Saviynt Forums

Jari_K · ‎12/29/2023

Hello,

SOD evaluation for application role requests from Saviynt App for ServiceNow is not working as expected.

Currently if I make a request for two application roles that have risk defined from ARS both requestor and approver will see SOD violation in the request so the SOD configuration is working in EIC.

But when the request for the same two application roles is made from Saviynt App for ServiceNow SOD violation is not shown in the request. Not for requestor or approver. Request is made in SNOW and approvals happen in EIC so SOD violations should be visible for approvers.

According to documentation FAQs (saviyntcloud.com) SOD violations should be visible even on the ServiceNow on the request after the request is submitted:

What we experience now is that SOD violations are not visible even on EIC side on the request if request is made from SNOW.

How to make those SOD violations visible for approvers?

Dhruv_S · ‎01/01/2024

Hi @Jari_K

Could you please validate and confirm if the SOD configuration are there in Ruleset/Global config/ SAV Role details.

SAV ROLE->SAV Role details-> Show SOD in Request

Ruleset->Ruleset Info-Evaluate SODs in Access Request

SOD Configurations (saviyntcloud.com)

Also please note that SOD in SNOW is visible after the request is submitted. Please refer the below screenshot from FAQ.

Regards,

Dhruv Sharma

Jari_K · ‎01/02/2024

Hi @Dhruv_S

Yes, SODs are configured correctly. Violations can be seen when request is made in ARS but when request is made in ServiceNow for the same application roles violations are not evaluated, not even after request is submitted.

Also noted that EIC shows different approval UI for requests made in ARS than requests made in ServiceNow. Why?

Darshanjain · ‎01/12/2024

Hi @Jari_K

I have internally checked with the product team and confirmed that when snow app was developed the checksod params was not available via Api and later it was added hence it is not added in snow app.

Now this and account name rule will be added in next version of snow App. The timeline is not yet confirmed by product team but you can raise a ticket in ideas portal for the track of it.

Thanks

Darshan

Jari_K · ‎01/12/2024

Hi @Darshanjain ,

Thanks for checking and getting this on the fix list.

But I don't believe that explanation because the same checksod parameter for the same createrequest API is used in another function in the SNOW app (the one used for making a request for entitlements).

In

addAccessRequest : function(requesterUserID, saviyntUserID, saviyntEndpointName, securitySystem, accountName, entitlements, dynamicAttributes, comments) {

API call body is set:

var body = {
"requesttype" : "ADD",
"username": saviyntUserID,
"endpoint" : saviyntEndpointName,
"requestor": requesterUserID,
"createnewaccounttaskifnotexist": "TRUE",
"accountnamefromrule": "TRUE",
"checksod": "true",
"entitlement": entitlements,
"comments": comments
};

but in function for application roles:

addAppRolesRequest : function(requesterUserID, saviyntUserID, roles, endpointName, businessJustification, comments, startDate, endDate) {

body is set:

var body = {
"requesttype": "add",
"username": saviyntUserID,
"endpoint" : endpointName,
"createnewaccounttaskifnotexist" : "TRUE",
"roles" : requestRole,
"requestor": requesterUserID,
"comments": comments
};

In my opinion, these missing parameters for API calls should be classified as bugs in SNOW app and Saviynt employees should not make up stories why they are not implemented to all functions correctly.

But anyway, here is the idea as well: Include SOD evaluation for application role | Saviynt Ideas Portal

Saviynt Forums

SODs are not evaluated for Request Application Roles when using Saviynt App for ServiceNow