
Update an account attribute on an endpoint based on entitlement provisioned in another endpoint

krecpond
New Contributor III

My use case is to update isCallcenter attribute on a target EP1 (SaaS application) based on an AD group provisioned in target EP2 (Active Directory).

Users will request an AD entitlement on EP2 which when provisioned must trigger an update automatically to EP1 to update the isCallcenter attribute.

How can this be done through a seamless unified process within Saviynt without having to schedule an actionable analytics at a regular frequency? Having an actionable analytics is a disjoint solution.....


AmitM
Valued Contributor

Hi @krecpond ,

One solution could be that you create an entitlement type in EP1 and a dummy entitlement. Map it with the AD entitlement using entitlement map or associated entitlement.

When somebody requests the AD entitlement, a task for this other endpoint's dummy entitlement will also be created.

In your provisioning JSON, you can make an update account API call for that entitlement type's add access.

Hope it works!! And also suits your needs.

You can also wait for more ideas but let me know if this works for you.

Br,

Amit

krecpond
New Contributor III

This will not work because we already have add access json configured for EP1. We cannot replace that with an update account JSON.

AmitM
Valued Contributor

Hi @krecpond, that is why we are creating a new entitlement type; otherwise we would have created the dummy entitlement in the existing one, right?

You can have separate calls for different entitlement types. For example, in Azure AD, aadgroup has its own JSON and directory role has its own.

In a similar way, use update account APIs with this new entitlement type, like below:

{
  "call": [
    {
      "name": "SKU",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/users/${account.accountID}/assignLicense",
      "httpMethod": "POST",
      "httpParams": "{\"addLicenses\": [{\"disabledPlans\": [],\"skuId\": \"${entitlementValue.entitlementID}\"}],\"removeLicenses\": []}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      }
    },
    {
      "name": "DirectoryRole",
      "connection": "userAuth",
      "url": "https://graph.microsoft.com/v1.0/directoryRoles/${entitlementValue.entitlementID}/members/\\$ref",
      "httpMethod": "POST",
      "httpParams": "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/${account.accountID}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "statusCode": [
          200,
          201,
          204,
          205
        ]
      },
      "unsuccessResponses": {
        "odata~dot#error.code": [
          "Request_BadRequest",
          "Authentication_MissingOrMalformed",
          "Request_ResourceNotFound",
          "Authorization_RequestDenied",
          "Authentication_Unauthorized"
        ]
      }
    }
  ]
}
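
An added example, not part of the original posts or Saviynt's own code: a small pre-deployment check that appends a call for the new entitlement type to an existing add access JSON without replacing the calls already there, and flags a non-HTTPS URL or a hard-coded Authorization value. The entitlement type names (`Role`, `CallCenterFlag`), the `saas.example.com` URLs, the `PUT` payload, and matching a call to an entitlement type by its `name` are assumptions made for illustration.

```python
import json

# Constructed sample: an existing EP1 add access JSON with one call (hypothetical name and URL).
EXISTING = json.loads(r'''
{"call": [{"name": "Role", "connection": "userAuth",
  "url": "https://saas.example.com/api/users/${account.accountID}/roles",
  "httpMethod": "POST", "httpParams": "{\"role\": \"${entitlementValue.entitlementID}\"}",
  "httpHeaders": {"Authorization": "${access_token}"}, "httpContentType": "application/json",
  "successResponses": {"statusCode": [200, 201]}}]}
''')
# Hypothetical call for the new dummy entitlement type; it updates the account attribute.
NEW_CALL = {
    "name": "CallCenterFlag",
    "connection": "userAuth",
    "url": "https://saas.example.com/api/users/${account.accountID}",
    "httpMethod": "PUT",
    "httpParams": json.dumps({"isCallcenter": True}),
    "httpHeaders": {"Authorization": "${access_token}"},
    "httpContentType": "application/json",
    "successResponses": {"statusCode": [200, 204]},
}
REQUIRED = ("name", "connection", "url", "httpMethod", "httpParams", "successResponses")

def problems(call):
    """Return review findings for one call entry (empty list means none found)."""
    found = [f"missing {k}" for k in REQUIRED if k not in call]
    if not call.get("url", "").startswith("https://"):
        found.append("url is not https")
    auth = call.get("httpHeaders", {}).get("Authorization", "")
    if auth and "${" not in auth:
        found.append("Authorization is a literal value, not a ${...} binding")
    return found

def add_call(config, call):
    """Return a new config with call appended; existing entries are left untouched."""
    issues = problems(call)
    if issues:
        raise ValueError("; ".join(issues))
    if any(c.get("name") == call["name"] for c in config["call"]):
        raise ValueError(f"a call named {call['name']!r} already exists")
    return {"call": config["call"] + [call]}

def call_for(config, entitlement_type):
    """Model of per-type dispatch (assumption): the call whose name equals the type."""
    return next((c for c in config["call"] if c["name"] == entitlement_type), None)
```

`json.dumps(add_call(EXISTING, NEW_CALL), indent=2)` gives the merged JSON to review before pasting it into the connection.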

 

krecpond
New Contributor III

Thanks @AmitM This approach worked.

rushikeshvartak
All-Star

Use request rules


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Request rules will not work because it has to do with managing entitlements. The requirement is that when a user is provisioned to the AD group by Saviynt, Saviynt will automatically populate an attribute on another SaaS target.


 

You need to go with Actionable analytics only.


Regards,
Rushikesh Vartak