and more in a single search tool across platforms. Read the announcement here. |
10/02/2023 07:27 AM
Hello,
We are using the Workday 2.0 connector to reconcile Workday accounts and the access (security groups) assigned to these accounts. We have been able to successfully reconcile the accounts from Workday into Saviynt using the SOAP import type.
We have also been able to reconcile the Security Groups within Workday using the RaaS integration and the report "SAV_SecurityGroups".
We are, however, seeing that the security groups to account mapping defined in the report "SAV_AccountsToSecurityGroups" is not working as expected per the connector documentation. We are not seeing any groups assigned to any accounts.
We have confirmed that the service account in use is able to access the reports from Workday and we can successfully pull those reports through PostMan and our browser.
Why are the groups not being correlated to accounts? Is there a sanitized sample of the "SAV_SecurityGroups", "SAV_AccountsToSecurityGroups", and "SAV_SecurityGroupsAccounts" reports that can be shared to validate the report from Workday is configured as expected?
Below are our configurations.
Thank you in advance!
ACCESS_IMPORT_LIST:
Security Group
RAAS_MAPPING_JSON:
{
"reportUrlMapping": [
{
"accessType": "Security Group",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroups?format=xml",
"mappingUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_AccountsToSecurityGroups?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroupsAccounts?format=xml",
"enable_chunked_retrieval": 0,
"locationHierarchyUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_LocationHierarchies",
"locationHierarchies": [],
"countryReportUrl": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/Country_Summary",
"countryCodes": []
}
]
}
10/03/2023 11:20 AM
can you try with the below JSON
{
"accessType": "Security Group",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroups?format=xml",
"mappingUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_WorkersToSecurityGroups?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroupsWorkers?format=xml",
"enable_chunked_retrieval" : 1,
"locationHierarchyUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_LocationHierarchies",
"locationHierarchies": [],
"countryReportUrl": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/Country_Summary",
"countryCodes": [""]
}
10/03/2023 05:09 PM
Hi Sahil,
I tried using the above JSON but received errors because the SAV_WorkersToSecurityGroups, SAV_SecurityGroupsWorkers, SAV_LocationHierarchies reports do not exist. We received the following error: 400 : Validation error occurred. Report not found=urn:com.workday.report/<Removed for privacy, report owner>/SAV_WorkersToSecurityGroups
Additionally, I received the following error when using the countryReportUrl given: 400 : Invalid URL path
In the following forum post, another RaaS JSON is provided says to use the SAV_AccountsToSecurityGroups and SAV_SecurityGroupsWorkers reports: https://forums.saviynt.com/t5/identity-governance/workday-entitlement-management/m-p/11167
Can you please share which reports should be configured to allow us to reconcile Workday accounts and their access? The connector documentation does not clearly state this information.
Additionally, can you please share a sample report for SAV_AccountsToSecurityGroups and SAV_SecurityGroupsWorkers so that we can validate the format of the report is as expected by the connector?
Thank you!
10/10/2023 05:40 PM
Hi @SB ,
We have configured additional entitlement types to the in the RAAS_MAPPING_JSON and it appears that entitlements are now correlating to accounts. We are, however, now getting a null pointer exception when all the entitlement types are given in the ACCESS_IMPORT_LIST.
The error message we are getting is: java.lang.NullPointerException: Cannot get property 'wd:Descriptor' on null object
I have validated that all the reports are correctly configured as I can pull them through PostMan. We''ve also been able to debug it down to the "Business Process Security Policy" entitlement type as the import is successful if we exclude this entitlement type from the ACCESS_IMPORT_LIST.
Please find below our current configurations and snippet from the logs.
