
Unable to add owners to AD groups and AAD groups with group creation forms

yogesh2
Regular Contributor

We have a custom end user sav role with these permissions:

 

 

    "FEATURE_LIST": 
    [
      "home.pendingActions",
      "Manage_My_Access",
      "home.recentActivity",
      "Pending_Approvals",
      "Application_Request",
      "Request_Access_for_Self",
      "Request_History",
      "VIEW_KPI",
      "Campaign_Templates_List",
      "Create_Campaign",
      "RequestEnterpriseRolesClassicUI",
      "Create_AAD_Group",
      "ViewSavedRequestsClassicUI",
      "Certification Dashboard",
      "Campaign_Edit_Templates",
      "Campaign_Export",
      "SOD_Function_Change_Requests",
      "Create_AD_Group",
      "Campaign_List",
      "All_Campaign_Certification_Review_Access",
      "Campaign_Summary",
      "Runtime_Analytics_History_Details",
      "Create_User_Request",
      "Manage_Service_Account",
      "View_Delegates",
      "View_Existing_Access",
      "Home",
      "Manage_AD_Group",
      "Request_Access_for_Others",
      "Request_Access_for_Others__Multi_User",
      "Manage_AAD_Group",
      "Get_DB_Data_Runtime_Analytics"
    ],
    "WEBSERVICE_LIST": 
    [
      "pmgmt_resetAPIUserPassword",
      "webservice_api_restful_approveRejectRequest",
      "webservice_api_v5_sodEvaluation",
      "webservice_apii_v5_sendEmail",
      "api_v5_fetchRuntimeControlsData",
      "webservice_api_v5_sapSODEvaluation",
      "api_jbpm_doSignoffMS",
      "api_jbpm_workflowaccessreqStartMS",
      "api_jbpm_discontinueRequestMS",
      "api_jbpm_getJbpmTaskIdMS",
      "apiv5fetchCertificationList"
    ]

 

 

As you can see, this role has access to create and manage AD and AAD groups, but on the "Add Group Owner" screen I am not able to select owners and get a popup saying {"error":"access denied"} as soon as I mark the check box against any user:

 

yogesh2_1-1716264806187.png

These are the errors in the browser console:

yogesh2_2-1716264816829.png
The error is on some API called setuserkeyinsessionset.

Am I missing some feature access? Ideally the create AD / AAD group feature should give access to this.

Even with OOTB end user role I am not able to add a group owner on this screen.


rushikeshvartak
All-Star

Refer to https://forums.saviynt.com/t5/data-access-governance/pop-up-error-in-ad-group-management/m-p/44621#M...

ADMIN -    SUBMENU.ADMIN.users_userlistjson


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

@rushikeshvartak 
In 24.2 we added the feature access "Admin: Users", which seems to include "/users/userlistjson", but this gives access to the whole admin user repository view, which we don't want to provide to end users.
yogesh2_0-1716266459599.png

userlistjson is not available in the "Webservice Access" tab, so we cannot add only this API permission, it seems.

Is there a way to only add the permission to this API?

Currently it's a limitation. You need to add the admin users feature. Please raise an enhancement ticket to map the webservice under create new AAD Group.


Regards,
Rushikesh Vartak

yogesh2
Regular Contributor

After triaging this issue with Saviynt support, we got the below response from them:

This is a known issue and has been fixed in version 24.4

Did you find the Jira number in the release notes?


Regards,
Rushikesh Vartak

I haven't received any jira ticket number from Saviynt support, just a confirmation for now.

Can you please ask for the same? I don't see anything related in the release notes.

FON-13815

End Users having the Reset Account Password for Others feature access assigned to their SAV role cannot reset the password for other users. Instead, they get an error message displaying {"error":"access denied"}.

https://docs.saviyntcloud.com/bundle/Release-Notes/page/Content/v24x/Release-Notes-24-4.htm


Regards,
Rushikesh Vartak

Got the details:
Version Release: 24.4
Version Date: Apr 2024
Jira Ticket #: OM-9594
 
But I don't see this one in the release notes.

Can you update the same in the ticket?


Regards,
Rushikesh Vartak

I have asked them to add this to the release notes.