
Sav4Sav REST Connector - Cannot Add Account or Add Access

ArW
New Contributor III

Hello,

For some internal usecase we are using a Sav4Sav Rest Endpoint as a way for users to request custom entitlements.
The goal is to provision accounts and access (entitlements) when an access request is performed by a user. These entitlements are later processed through an analytics.

However, we are struggling to provision accounts and access using the default connector parameters:
Here is our ConnectionJSON

{
    "authentications": {
        "userAuth": {
            "authType": "oauth2",
            "url": "<OUR_TENANT>/ECM/api/login",
            "httpMethod": "POST",
            "httpParams": "{\"username\": \"<SAVIYNT_API_USER>\",\"password\": \"<SAVIYNT_API_PASSWORD>\"}",
            "httpContentType": "application/json",
            "httpHeaders": {
                "Content-Type": "application/json"
            },
            "authError": [
                "USER_AUTHENTICATION_FAILED",
                "PARTNER_AUTHENTICATION_FAILED",
                "AuthenticationFailed"
            ],
            "errorPath": "errorCode",
            "maxRefreshTryCount": 5,
            "tokenResponsePath": "access_token",
            "tokenType": "Bearer",
            "authHeaderName": "Authorization",
            "accessToken": "Bearer abcd",
            "retryFailureStatusCode": [
                401
            ],
            "testConnectionParams": {
                "http": {
                    "url": "<OUR_TENANT>/ECM/api/v5/user?q=accountExpired:0&fields=firstname,lastname,username&sort=username&order=desc&offset=2&max=2",
                    "httpContentType": "application/json",
                    "httpHeaders": {
                        "Authorization": "${access_token}"
                    },
                    "httpMethod": "GET"
                },
                "successResponse": [
                    "200",
                    "Successful"
                ],
                "successResponsePath": "msg",
                "errors": [
                    "fail",
                    "error",
                    "invalid_token"
                ],
                "errorPath": "responseText"
            }
        }
    }
}

The connection is successful when we save the modifications

Our CreateAccountJSON is 

{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {

  },
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "<OUR_TENANT>/ECM/api/v5/createAccount",
      "httpMethod": "POST",
      "httpParams": "{\"securitysystem\":\"Sayvint4SayvintEntitlement\",\"endpoint\":\"Sayvint4SayvintEntitlement\",\"name\":\"${user.username}\",\"username\":\"${user.username}\",\"requestor\":\"${user.username}\",\"accountowner\":[{\"type\":\"user\",\"value\":\"${user.username}\",\"rank\":\"1\"}],\"displayname\":\"${user.displayname}\",\"comments\":\"${user.comments}\",\"accountid\":\"${user.username}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      }
    }
  ]
}

And our AddAccessJSON is

{
  "accountIdPath": "accountName",
  "responseColsToPropsMap": {

  },
  "call": [
    {
      "name": "call1",
      "connection": "userAuth",
      "url": "<OUR_TENANT>/ECM/api/v5/assignAccountToEntitlement",
      "httpMethod": "POST",
      "httpParams": "{\"securitysystem\":\"Sayvint4SayvintEntitlement\",\"endpoint\":\"Sayvint4SayvintEntitlement\",\"accountname\":\"${account.name}\",\"entitlementtype\":\"BusinessUnits\",\"entitlementvalue\":\"${entitlementValue.entitlementID}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      }
    }
  ]
}

We tested both CreateAccount and AddAccess requests via Postman and they work

Do you have any idea where the issue can come from?
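Added example (my own code, not the poster's configuration and not a Saviynt utility): a small lint pass for the `call` array of a CreateAccountJSON/AddAccessJSON. It renders each `${...}` token from a constructed sample context, then checks that the embedded `httpParams` string still parses as a JSON object and that no `<OUR_TENANT>`-style stub is left in the URL. The sample documents, the `tenant.example` host and the variable values are all constructed for this example; the misplaced brace in the broken sample is a constructed defect of the kind this check is meant to catch before a task is ever created.

```python
import json
import re

# Constructed sample values standing in for the Saviynt runtime variables
# (${user.*}, ${account.*}, ${entitlementValue.*}, ${access_token}).
SAMPLE_CONTEXT = {
    "user.username": "jdoe",
    "user.displayname": "John Doe",
    "user.comments": "requested via ARS",
    "account.name": "jdoe",
    "account.accountID": "jdoe",
    "entitlementValue.entitlementID": "BU-Finance",
    "access_token": "Bearer sample-token-not-real",
}

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")     # ${account.name} and friends
UNFILLED_STUB = re.compile(r"<[A-Z_]+>?")      # <OUR_TENANT>, <SAVIYNT_API_USER ...


def render(template, context):
    """Substitute ${name} tokens from context; return (rendered text, unresolved names)."""
    missing = []

    def sub(match):
        key = match.group(1)
        if key in context:
            return str(context[key])
        missing.append(key)
        return match.group(0)

    return PLACEHOLDER.sub(sub, template), missing


def lint_call(call, context=SAMPLE_CONTEXT):
    """Findings for one entry of a connector 'call' array (empty list = looks fine)."""
    findings = []
    name = call.get("name", "<unnamed>")
    url = call.get("url", "")
    if UNFILLED_STUB.search(url):
        findings.append(f"{name}: url still contains an unfilled stub: {url}")
    _, missing = render(url, context)
    findings += [f"{name}: url references unknown variable ${{{k}}}" for k in missing]

    params = call.get("httpParams")
    if params is not None and call.get("httpContentType") == "application/json":
        rendered, missing = render(params, context)
        findings += [f"{name}: httpParams references unknown variable ${{{k}}}" for k in missing]
        try:
            body = json.loads(rendered)
        except json.JSONDecodeError as err:
            # The outer document is valid JSON, but the payload embedded in the
            # string is not: this is exactly what a stray brace produces.
            findings.append(f"{name}: httpParams is not valid JSON after substitution "
                            f"({err.msg} at column {err.colno})")
        else:
            if not isinstance(body, dict):
                findings.append(f"{name}: httpParams parsed to {type(body).__name__}, expected an object")
    return findings


def lint_connector_json(text, context=SAMPLE_CONTEXT):
    """Run lint_call over every call in a CreateAccountJSON/AddAccessJSON-style document."""
    doc = json.loads(text)
    findings = []
    for call in doc.get("call", []):
        findings.extend(lint_call(call, context))
    return findings


# Constructed: an AddAccessJSON whose httpParams has a misplaced brace (the "}" after
# entitlementtype closes the object early and strands entitlementvalue outside it)
# and whose tenant URL was left as a stub.
BROKEN_ADD_ACCESS = r'''{
  "accountIdPath": "accountName",
  "call": [{
    "name": "call1",
    "connection": "userAuth",
    "url": "<OUR_TENANT>/ECM/api/v5/assignAccountToEntitlement",
    "httpMethod": "POST",
    "httpParams": "{\"securitysystem\":\"Sav4Sav\",\"accountname\":\"${account.name}\",\"entitlementtype\":\"BusinessUnits\"},\"entitlementvalue\":\"${entitlementValue.entitlementID}\"",
    "httpContentType": "application/json"
  }]
}'''

# The same call with the brace moved to the end and a concrete host
# (tenant.example is a constructed placeholder, not a real tenant).
FIXED_ADD_ACCESS = BROKEN_ADD_ACCESS.replace(
    "<OUR_TENANT>", "https://tenant.example"
).replace(
    r'\"BusinessUnits\"},\"entitlementvalue\":\"${entitlementValue.entitlementID}\"',
    r'\"BusinessUnits\",\"entitlementvalue\":\"${entitlementValue.entitlementID}\"}',
)

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ADD_ACCESS), ("fixed", FIXED_ADD_ACCESS)):
        print(label, lint_connector_json(text) or "no findings")
```

Running it prints two findings for the broken document (the unfilled stub and the unparsable payload) and none for the fixed one; the same function can be pointed at any connector JSON exported from the tenant before it is saved.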


stalluri
Valued Contributor II

@ArW 

Have you created the Endpoint/SS and brought the current users, accounts and access into Saviynt?

Once it is done you will submit an ARS request; it will create the tasks and you can provision the access to the account.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

ArW
New Contributor III

Hello,

Yes I have created a Security System and Endpoint

I already have users in Saviynt however I won't have any existing accounts for this endpoint, those will only be used to set some custom entitlements for internal purpose.

I have already tried to request an entitlement through ARS and it successfully created a Task.
However, the account and entitlement are not created even when running a WSRETRY job

stalluri
Valued Contributor II

@ArW 
Is the provisioning connection selected in the Security System?
Is automated provisioning enabled in the Security System?

Can you also share the logs in the txt file.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

  • Can you share logs after running WSRETRY for specific task

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ArW
New Contributor III

@stalluri 
Yes the provisioning connection is enabled
I have set automated provisioning to true, it was disabled.

After checking, the provisioning was successful.
I thought that automated provisioning was meant to trigger jobs automatically 

If it does not work like this how are you supposed to trigger a job after an account was created ?


  • Automated Provisioning is used for provisioning CRUD operations.
  • You need to schedule the WSRETRY job for provisioning.
  • For import, Import jobs need to be scheduled.
  • Unless you schedule them, it won't import or process any data.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ArW
New Contributor III

Also, for now I have set "entitlementtype":"BusinessUnits" in the JSON, but in the future I would like for it to be dynamic. Is it possible to get the entitlement type within the $entitlementValue object ?

No, it can't be dynamic.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

stalluri
Valued Contributor II

@ArW 
It can't be dynamic. You can create a multi-call and construct the JSON.

{
    "call": [
        {
            "name": "BusinessUnits",
            "connection": "acctAuth",
            "url": "XXXXX",
            "httpMethod": "POST",
            "httpContentType": "application/json",
            "httpParams": "{\"username\":\"${account.accountID}\",\"rolename\":\"${entitlementValue.entitlementID}\",\"operation\":\"1\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "successResponses": {
                "statusCode": [
                    200,
                    201
                ]
            }
        },
        {
            "name": "SavRole",
            "connection": "acctAuth",
            "url": "XXXXXX",
            "httpMethod": "POST",
            "httpContentType": "application/json",
            "httpParams": "{\"username\":\"${account.accountID}\",\"rolename\":\"${entitlementValue.entitlementID}\",\"operation\":\"1\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "successResponses": {
                "statusCode": [
                    200,
                    201
                ]
            }
        }
    ]
}

Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

Amit_Malik
Valued Contributor II

@ArW, you can have as many multi calls as there are possible types of entitlement.

Saviynt ootb will pick the call for which request is made.

You can refer to the doc below for multi-call samples (and a sample, as this is quite a common use case):

https://docs.saviyntcloud.com/bundle/AzureAD-v24x/page/Content/Configuring-the-Integration-for-Provi...

{
    "call": [
        {
            "name": "SKU",
            "connection": "userAuth",
            "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense",
            "httpMethod": "POST",
            "httpParams": "{\"addLicenses\": [{\"disabledPlans\": [],\"skuId\": \"${entitlementValue.entitlementID}\"}],\"removeLicenses\": []}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        },
        {
            "name": "DirectoryRole",
            "connection": "userAuth",
            "url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
            "httpMethod": "POST",
            "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            },
            "unsuccessResponses": {
                "odata~dot#error.code": [
                    "Request_BadRequest",
                    "Authentication_MissingOrMalformed",
                    "Request_ResourceNotFound",
                    "Authorization_RequestDenied",
                    "Authentication_Unauthorized"
                ]
            }
        },
        {
            "name": "AADGroup",
            "connection": "userAuth",
            "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
            "httpMethod": "POST",
            "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        },
        {
            "name": "ApplicationInstance",
            "connection": "entAuth",
            "url": "https://graph.windows.net/myorganization/users/${account.accountID}/appRoleAssignedTo?api-version=1....",
            "httpMethod": "POST",
            "httpParams": "{\"principalId\": \"${account.accountID}\", \"id\": \"${}\", \"resourceId\": \"${entitlementValue.entitlementID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        },
        {
            "name": "Team",
            "connection": "userAuth",
            "url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
            "httpMethod": "POST",
            "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
            "httpHeaders": {
                "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "successResponses": {
                "statusCode": [
                    200,
                    201,
                    204,
                    205
                ]
            }
        }
    ]
}

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".
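Added example (my own code, not Saviynt's engine and not any poster's configuration) that simulates the multi-call dispatch the last two replies describe: one `call` block per entitlement type, named after the type, and the block whose name matches the requested type is the one rendered. That name-equals-type routing rule is my reading of the replies, not something confirmed by product documentation on this page. The two-call document, the `tenant.example` host, the `/addrole` path and all variable values are constructed for this example.

```python
import json
import re

# Constructed multi-call AddAccessJSON in the shape shown in the replies above:
# one call per entitlement type, each named after the type it serves.
MULTI_CALL_ADD_ACCESS = r'''{
  "call": [
    {
      "name": "BusinessUnits",
      "connection": "acctAuth",
      "url": "https://tenant.example/ECM/api/v5/assignAccountToEntitlement",
      "httpMethod": "POST",
      "httpContentType": "application/json",
      "httpParams": "{\"accountname\":\"${account.name}\",\"entitlementtype\":\"BusinessUnits\",\"entitlementvalue\":\"${entitlementValue.entitlementID}\"}",
      "httpHeaders": {"Authorization": "${access_token}"},
      "successResponses": {"statusCode": [200, 201]}
    },
    {
      "name": "SavRole",
      "connection": "acctAuth",
      "url": "https://tenant.example/ECM/api/v5/addrole",
      "httpMethod": "POST",
      "httpContentType": "application/json",
      "httpParams": "{\"username\":\"${account.accountID}\",\"rolename\":\"${entitlementValue.entitlementID}\",\"operation\":\"1\"}",
      "httpHeaders": {"Authorization": "${access_token}"},
      "successResponses": {"statusCode": [200, 201]}
    }
  ]
}'''

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def load_doc(text=MULTI_CALL_ADD_ACCESS):
    """Parse the outer connector document."""
    return json.loads(text)


def fill(template, ctx):
    """${name} substitution; names missing from ctx are left untouched."""
    return PLACEHOLDER.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), template)


def select_call(doc, entitlement_type):
    """Assumed routing rule: the call whose name equals the requested entitlement type."""
    return next((c for c in doc["call"] if c["name"] == entitlement_type), None)


def build_request(doc, entitlement_type, account_id, entitlement_id, token):
    """Render the selected call into a concrete request (method, url, headers, body)."""
    call = select_call(doc, entitlement_type)
    if call is None:
        # No block for this type: nothing would be executed for the task, so fail loudly
        # instead of silently leaving the task pending.
        raise LookupError(f"no call block named {entitlement_type!r}")
    ctx = {
        "account.name": account_id,
        "account.accountID": account_id,
        "entitlementValue.entitlementID": entitlement_id,
        "access_token": token,
    }
    headers = {k: fill(v, ctx) for k, v in call.get("httpHeaders", {}).items()}
    body = json.loads(fill(call["httpParams"], ctx))   # embedded payload must still be JSON
    return {
        "call": call["name"],
        "method": call["httpMethod"],
        "url": fill(call["url"], ctx),
        "headers": headers,
        "body": body,
        "success_codes": call["successResponses"]["statusCode"],
    }


def is_success(request, status_code):
    """Mirror the successResponses.statusCode check applied to the target's reply."""
    return status_code in request["success_codes"]


if __name__ == "__main__":
    doc = load_doc()
    for etype, ent in (("BusinessUnits", "BU-Finance"), ("SavRole", "ROLE_Auditor")):
        req = build_request(doc, etype, "jdoe", ent, "Bearer sample-token")
        print(req["call"], req["method"], req["url"], json.dumps(req["body"]))
```

The practical takeaway is that a request for an entitlement type with no same-named call block produces no request at all, so every entitlement type the endpoint can hold needs its own block; a quick way to verify that is to run `select_call` for each type the Security System defines.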