REST Connector - Remove Multiple roles assigned from user(JSON not working)

rohitkumarraj
New Contributor III

Hi,

I am working on onboarding ForgeRock on Saviynt. We have an issue with Remove role json.

Note: User-role membership is stored in "Get User" api. Sample data below

{
  "_id": "bb100c04-3a93-444a-b1a3-fa67ae992779",
  "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95615",
  "mail": "sees@am2.bp.com",
  "frIndexedString1": "0584191a-fdfd-42b1-ac09-fc947f5fa922",
  "givenName": "Samantha",
  "sn": "See",
  "preferences": null,
  "userName": "9f0312d4-b40a-4e59-9558-17df7960cce7",
  "ownerOfOrg": [],
  "roles": [],
  "authzRoles": [
    {
      "_ref": "internal/role/8f962d55-682a-4288-8966-0affc2e6338b",
      "_refResourceCollection": "internal/role",
      "_refResourceId": "8f962d55-682a-4288-8966-0affc2e6338b",  <---- This is the entitlement value
      "_refProperties": {
        "_id": "37cb6443-203b-425d-a02e-a7e2b14994e8",   <---- this value gets generated only when an entitlement is assigned to the user. This is a unique value
        "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95611"   <---- this value gets generated only when an entitlement is assigned to the user. This is a unique value
      }
    },
    {
      "_ref": "internal/role/1e77c8a7-9b70-4c86-96cf-7c94ab990f4e",
      "_refResourceCollection": "internal/role",
      "_refResourceId": "1e77c8a7-9b70-4c86-96cf-7c94ab990f4e",   <---- This is the entitlement value
      "_refProperties": {
        "_id": "4241ae4c-aec9-46cd-8008-a4e5c12ca4d1",   <---- this value gets generated only when an entitlement is assigned to the user. This is a unique value
        "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95614"   <---- this value gets generated only when an entitlement is assigned to the user. This is a unique value
      }
    },
    {
      "_ref": "internal/role/83c4bdae-c75f-4ea2-ba18-b431995cbed6",
      "_refResourceCollection": "internal/role",
      "_refResourceId": "83c4bdae-c75f-4ea2-ba18-b431995cbed6",   <---- This is the entitlement value
      "_refProperties": {
        "_id": "edab113f-fa65-443b-91c3-7d7adcae5f37",   <---- this value gets generated only when an entitlement is assigned to the user. This is a unique value
        "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95600"   <---- this value gets generated only when an entitlement is assigned to the user. This is a unique value
      }
    }
  ]
}

The way the remove role API works is:

1. We need to first make a GET call on the user to get the unique "_id" & "_rev" (you can see them highlighted in the above JSON), and pass those _id & _rev in the PATCH call to remove all the entitlements from the user (the respective _id & _rev has to be passed, and that's the challenge).

2. Here is the JSON I have built, which is working fine for single entitlement removal from a user:

{
  "call": [
    {
      "name": "Group",
      "connection": "userAuth",
      "url": "https://xyz/openidm/managed/alpha_user/${account.accountID}?_fields=*,*_ref",
      "httpMethod": "GET",
      "httpParams": "",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          202
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          401,
          403,
          404,
          429,
          500,
          503
        ]
      }
    },
    {
      "name": "Group",
      "connection": "userAuth",
      "url": "https://xyz/openidm/managed/alpha_user/${account.accountID}?_fields=*,*_ref",
      "httpMethod": "PATCH",
      "httpParams": "[{\"operation\":\"remove\",\"field\":\"/authzRoles\",\"value\":{\"_ref\":\"internal/role/${entitlementValue.entitlementID}\",\"_refResourceCollection\":\"internal/role\",\"_refResourceId\":\"${entitlementValue.entitlementID}\",\"_refProperties\":{\"_id\":\"${response.Group1.message.authzRoles[0]._refProperties._id}\",\"_rev\":\"${response.Group1.message.authzRoles[0]._refProperties._rev}\"}}}]",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          202
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          401,
          403,
          404,
          409,
          429,
          500,
          503
        ]
      }
    }
  ]
}

This is a working JSON for one ent removal, but when we have more than one ent to be removed, that's where it's becoming complex.

Issue: We need to retrieve the _id & _rev from the GET call (see the user-ents membership data above) and then compare them (if 3 ents are part of a single ent removal request); only if an ent matches do we pass that ent's _id & _rev fields to the PATCH call.

I tried writing a for loop to iterate through all the data and pass the values accordingly, but it failed. Not sure how/what syntax should be used to achieve this.

Can anyone help me out to resolve this issue? I need to pass multiple _id & _rev values in the PATCH to make the role removal a success.

Thanks,

Rohit


khalidakhter
Saviynt Employee

Hi @rohitkumarraj 

The REST connector does not support using the "new" keyword anymore due to security concerns. So, you cannot iterate and check for the required entitlement.

Please create a Saviynt service ticket for this to get it supported if possible with any workaround.

Sure, thanks for the info @khalidakhter 

rohitkumarraj
New Contributor III

Here are a few more tries, but unfortunately none of them worked:

{
  "call": [
    {
      "name": "Group",
      "connection": "userAuth",
      "url": "https://xyz/openidm/managed/alpha_user/${account.accountID}?_fields=authzRoles",
      "httpMethod": "GET",
      "httpParams": "",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          202
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          401,
          403,
          404,
          429,
          500,
          503
        ]
      }
    },
    {
      "name": "Group",
      "connection": "userAuth",
      "url": "https://xyz/openidm/managed/alpha_user/${account.accountID}?_fields=authzRoles",
      "httpMethod": "PATCH",
      "httpParams": "[{\"operation\":\"remove\",\"field\":\"/authzRoles\",\"value\":{\"_ref\":\"internal/role/${entitlementValue.entitlementID}\",\"_refResourceCollection\":\"internal/role\",\"_refResourceId\":\"${entitlementValue.entitlementID}\",\"_refProperties\":{\"_id\" : \"${if(response.'Group1'.message.authzRoles?.size()>0) {{ArrayList finalArr = new ArrayList(); ArrayList arr = response.'Group1'.message.authzRoles;arr.each{if(_refResourceId.equals(entitlementValue.entitlementID)){return _refProperties._id} else {''}} else{''}}\",\"_rev\":\"${if(response.'Group1'.message.authzRoles?.size()>0) {{ArrayList finalArr = new ArrayList(); ArrayList arr = response.'Group1'.message.authzRoles;arr.each{if(_refResourceId.equals(entitlementValue.entitlementID)){return _refProperties._rev} else {''}} else{''}}\"}}}]",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          401,
          403,
          404,
          409,
          500,
          503
        ]
      }
    }
  ]
}

Another try:

{
  "call": [
    {
      "name": "Group",
      "connection": "userAuth",
      "httpMethod": "GET",
      "httpParams": "",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          202
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          401,
          403,
          404,
          429,
          500,
          503
        ]
      }
    },
    {
      "name": "Group",
      "connection": "userAuth",
      "httpMethod": "PATCH",
      "httpParams": "[{\"operation\":\"remove\",\"field\":\"/authzRoles\",\"value\":{\"_ref\":\"internal/role/${entitlementValue.entitlementID}\",\"_refResourceCollection\":\"internal/role\",\"_refResourceId\":\"${entitlementValue.entitlementID}\",\"_refProperties\":{\"_id\" : \"${List responseList = response.Group1.message.authzRoles; int count = 0; int size = responseList.size(); Iterator iterator = responseList.iterator(); while (iterator.hasNext()){count++; Map dataMap = iterator.next(); if(${entitlementValue.entitlementID}.equals(dataMap._refResourceId)){return dataMap._refProperties._id}else {''}}}\",\"_rev\":\"${List responseList = response.Group1.message.authzRoles; int count = 0; int size = responseList.size(); Iterator iterator = responseList.iterator(); while (iterator.hasNext()){count++; Map dataMap = iterator.next(); if(${entitlementValue.entitlementID}.equals(dataMap._refResourceId)){return dataMap._refProperties._rev}else {''}}}\"}}}]",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200
        ]
      },
      "unsuccessResponses": {
        "statusCode": [
          400,
          401,
          403,
          404,
          409,
          500,
          503
        ]
      }
    }
  ]
}

Here the logic is broken down into two parts:

1. Get the entitlement list from the response and compare each "_refResourceId" (ent id) with Saviynt's entValue.entId.

2. If it matches, then pull the respective "_id" & "_rev" values for that entitlement and pass them to call 2, i.e. the PATCH call.

If anyone can help to make the json working, would be very helpful!!

Thanks,

Rohit
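The two-step logic described in both of Rohit's posts (match each assigned role's _refResourceId against the requested entitlement IDs, then emit one remove operation per match carrying that relationship's own _id and _rev), written out as an added stand-alone Python example rather than a connector expression; it is not code from the thread, from Saviynt or from ForgeRock. The sample user is a trimmed copy of the "Get User" response above, the If-Match header is an assumption about IDM's revision check, and requested roles the user does not hold are reported back instead of being sent as blind removes.

```python
# Constructed sample: the "Get User" response from the thread, trimmed to the fields used.
SAMPLE_USER = {
    "_id": "bb100c04-3a93-444a-b1a3-fa67ae992779",
    "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95615",
    "authzRoles": [
        {"_ref": "internal/role/8f962d55-682a-4288-8966-0affc2e6338b",
         "_refResourceCollection": "internal/role",
         "_refResourceId": "8f962d55-682a-4288-8966-0affc2e6338b",
         "_refProperties": {"_id": "37cb6443-203b-425d-a02e-a7e2b14994e8",
                            "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95611"}},
        {"_ref": "internal/role/1e77c8a7-9b70-4c86-96cf-7c94ab990f4e",
         "_refResourceCollection": "internal/role",
         "_refResourceId": "1e77c8a7-9b70-4c86-96cf-7c94ab990f4e",
         "_refProperties": {"_id": "4241ae4c-aec9-46cd-8008-a4e5c12ca4d1",
                            "_rev": "2411708f-0d81-4a77-88f2-05a872d0e114-95614"}},
    ],
}


def build_remove_patch(user, role_ids):
    """Return (ops, headers, missing) for a PATCH that removes several authzRoles.

    ops     - one JSON Patch "remove" per assigned role whose _refResourceId is in
              role_ids, carrying that relationship's own _refProperties _id/_rev
    headers - If-Match pinned to the user _rev the GET returned, so a concurrent
              change fails the PATCH instead of being overwritten (assumption)
    missing - requested role ids the user does not hold; nothing is sent for them
    """
    wanted = set(role_ids)
    ops, found = [], set()
    for rel in user.get("authzRoles") or []:
        rid = rel.get("_refResourceId")
        props = rel.get("_refProperties") or {}
        # Only a relationship carrying both _id and _rev can be removed by reference.
        if rid in wanted and "_id" in props and "_rev" in props:
            ops.append({
                "operation": "remove",
                "field": "/authzRoles",
                "value": {
                    "_ref": rel["_ref"],
                    "_refResourceCollection": rel["_refResourceCollection"],
                    "_refResourceId": rid,
                    "_refProperties": {"_id": props["_id"], "_rev": props["_rev"]},
                },
            })
            found.add(rid)
    headers = {"Content-Type": "application/json", "If-Match": user["_rev"]}
    return ops, headers, sorted(wanted - found)
```

The ops list is what the single PATCH body must carry; a non-empty missing list means the request asked to remove a role that was never assigned, which is worth logging rather than silently treating as success.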

Use the Jar connector.


Regards,
Rushikesh Vartak
If the response is helpful, please click Accept As Solution and kudos it.