Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Workday Security Group Correlation

jboike
New Contributor
New Contributor

‎10/02/2023 07:27 AM

Hello,

We are using the Workday 2.0 connector to reconcile Workday accounts and the access (security groups) assigned to these accounts. We have been able to successfully reconcile the accounts from Workday into Saviynt using the SOAP import type.

We have also been able to reconcile the Security Groups within Workday using the RaaS integration and the report "SAV_SecurityGroups".

We are, however, seeing that the security groups to account mapping defined in the report "SAV_AccountsToSecurityGroups" is not working as expected per the connector documentation. We are not seeing any groups assigned to any accounts.

We have confirmed that the service account in use is able to access the reports from Workday and we can successfully pull those reports through PostMan and our browser.

Why are the groups not being correlated to accounts? Is there a sanitized sample of the "SAV_SecurityGroups", "SAV_AccountsToSecurityGroups", and "SAV_SecurityGroupsAccounts" reports that can be shared to validate the report from Workday is configured as expected?

Below are our configurations.

Thank you in advance!

ACCESS_IMPORT_LIST:

 

Security Group

 

RAAS_MAPPING_JSON:

 

{
    "reportUrlMapping": [
        {
            "accessType": "Security Group",
            "url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroups?format=xml",
            "mappingUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_AccountsToSecurityGroups?format=xml",
            "inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroupsAccounts?format=xml",
            "enable_chunked_retrieval": 0,
            "locationHierarchyUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_LocationHierarchies",
            "locationHierarchies": [],
            "countryReportUrl": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/Country_Summary",
            "countryCodes": []
        }
    ]
}

 

 

0 Kudos
11 REPLIES 11

SB
Saviynt Employee
Saviynt Employee

‎10/03/2023 11:20 AM

can you try with the below JSON

{
"accessType": "Security Group",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroups?format=xml",
"mappingUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_WorkersToSecurityGroups?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroupsWorkers?format=xml",
"enable_chunked_retrieval" : 1,
"locationHierarchyUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_LocationHierarchies",
"locationHierarchies": [],
"countryReportUrl": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/Country_Summary",
"countryCodes": [""]
}


Regards,
Sahil
0 Kudos

jboike
New Contributor
New Contributor
In response to SB

‎10/03/2023 05:09 PM

Hi Sahil,

I tried using the above JSON but received errors because the SAV_WorkersToSecurityGroups, SAV_SecurityGroupsWorkers, SAV_LocationHierarchies reports do not exist. We received the following error: 400 : Validation error occurred. Report not found=urn:com.workday.report/<Removed for privacy, report owner>/SAV_WorkersToSecurityGroups

Additionally, I received the following error when using the countryReportUrl given: 400 : Invalid URL path

In the following forum post, another RaaS JSON is provided says to use the SAV_AccountsToSecurityGroups and SAV_SecurityGroupsWorkers reports: https://forums.saviynt.com/t5/identity-governance/workday-entitlement-management/m-p/11167

Can you please share which reports should be configured to allow us to reconcile Workday accounts and their access? The connector documentation does not clearly state this information.

Additionally, can you please share a sample report for SAV_AccountsToSecurityGroups and SAV_SecurityGroupsWorkers so that we can validate the format of the report is as expected by the connector?

Thank you!

0 Kudos

jboike
New Contributor
New Contributor

‎10/10/2023 05:40 PM

Hi @SB ,

We have configured additional entitlement types to the in the RAAS_MAPPING_JSON and it appears that entitlements are now correlating to accounts. We are, however, now getting a null pointer exception when all the entitlement types are given in the ACCESS_IMPORT_LIST.

The error message we are getting is: java.lang.NullPointerException: Cannot get property 'wd:Descriptor' on null object

I have validated that all the reports are correctly configured as I can pull them through PostMan. We''ve also been able to debug it down to the "Business Process Security Policy" entitlement type as the import is successful if we exclude this entitlement type from the ACCESS_IMPORT_LIST.

Please find below our current configurations and snippet from the logs.

ACCESS_IMPORT_LIST

Security Group,Tasks And Reports,Organizational Role,Business Process Security Policy,Domain Security Policy

 

RAAS_MAPPING_JSON

{
"reportUrlMapping": [
{
"accessType": "User",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_Users?format=xml"
},
{
"accessType": "Account",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_Accounts?format=xml"
},
{
"accessType": "Security Group",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroups?format=xml",
"mappingUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_AccountsToSecurityGroups?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroupsAccounts?format=xml",
"enable_chunked_retrieval" : 0,
"locationHierarchyUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_LocationHierarchies",
"locationHierarchies": [],
"countryReportUrl": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/Country_Summary",
"countryCodes": []
},
{
"accessType": "Domain Security Policy",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_DomainSecurityPermissions?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_Domains?format=xml&Include_Changes_to_Security_Groups=0"
},
{
"accessType": "Business Process Security Policy",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcessPermissions?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcesses?format=xml&Include_Changes_to_Security_Groups=0"
},
{
"accessType": "Organizational Role",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_OrgRolesAccounts?format=xml"
},
{
"accessType": "Tasks And Reports",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_ReportsTasksGetPut?Inactive=0,${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_ReportsTasksViewModify?Inactive=0"
},
{
"accessType": "Organization"
}
],
"auditReportUrlMapping": [
{
"reportName": "userActivity",
"url": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/View_User_Activity?format=xml",
"importDateStep": "6",
"indexName": "audit",
"auditDateStart": "${CURRENT_TIMESTAMP_MINUS_24HRS}",
"ImportMapping": {
"fileCreateTime": "wd:Request_Time",
"sourceTranslatedAddress": "wd:IP_Address",
"requestClientApplication": "wd:User_Agent",
"suser": "wd:System_Account.wd:Descriptor",
"filePath": "wd:Task",
"filePermission": "wd:Activity_Category",
"duser": "wd:Target.wd:Descriptor",
"duid": "wd:Target.wd:ID[1].wd:type"
}
}
]
}

