05/20/2024 09:17 PM
We have a custom end user sav role with these permissions:
"FEATURE_LIST":
[
"home.pendingActions",
"Manage_My_Access",
"home.recentActivity",
"Pending_Approvals",
"Application_Request",
"Request_Access_for_Self",
"Request_History",
"VIEW_KPI",
"Campaign_Templates_List",
"Create_Campaign",
"RequestEnterpriseRolesClassicUI",
"Create_AAD_Group",
"ViewSavedRequestsClassicUI",
"Certification Dashboard",
"Campaign_Edit_Templates",
"Campaign_Export",
"SOD_Function_Change_Requests",
"Create_AD_Group",
"Campaign_List",
"All_Campaign_Certification_Review_Access",
"Campaign_Summary",
"Runtime_Analytics_History_Details",
"Create_User_Request",
"Manage_Service_Account",
"View_Delegates",
"View_Existing_Access",
"Home",
"Manage_AD_Group",
"Request_Access_for_Others",
"Request_Access_for_Others__Multi_User",
"Manage_AAD_Group",
"Get_DB_Data_Runtime_Analytics"
],
"WEBSERVICE_LIST":
[
"pmgmt_resetAPIUserPassword",
"webservice_api_restful_approveRejectRequest",
"webservice_api_v5_sodEvaluation",
"webservice_apii_v5_sendEmail",
"api_v5_fetchRuntimeControlsData",
"webservice_api_v5_sapSODEvaluation",
"api_jbpm_doSignoffMS",
"api_jbpm_workflowaccessreqStartMS",
"api_jbpm_discontinueRequestMS",
"api_jbpm_getJbpmTaskIdMS",
"apiv5fetchCertificationList"
]
As you can see, this role has access to create and manage AD and AAD groups, but on the "Add Group Owner" screen I am not able to select owners and get a popup saying {"error":"access denied"} as soon as I mark the check box against any user:
These are the errors in the browser console:
The error is on some API called setuserkeyinsessionset.
Am I missing some feature access? Ideally the create AD / AAD group feature should give access to this.
Even with the OOTB end user role I am not able to add a group owner on this screen.
05/20/2024 09:23 PM
ADMIN - SUBMENU.ADMIN.users_userlistjson
05/20/2024 09:44 PM
@rushikeshvartak
In 24.2 we added the feature access "Admin: Users", which seems to include "/users/userlistjson", but this gives access to the whole admin user repository view, which we don't want to provide to end users.
userlistjson is not available in the "Webservice Access" tab, so it seems we cannot add only this API permission.
Is there a way to only add the permission to this API?
05/20/2024 09:51 PM
Currently it's a limitation. You need to add the admin users feature. Please raise an enhancement ticket to map the webservice under create new AAD Group.
05/29/2024 01:13 AM
After triaging this issue with Saviynt support, we got the below response from them:
This is a known issue and has been fixed in version 24.4.
05/29/2024 08:07 AM
Did you find the Jira number in the release notes?
05/29/2024 09:05 PM
I haven't received any Jira ticket number from Saviynt support, just a confirmation for now.
05/29/2024 09:08 PM
Can you please ask for the same? I don't see anything related in the release notes.
FON-13815 | End Users having the Reset Account Password for Others feature access assigned to their SAV role cannot reset the password for other users. Instead, they get an error message displaying {"error":"access denied"}.
https://docs.saviyntcloud.com/bundle/Release-Notes/page/Content/v24x/Release-Notes-24-4.htm
05/29/2024 09:54 PM
05/29/2024 09:54 PM
Can you update the same in the ticket?
05/29/2024 09:56 PM
I have asked them to add this to the release notes.