bharadwaj
Regular Contributor
Regular Contributor

Thank everyone for your prompt responses. However, I am unable to see it working, though, I have the same configs on my end.

@adriencosson Could you please share the configuration done on your side just to compare ? On the logs, I do not see the value being populated. As you can see in the logs below, there is no value being populated against r.customproperty1.

2024-06-19T10:50:01+02:00-ecm-services.WorkflownewuiService-http-nio-8080-exec-55-45qsx-DEBUG-listQry:select r from Roles r where (r.status=1 or r.id in (select rh.rolekey from Roles_History rh where rh.versionstatus=1)) and r.requestable=true and r.roletype=4 and r.endpointkey=16 and r.id not in(0) and r.id not in(-1) and (r.customproperty1='') order by r.role_name asc

@rushikeshvartak Thanks for sharing the configuration done. My configuration looks the same, but I am unable to see it working. 

Configuration done:

1. Roletype have been updated to "Application Role". "Show Dynamic Attributes" at Role Level is turned off.

2.Dynamic attribute configs:

Bharadwaj_0-1718788757749.png

Bharadwaj_1-1718788793075.png

3. Role Type configurations:

Bharadwaj_2-1718789075642.png

I have also done the configuration at the entitlement type level just to check if I am able to see the association working on the ARS form. But even on the entitlement level, it did not work.

Entitlement type Config:

Bharadwaj_4-1718789425902.png

 

ARS form:

Bharadwaj_3-1718789259926.png

Appreciate if you could identify the issue.

Thanks!

On form select “select” on costid and again select actual value and try


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

NM
Valued Contributor II
Valued Contributor II

@Bharadwaj is the entitlement or  customproperty1 populated with dynamic attribute value?

Bharadwaj
Regular Contributor
Regular Contributor

Yes, the roles have been updated with the respective values - which we are using in the dynamic attributes.

Note: We are using Neo Experience - not sure if that is causing the issue.


NM
Valued Contributor II
Valued Contributor II

Hi @Bharadwaj , add "Mapping" in field in "What action to perform when Parent attribute changes"