09/03/2024 08:14 AM
Hello,
For some internal use case we are using a Sav4Sav REST endpoint as a way for users to request custom entitlements.
The goal is to provision accounts and access (entitlements) when an access request is performed by a user. These entitlements are later processed through analytics.
However, we are struggling to provision accounts and access using the default connector parameters:
Here is our ConnectionJSON
{
"authentications": {
"userAuth": {
"authType": "oauth2",
"url": "<OUR_TENANT>/ECM/api/login",
"httpMethod": "POST",
"httpParams": "{\"username\": \"<SAVIYNT_API_USER>\",\"password\": \"<SAVIYNT_API_PASSWORD>\"}",
"httpContentType": "application/json",
"httpHeaders": {
"Content-Type": "application/json"
},
"authError": [
"USER_AUTHENTICATION_FAILED",
"PARTNER_AUTHENTICATION_FAILED",
"AuthenticationFailed"
],
"errorPath": "errorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "access_token",
"tokenType": "Bearer",
"authHeaderName": "Authorization",
"accessToken": "Bearer abcd",
"retryFailureStatusCode": [
401
],
"testConnectionParams": {
"http": {
"url": "<OUR_TENANT>/ECM/api/v5/user?q=accountExpired:0&fields=firstname,lastname,username&sort=username&order=desc&offset=2&max=2",
"httpContentType": "application/json",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpMethod": "GET"
},
"successResponse": [
"200",
"Successful"
],
"successResponsePath": "msg",
"errors": [
"fail",
"error",
"invalid_token"
],
"errorPath": "responseText"
}
}
}
}
The connection is successful when we save the modifications
Our CreateAccountJSON is
{
"accountIdPath": "accountName",
"responseColsToPropsMap": {
},
"call": [
{
"name": "call1",
"connection": "userAuth",
"url": "<OUR_TENANT>/ECM/api/v5/createAccount",
"httpMethod": "POST",
"httpParams": "{\"securitysystem\":\"Sayvint4SayvintEntitlement\",\"endpoint\":\"Sayvint4SayvintEntitlement\",\"name\":\"${user.username}\",\"username\":\"${user.username}\",\"requestor\":\"${user.username}\",\"accountowner\":[{\"type\":\"user\",\"value\":\"${user.username}\",\"rank\":\"1\"}],\"displayname\":\"${user.displayname}\",\"comments\":\"${user.comments}\",\"accountid\":\"${user.username}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
}
]
}
And our AddAccessJSON is
{
"accountIdPath": "accountName",
"responseColsToPropsMap": {
},
"call": [
{
"name": "call1",
"connection": "userAuth",
"url": "<OUR_TENANT>/ECM/api/v5/assignAccountToEntitlement",
"httpMethod": "POST",
"httpParams": "{\"securitysystem\":\"Sayvint4SayvintEntitlement\",\"endpoint\":\"Sayvint4SayvintEntitlement\",\"accountname\":\"${account.name}\",\"entitlementtype\":\"BusinessUnits\",\"entitlementvalue\":\"${entitlementValue.entitlementID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
}
]
}
We tested both CreateAccount and AddAccess requests via Postman and they work.
Do you have any idea where the issue can come from?
09/03/2024 08:19 AM
@ArW
Have you created the Endpoint/SS and brought the current users, accounts and access into Saviynt?
Once that is done, you submit an ARS request; it will create the tasks and you can provision the access to the account.
09/03/2024 08:28 AM
Hello,
Yes, I have created a Security System and Endpoint.
I already have users in Saviynt; however, I won't have any existing accounts for this endpoint, as those will only be used to set some custom entitlements for internal purposes.
I have already tried to request an entitlement through ARS and it successfully created a Task.
However, the account and entitlement are not created even when running a WSRETRY job.
09/03/2024 08:38 AM
@ArW
Is the provisioning connection selected in the Security System?
Is automated provisioning enabled in the Security System?
Can you also share the logs in a txt file?
09/03/2024 08:43 AM
09/03/2024 08:56 AM
@stalluri
Yes, the provisioning connection is enabled.
I have set automated provisioning to true; it was disabled.
After checking, the provisioning was successful.
I thought that automated provisioning was meant to trigger jobs automatically.
If it does not work like this, how are you supposed to trigger a job after an account was created?
09/03/2024 08:59 AM
Also, for now I have set "entitlementtype":"BusinessUnits" in the JSON, but in the future I would like it to be dynamic. Is it possible to get the entitlement type within the $entitlementValue object?
09/03/2024 09:17 AM
No, it can't be dynamic.
09/03/2024 01:06 PM
@ArW
It can't be dynamic. You can create a multi-call and construct the JSON.
{
"call": [
{
"name": "BusinessUnits",
"connection": "acctAuth",
"url": "XXXXX",
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"username\":\"${account.accountID}\",\"rolename\":\"${entitlementValue.entitlementID}\",\"operation\":\"1\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"successResponses": {
"statusCode": [
200,
201
]
}
},
{
"name": "SavRole",
"connection": "acctAuth",
"url": "XXXXXX",
"httpMethod": "POST",
"httpContentType": "application/json",
"httpParams": "{\"username\":\"${account.accountID}\",\"rolename\":\"${entitlementValue.entitlementID}\",\"operation\":\"1\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"successResponses": {
"statusCode": [
200,
201
]
}
}
]
}
09/04/2024 12:19 AM
@ArW, you can have as many multi-calls as there are possible types of entitlement.
Saviynt OOTB will pick the call for which the request is made.
You can refer to the doc below for multi-call samples (and a sample, as this is quite a common use case):
{
"call": [
{
"name": "SKU",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense",
"httpMethod": "POST",
"httpParams": "{\"addLicenses\": [{\"disabledPlans\": [],\"skuId\": \"${entitlementValue.entitlementID}\"}],\"removeLicenses\": []}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "DirectoryRole",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
},
"unsuccessResponses": {
"odata~dot#error.code": [
"Request_BadRequest",
"Authentication_MissingOrMalformed",
"Request_ResourceNotFound",
"Authorization_RequestDenied",
"Authentication_Unauthorized"
]
}
},
{
"name": "AADGroup",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "ApplicationInstance",
"connection": "entAuth",
"url": "https://graph.windows.net/myorganization/users/${account.accountID}/appRoleAssignedTo?api-version=1....",
"httpMethod": "POST",
"httpParams": "{\"principalId\": \"${account.accountID}\", \"id\": \"${}\", \"resourceId\": \"${entitlementValue.entitlementID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
},
{
"name": "Team",
"connection": "userAuth",
"url": "https://graph.microsoft.com/v1.0/groups/${entitlementValue.entitlementID}/members/\\$ref",
"httpMethod": "POST",
"httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201,
204,
205
]
}
}
]
}
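The two things this thread turns on are (a) whether the `httpParams` string in each call is still valid JSON once Saviynt fills in the `${...}` placeholders, and (b) which entry of a multi-call AddAccessJSON Saviynt runs for a given entitlement type. The script below is an added example, not Saviynt's code and not something anyone in this thread posted. It assumes that Saviynt substitutes placeholders literally into the `httpParams` string, and that for AddAccessJSON it runs the call whose `name` equals the entitlement type (the OOTB behaviour the replies describe). The tenant URL, security-system name and sample configs are constructed for the example. It also lints with a realistic task context: a field such as `${user.comments}` is requester-controlled, so a double quote in it breaks (or reshapes) the JSON body, which a lint against an empty context would never show.

```python
"""Lint Saviynt REST connector call JSON and simulate multi-call selection.

Added example, not Saviynt's code. Assumptions: (1) Saviynt substitutes
${a.b} placeholders literally into the httpParams string before sending it;
(2) for AddAccessJSON it runs the call whose "name" equals the entitlement
type being provisioned. All configs and the task context are constructed.
"""
import json
import re
from typing import Optional

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")


def render(template: str, ctx: dict) -> str:
    """Substitute ${a.b} placeholders from a nested dict (unknown -> '')."""
    def lookup(match):
        node = ctx
        for part in match.group(1).split("."):
            if not isinstance(node, dict) or part not in node:
                return ""
            node = node[part]
        return str(node)
    return PLACEHOLDER.sub(lookup, template)


def lint_calls(config: dict, ctx: Optional[dict] = None) -> list:
    """Return problems: httpParams that is not JSON after rendering,
    duplicate call names (the multi-call selector needs them unique),
    and calls without success status codes."""
    ctx = ctx or {}
    problems, seen = [], set()
    for call in config.get("call", []):
        name = call.get("name", "<unnamed>")
        if name in seen:
            problems.append(f"{name}: duplicate call name")
        seen.add(name)
        params = call.get("httpParams", "")
        if call.get("httpContentType") == "application/json" and params:
            try:
                json.loads(render(params, ctx))
            except json.JSONDecodeError as exc:
                problems.append(f"{name}: httpParams not valid JSON after rendering ({exc.msg})")
        if not call.get("successResponses", {}).get("statusCode"):
            problems.append(f"{name}: successResponses.statusCode missing")
    return problems


def select_call(config: dict, entitlement_type: str) -> Optional[dict]:
    """Pick the multi-call entry whose name matches the entitlement type."""
    return next((c for c in config.get("call", []) if c.get("name") == entitlement_type), None)


def build_request(call: dict, ctx: dict) -> dict:
    """Render URL and body for one call; the body is parsed to prove it is JSON."""
    return {"method": call["httpMethod"],
            "url": render(call["url"], ctx),
            "body": json.loads(render(call["httpParams"], ctx))}


URL = "https://tenant.example/ECM/api/v5/assignAccountToEntitlement"  # hypothetical

# Constructed AddAccessJSON with a misplaced brace: the object closes after
# "entitlementtype", so "entitlementvalue" ends up outside the body.
BROKEN = {"call": [{
    "name": "call1", "httpMethod": "POST", "httpContentType": "application/json", "url": URL,
    "httpParams": '{"securitysystem":"S4S","endpoint":"S4S","accountname":"${account.name}",'
                  '"entitlementtype":"BusinessUnits"},"entitlementvalue":"${entitlementValue.entitlementID}"',
    "successResponses": {"statusCode": [200, 201]}}]}


def _call(ent_type: str) -> dict:
    """One multi-call entry per entitlement type; the name is the selector key."""
    return {"name": ent_type, "httpMethod": "POST", "httpContentType": "application/json", "url": URL,
            "httpParams": '{"accountname":"${account.name}","entitlementtype":"' + ent_type +
                          '","entitlementvalue":"${entitlementValue.entitlementID}"}',
            "successResponses": {"statusCode": [200, 201]}}


MULTI = {"call": [_call("BusinessUnits"), _call("SavRole")]}  # constructed multi-call config

# Constructed CreateAccountJSON that copies the requester's comment into the body.
CREATE = {"call": [{
    "name": "call1", "httpMethod": "POST", "httpContentType": "application/json",
    "url": "https://tenant.example/ECM/api/v5/createAccount",
    "httpParams": '{"name":"${user.username}","comments":"${user.comments}"}',
    "successResponses": {"statusCode": [200, 201, 204, 205]}}]}

# Constructed task context; the comment carries a double quote on purpose.
CTX = {"account": {"name": "jdoe"},
       "entitlementValue": {"entitlementID": "BU-FINANCE"},
       "user": {"username": "jdoe", "comments": 'needs "finance" access'}}

if __name__ == "__main__":
    print("broken :", lint_calls(BROKEN))
    print("create :", lint_calls(CREATE), "| with requester data:", lint_calls(CREATE, CTX))
    print("SavRole:", build_request(select_call(MULTI, "SavRole"), CTX))
    print("Team   :", select_call(MULTI, "Team"))  # no call named Team -> nothing would run
```

Run the linter against every connector JSON before saving it, with a context built from a real task rather than an empty one: the empty-context check passes the `CREATE` config while the realistic one fails it, and `select_call` returning `None` for an entitlement type with no matching call is exactly the silent "task created, nothing provisioned" symptom.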