12/29/2023 02:27 AM - edited 12/29/2023 02:27 AM
Hello,
SOD evaluation for application role requests from Saviynt App for ServiceNow is not working as expected.
Currently, if I make a request for two application roles that have risk defined from ARS, both requestor and approver will see the SOD violation in the request, so the SOD configuration is working in EIC.
But when the request for the same two application roles is made from Saviynt App for ServiceNow, the SOD violation is not shown in the request. Not for requestor or approver. The request is made in SNOW and approvals happen in EIC, so SOD violations should be visible for approvers.
According to the documentation FAQs (saviyntcloud.com), SOD violations should be visible even in ServiceNow on the request after the request is submitted:
What we experience now is that SOD violations are not visible even on EIC side on the request if request is made from SNOW.
How to make those SOD violations visible for approvers?
01/01/2024 10:07 PM
Hi @Jari_K
Could you please validate and confirm if the SOD configurations are there in Ruleset/Global config/SAV Role details.
SAV ROLE -> SAV Role details -> Show SOD in Request
Ruleset -> Ruleset Info -> Evaluate SODs in Access Request
Regards,
Dhruv Sharma
01/02/2024 12:17 AM
Hi @Dhruv_S
Yes, SODs are configured correctly. Violations can be seen when request is made in ARS but when request is made in ServiceNow for the same application roles violations are not evaluated, not even after request is submitted.
Also noted that EIC shows different approval UI for requests made in ARS than requests made in ServiceNow. Why?
01/12/2024 02:42 AM
Hi @Jari_K
I have internally checked with the product team and confirmed that when the SNOW app was developed, the checksod param was not available via the API; it was added later, hence it is not in the SNOW app.
Now this and the account name rule will be added in the next version of the SNOW app. The timeline is not yet confirmed by the product team, but you can raise a ticket in the ideas portal to track it.
Thanks
Darshan
01/12/2024 02:57 AM - edited 01/12/2024 03:34 AM
Hi @Darshanjain ,
Thanks for checking and getting this on the fix list.
But I don't believe that explanation because the same checksod parameter for the same createrequest API is used in another function in the SNOW app (the one used for making a request for entitlements).
In
    addAccessRequest : function(requesterUserID, saviyntUserID, saviyntEndpointName, securitySystem, accountName, entitlements, dynamicAttributes, comments) {
API call body is set:
    var body = {
        "requesttype": "ADD",
        "username": saviyntUserID,
        "endpoint": saviyntEndpointName,
        "requestor": requesterUserID,
        "createnewaccounttaskifnotexist": "TRUE",
        "accountnamefromrule": "TRUE",
        "checksod": "true",
        "entitlement": entitlements,
        "comments": comments
    };
but in function for application roles:
    addAppRolesRequest : function(requesterUserID, saviyntUserID, roles, endpointName, businessJustification, comments, startDate, endDate) {
body is set:
    var body = {
        "requesttype": "add",
        "username": saviyntUserID,
        "endpoint": endpointName,
        "createnewaccounttaskifnotexist": "TRUE",
        "roles": requestRole,
        "requestor": requesterUserID,
        "comments": comments
    };
In my opinion, these missing parameters for API calls should be classified as bugs in SNOW app and Saviynt employees should not make up stories why they are not implemented to all functions correctly.
But anyway, here is the idea as well: Include SOD evaluation for application role | Saviynt Ideas Portal
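
Added example, not part of the original post and not Saviynt's code: a check, runnable under Node.js outside ServiceNow, that flags createrequest bodies lacking the two parameters the post compares and then forces them on. The function names auditRequestBody and withSodFlags, the sample values, and the assumption that createrequest honors checksod for role requests are assumptions of this example.

```javascript
// Added example, not Saviynt's code. Flags required on every createrequest
// body, taken from the addAccessRequest body quoted in the thread.
const REQUIRED_FLAGS = ["checksod", "accountnamefromrule"];

// Lower-case keys so "checkSOD" and "checksod" are treated alike.
function normalizeKeys(body) {
  const out = {};
  for (const [key, value] of Object.entries(body)) out[key.toLowerCase()] = value;
  return out;
}

// Return one finding per required flag that is absent or not "true"
// (the thread shows both "TRUE" and "true", so compare case-insensitively).
function auditRequestBody(builderName, body) {
  const fields = normalizeKeys(body);
  const findings = [];
  for (const flag of REQUIRED_FLAGS) {
    if (!(flag in fields)) {
      findings.push(`${builderName}: "${flag}" is missing`);
    } else if (String(fields[flag]).toLowerCase() !== "true") {
      findings.push(`${builderName}: "${flag}" is ${JSON.stringify(fields[flag])}`);
    }
  }
  return findings;
}

// Fail closed: return a copy of the body with every required flag forced on.
// Assumption: createrequest honors these flags for role requests as well.
function withSodFlags(body) {
  const patched = {};
  for (const [key, value] of Object.entries(body)) {
    if (!REQUIRED_FLAGS.includes(key.toLowerCase())) patched[key] = value;
  }
  for (const flag of REQUIRED_FLAGS) patched[flag] = "true";
  return patched;
}

// Constructed sample bodies mirroring the two builders in the post.
const accessBody = { requesttype: "ADD", username: "jdoe", endpoint: "SampleApp",
  requestor: "jdoe", createnewaccounttaskifnotexist: "TRUE",
  accountnamefromrule: "TRUE", checksod: "true",
  entitlement: [], comments: "constructed" };
const appRoleBody = { requesttype: "add", username: "jdoe", endpoint: "SampleApp",
  createnewaccounttaskifnotexist: "TRUE", roles: "SampleRoleA,SampleRoleB",
  requestor: "jdoe", comments: "constructed" };

console.log(auditRequestBody("addAccessRequest", accessBody));
console.log(auditRequestBody("addAppRolesRequest", appRoleBody));
console.log(auditRequestBody("patched", withSodFlags(appRoleBody)));
```

Run over the request builders in an integration's test suite, a check like this catches a role or entitlement request path that would skip SOD evaluation before it reaches approvers.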