Log Snippet:

"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682719341Z stdout F 2023-10-10 22:53:30,682 [quartzScheduler_Worker-8] DEBUG workday.WorkdayAccessImportService - Exception in Business-ProcessPermissions "
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682753542Z stdout F java.lang.NullPointerException: Cannot get property 'wd:Descriptor' on null object"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682759942Z stdout F at com.saviynt.provisoning.workday.WorkdayAccessImportService$_processBusinessProcessPermissions_closure8.doCall(WorkdayAccessImportService.groovy:1295)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682763342Z stdout F at com.saviynt.provisoning.workday.WorkdayAccessImportService.processBusinessProcessPermissions(WorkdayAccessImportService.groovy:1237)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682767042Z stdout F at com.saviynt.provisoning.workday.WorkdayImportService.doAccessImport(WorkdayImportService.groovy:373)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682770442Z stdout F at com.saviynt.provisoning.workday.WorkdayImportService.doImport(WorkdayImportService.groovy:81)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682773842Z stdout F at com.saviynt.ecm.integration.ExternalConnectionCallService.invokeExternalMethod(ExternalConnectionCallService.groovy:312)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682777342Z stdout F at SapImportJob.execute(SapImportJob.groovy:109)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682780442Z stdout F at org.quartz.core.JobRunShell.run(JobRunShell.java:199)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682783642Z stdout F at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.814487444Z stderr F 10-Oct-2023 22:53:28.814 INFO [quartzScheduler_Worker-8] groovy.sql.Sql.commit Commit operation not supported when using datasets unless using withTransaction or cacheConnection - attempt to commit ignored"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.814487444Z stdout F 2023-10-10 22:53:28,814 [quartzScheduler_Worker-8] DEBUG rest.RestProvisioningService - Deletion of old Account_entitlements1 complete"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.847230043Z stdout F 2023-10-10 22:53:28,847 [quartzScheduler_Worker-8] DEBUG workday.WorkdayAccessImportService - Exit processSecurityGroupOrgEntitlements"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.869840781Z stdout F 2023-10-10 22:53:28,869 [quartzScheduler_Worker-8] DEBUG workday.WorkdayImportService - Time Taken to process Organizational Role : 438.751"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870040982Z stdout F 2023-10-10 22:53:28,869 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Entered findRaasMappingObject"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870171383Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Exit findRaasMappingObject"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870394085Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Entered insertMappingsfromUI"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870408085Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Exit insertMappingsfromUI"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870875588Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayImportService - Found mapping for Business Process Security Policy :[accessType:Business Process Security Policy, inc_url:${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcesses?format=xml&Include_Changes_to_Security_Groups=0, url:${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcessPermissions?format=xml]"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.875871918Z stdout F 2023-10-10 22:53:28,875 [quartzScheduler_Worker-8] DEBUG services.ImportUtilityService - EntitlementType 'Business-Process-Permissions' for Endpoint 'Workday_Prov' found with EntitlementTypekey - 143"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.875904618Z stdout F 2023-10-10 22:53:28,875 [quartzScheduler_Worker-8] DEBUG workday.WorkdayAccessImportService - Start processBusinessProcessPermissions"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.875947218Z stdout F 2023-10-10 22:53:28,875 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Entered findToken"

0 Kudos

SB
Saviynt Employee
Saviynt Employee

‎10/13/2023 12:07 PM

Is this url for Business Process Security Policy working form SOAP UI. Can you check if you are getting the response.


Regards,
Sahil
0 Kudos

jboike
New Contributor
New Contributor
In response to SB

‎10/15/2023 03:52 PM

Hi @SB , yes we are able to pull this report from Postman and SOAP UI without issues.

0 Kudos

SB
Saviynt Employee
Saviynt Employee

‎10/17/2023 09:26 AM

This is OOB config so I am not sure why it would fail if you are also getting the response from SOAP UI. Can you share the response screenshot of 1 data set from SOAP UI.


Regards,
Sahil
0 Kudos

jboike
New Contributor
New Contributor
In response to SB

‎10/17/2023 11:26 AM - edited ‎10/17/2023 11:27 AM

Hi @SB 

Please find attached a redacted screenshot of one of the report entry's. This report was created based on the Workday connector documentation.

Thank you,
Jack

Preview file
224 KB
0 Kudos

jboike
New Contributor
New Contributor

‎10/19/2023 08:20 AM

Hi @SB , any updates with the above information?

0 Kudos

SB
Saviynt Employee
Saviynt Employee

‎10/19/2023 08:25 AM

It looks like the issue is with the path defined for wd:Descriptor. Can you check the response of the other entitlement type and see if its the same path or different one. 


Regards,
Sahil
0 Kudos

jboike
New Contributor
New Contributor

‎10/19/2023 08:35 AM - edited ‎10/19/2023 08:36 AM

Hi @SB  Please find attached a screenshot of report entries from other reports. They all appear to match the format as the Business Process Permissions and the connector documentation. They are not having issues.

Do you have a set of sample reports which can be shared? We have validated that the reports match the format required in the connector docs and validation docs.

Is this an issue with the connector? Since this is OOTB connector we do not have the ability to modify these mappings.

Thank you,

Preview file
121 KB
0 Kudos

SB
Saviynt Employee
Saviynt Employee

‎10/19/2023 09:33 AM

The response does look the same. I would suggest creating a ticket with Support team for further troubleshooting. 


Regards,
Sahil
0 Kudos
Copyright © 2024 Khoros, LLC