
Updating role owners with analytics

ekorh
Regular Contributor

Hi,

I have created an analytic report that fetches usernames per role who are not their owners but should be according to certain criteria. The analytics should be run daily and any new username in the report should be added to their corresponding role(s) as owner.

How could I achieve this automation inside Saviynt?

Can I use e.g. REST connector importuserJSON and in call1 get the data with runtime analytics and in the call2 use the data from previous call and pass them towards updateEnterpriseRoleRequest api? This way I could schedule a job to run daily to handle this.

Thanks already in advance!


rushikeshvartak
All-Star

Yes, you can use the Sav4Sav connector and update the role owner. Keep the report as runtime.


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

I have created the analytics, connector and job. When I run the job it always ends with error: Cannot invoke method containsKey() on null object.

At first I have been trying to update at least the first role record that comes when you query the runtime analytics api.

Here is the json I'm using in the importuserjson (some info deleted for security reasons):
{
  "type": "multiCall",
  "call": [
    {
      "name": "call1",
      "connection": "auth",
      "successResponses": {
        "statusCode": [200, 201, 202, 203, 204, 205]
      },
      "url": "",
      "httpParams": "{\"analyticsid\": \"\"}",
      "httpMethod": "POST",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "userResponsePath": "result",
      "colsToPropsMap": {
        "username": "USERNAME~#~char"
      },
      "httpContentType": "application/json",
      "pagination": {
        "offset": {
          "offsetParam": "offset",
          "batchParam": "displaycount",
          "batchSize": 50,
          "totalCountPath": "completeResponseMap.total"
        }
      }
    },
    {
      "name": "call2",
      "connection": "auth",
      "url": "",
      "httpMethod": "POST",
      "httpParams": "{\"role_name\":\"${response.call1.message.result[0].rolename}\",\"roletype\":\"APPLICATION\",\"owner\":[{\"ownerName\":\"${response.call1.message.result[0].ownerfirstname + '.' + response.call1.message.result[0].ownerlastname}\",\"updateType\":\"ADD\",\"rank\":\"1\"}]}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": {
        "message": "User Updated Successfully",
        "statusCode": [200, 201]
      },
      "unsuccessResponses": {
        "statusCode": [500, 403, 409, 412]
      }
    }
  ]
}

The funny thing is, with the same httpParams in call2, I have been able to update role owners using the first record in the analytics if I put this to UpdateUserJson in the same REST connector.
However, for us it would be more convenient if we could trigger the role owner update in the importUserJSON since then we could schedule a job to take care of this.

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.



‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️


Regards,
Rushikesh Vartak

Hi,

Here are a few screenshots of the logs.

Job log:

[Screenshot: roleOwner1.png]

Log entries related to the error on job log (calling call2 in json?):

[Screenshot: logs2]

Log entries related to the job log (calling call1 in json?):

[Screenshot: logs1]

I have checked everything and the user in the connectionJSON has all necessary accesses in the SAV Role, and like I mentioned in the first message when I replicate this scenario with UpdateUserJSON there is no issue at all.

Thanks already again!

Does it work from Postman?


Regards,
Rushikesh Vartak

Hi,

Yes, login, fetching runtime analytics content and provisioning towards updateenterpriserole API all work ok from Postman.

Please provide a screenshot.


Regards,
Rushikesh Vartak

Hi, Here are screenshots of Postman test calls.

[Screenshot: Screenshot 2024-05-28 092032.png]
[Screenshot: Screenshot 2024-05-28 092420.png]
[Screenshot: Screenshot 2024-05-28 092750.png]

I've been going through logs and it seems to me now that the importUserJSON is unable to parse the groovy code in this section:
"httpParams": "{\"role_name\":\"${response.call1.message.result[0].rolename}\",\"roletype\":\"APPLICATION\",\"owner\":[{\"ownerName\":\"${response.call1.message.result[0].ownerfirstname + '.' + response.call1.message.result[0].ownerlastname}\",\"updateType\":\"ADD\",\"rank\":\"1\"}]}",

Which is weird since this exact same structure provides successful results in UpdateUserJSON.

Can you share the logs in a file with showlogs=true to see the results of the API from the Import JSON?


Regards,
Rushikesh Vartak

Hi,

Due to security reasons I can't share log files here. It would be too much data to go through and anonymize before I could upload the file here.

But the following can be seen in the logs:
Inside updateEnterpriseRoleRequest Webservice
Params are [controller:restfulv5, action:updateEnterpriseRoleRequest, role_name:${response.call1.message.result[0].rolename}, owner:[[ownerName:${response.call1.message.result[0].username}, rank:1, updateType:ADD]], roletype:APPLICATION, requestor:omitted, max:50]
Role not found..

When actually, the role does exist, since it is fetched to the analytics from Saviynt by Saviynt.
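Added example, not part of the original thread and not Saviynt code: a Python check that flags `${...}` bindings left unevaluated in a `Params are [...]` log line like the one above, and builds one request body per analytics row in the shape of call2's httpParams while refusing incomplete or still-templated values. The flat row layout under `result` and all sample role and user names are assumptions.

```python
import re

# A key:${...} pair in a "Params are [...]" line is a binding that reached
# the API as literal text instead of being evaluated by the connector.
UNRESOLVED = re.compile(r"(\w+):(\$\{[^}]*\})")

def unresolved_bindings(log_line):
    """Return (param, expression) pairs that were sent unevaluated."""
    return UNRESOLVED.findall(log_line)

def build_owner_updates(analytics_response):
    """One request body per analytics row, shaped like call2's httpParams."""
    bodies, rejected, seen = [], [], set()
    for row in analytics_response.get("result") or []:
        role = (row.get("rolename") or "").strip()
        first = (row.get("ownerfirstname") or "").strip()
        last = (row.get("ownerlastname") or "").strip()
        owner = f"{first}.{last}"
        # Refuse incomplete rows and any value that still carries a template.
        if not (role and first and last) or "${" in role + owner:
            rejected.append(row)
            continue
        if (role, owner) in seen:  # same pair reported twice
            continue
        seen.add((role, owner))
        bodies.append({
            "role_name": role,
            "roletype": "APPLICATION",
            "owner": [{"ownerName": owner, "updateType": "ADD", "rank": "1"}],
        })
    return bodies, rejected

# Log line copied from the post above.
SAMPLE_LOG = ("Params are [controller:restfulv5, action:updateEnterpriseRoleRequest, "
              "role_name:${response.call1.message.result[0].rolename}, "
              "owner:[[ownerName:${response.call1.message.result[0].username}, rank:1, "
              "updateType:ADD]], roletype:APPLICATION, requestor:omitted, max:50]")

# Constructed analytics response (assumed row layout); names are made up.
SAMPLE_RESPONSE = {"result": [
    {"rolename": "ROLE_EXAMPLE_A", "ownerfirstname": "jane", "ownerlastname": "doe"},
    {"rolename": "ROLE_EXAMPLE_A", "ownerfirstname": "jane", "ownerlastname": "doe"},
    {"rolename": "ROLE_EXAMPLE_B", "ownerfirstname": "sam", "ownerlastname": ""},
    {"rolename": "${response.call1.message.result[0].rolename}",
     "ownerfirstname": "alex", "ownerlastname": "roe"},
    {"rolename": "ROLE_EXAMPLE_C", "ownerfirstname": "alex", "ownerlastname": "roe"},
]}
```
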

Add callorder and try.


Regards,
Rushikesh Vartak

Hi,

Still the same result with callorder.

ekorh
Regular Contributor

Hi,

In the end I opted out of the initial way proposed in this conversation and did the following instead:

  • All roles are imported to the Sav4Sav endpoint as entitlements
  • Actionable analytics fetches role details and matches them with the correct owner, and an add access task is triggered for the Sav4Sav endpoint
  • The add access JSON in the Sav4Sav connector is then configured to add the user as the owner of the role

Notes: If you are using the default getRoles API, some customization is needed to execute pagination successfully if the environment has over 500 roles (https://forums.saviynt.com/t5/identity-governance/v5-getroles-api-pagination/td-p/99103)

Can you share the actual configs?


Regards,
Rushikesh Vartak