ACCESS_IMPORT_LIST
Security Group,Tasks And Reports,Organizational Role,Business Process Security Policy,Domain Security Policy
RAAS_MAPPING_JSON
{
"reportUrlMapping": [
{
"accessType": "User",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_Users?format=xml"
},
{
"accessType": "Account",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_Accounts?format=xml"
},
{
"accessType": "Security Group",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroups?format=xml",
"mappingUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_AccountsToSecurityGroups?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_SecurityGroupsAccounts?format=xml",
"enable_chunked_retrieval" : 0,
"locationHierarchyUrl": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_LocationHierarchies",
"locationHierarchies": [],
"countryReportUrl": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/Country_Summary",
"countryCodes": []
},
{
"accessType": "Domain Security Policy",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_DomainSecurityPermissions?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_Domains?format=xml&Include_Changes_to_Security_Groups=0"
},
{
"accessType": "Business Process Security Policy",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcessPermissions?format=xml",
"inc_url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcesses?format=xml&Include_Changes_to_Security_Groups=0"
},
{
"accessType": "Organizational Role",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_OrgRolesAccounts?format=xml"
},
{
"accessType": "Tasks And Reports",
"url": "${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_ReportsTasksGetPut?Inactive=0,${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_ReportsTasksViewModify?Inactive=0"
},
{
"accessType": "Organization"
}
],
"auditReportUrlMapping": [
{
"reportName": "userActivity",
"url": "${BASE_URL}/ccx/service/systemreport2/${TENANT_NAME}/View_User_Activity?format=xml",
"importDateStep": "6",
"indexName": "audit",
"auditDateStart": "${CURRENT_TIMESTAMP_MINUS_24HRS}",
"ImportMapping": {
"fileCreateTime": "wd:Request_Time",
"sourceTranslatedAddress": "wd:IP_Address",
"requestClientApplication": "wd:User_Agent",
"suser": "wd:System_Account.wd:Descriptor",
"filePath": "wd:Task",
"filePermission": "wd:Activity_Category",
"duser": "wd:Target.wd:Descriptor",
"duid": "wd:Target.wd:ID[1].wd:type"
}
}
]
}
Log Snippet:
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682719341Z stdout F 2023-10-10 22:53:30,682 [quartzScheduler_Worker-8] DEBUG workday.WorkdayAccessImportService - Exception in Business-ProcessPermissions "
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682753542Z stdout F java.lang.NullPointerException: Cannot get property 'wd:Descriptor' on null object"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682759942Z stdout F at com.saviynt.provisoning.workday.WorkdayAccessImportService$_processBusinessProcessPermissions_closure8.doCall(WorkdayAccessImportService.groovy:1295)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682763342Z stdout F at com.saviynt.provisoning.workday.WorkdayAccessImportService.processBusinessProcessPermissions(WorkdayAccessImportService.groovy:1237)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682767042Z stdout F at com.saviynt.provisoning.workday.WorkdayImportService.doAccessImport(WorkdayImportService.groovy:373)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682770442Z stdout F at com.saviynt.provisoning.workday.WorkdayImportService.doImport(WorkdayImportService.groovy:81)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682773842Z stdout F at com.saviynt.ecm.integration.ExternalConnectionCallService.invokeExternalMethod(ExternalConnectionCallService.groovy:312)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682777342Z stdout F at SapImportJob.execute(SapImportJob.groovy:109)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682780442Z stdout F at org.quartz.core.JobRunShell.run(JobRunShell.java:199)"
"ecm-worker","2023-10-10T22:53:30.692+00:00","2023-10-10T22:53:30.682783642Z stdout F at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.814487444Z stderr F 10-Oct-2023 22:53:28.814 INFO [quartzScheduler_Worker-8] groovy.sql.Sql.commit Commit operation not supported when using datasets unless using withTransaction or cacheConnection - attempt to commit ignored"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.814487444Z stdout F 2023-10-10 22:53:28,814 [quartzScheduler_Worker-8] DEBUG rest.RestProvisioningService - Deletion of old Account_entitlements1 complete"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.847230043Z stdout F 2023-10-10 22:53:28,847 [quartzScheduler_Worker-8] DEBUG workday.WorkdayAccessImportService - Exit processSecurityGroupOrgEntitlements"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.869840781Z stdout F 2023-10-10 22:53:28,869 [quartzScheduler_Worker-8] DEBUG workday.WorkdayImportService - Time Taken to process Organizational Role : 438.751"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870040982Z stdout F 2023-10-10 22:53:28,869 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Entered findRaasMappingObject"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870171383Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Exit findRaasMappingObject"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870394085Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Entered insertMappingsfromUI"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870408085Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Exit insertMappingsfromUI"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.870875588Z stdout F 2023-10-10 22:53:28,870 [quartzScheduler_Worker-8] DEBUG workday.WorkdayImportService - Found mapping for Business Process Security Policy :[accessType:Business Process Security Policy, inc_url:${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcesses?format=xml&Include_Changes_to_Security_Groups=0, url:${BASE_URL}/ccx/service/customreport2/${TENANT_NAME}/${REPORT_OWNER}/SAV_BusinessProcessPermissions?format=xml]"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.875871918Z stdout F 2023-10-10 22:53:28,875 [quartzScheduler_Worker-8] DEBUG services.ImportUtilityService - EntitlementType 'Business-Process-Permissions' for Endpoint 'Workday_Prov' found with EntitlementTypekey - 143"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.875904618Z stdout F 2023-10-10 22:53:28,875 [quartzScheduler_Worker-8] DEBUG workday.WorkdayAccessImportService - Start processBusinessProcessPermissions"
"ecm-worker","2023-10-10T22:53:29.690+00:00","2023-10-10T22:53:28.875947218Z stdout F 2023-10-10 22:53:28,875 [quartzScheduler_Worker-8] DEBUG workday.WorkdayCommonUtilityService - Entered findToken"
10/13/2023 12:07 PM
Is this url for Business Process Security Policy working form SOAP UI. Can you check if you are getting the response.
10/15/2023 03:52 PM
Hi @SB , yes we are able to pull this report from Postman and SOAP UI without issues.
10/17/2023 09:26 AM
This is OOB config so I am not sure why it would fail if you are also getting the response from SOAP UI. Can you share the response screenshot of 1 data set from SOAP UI.
10/17/2023 11:26 AM - edited 10/17/2023 11:27 AM
Hi @SB
Please find attached a redacted screenshot of one of the report entry's. This report was created based on the Workday connector documentation.
Thank you,
Jack
10/19/2023 08:20 AM
Hi @SB , any updates with the above information?
10/19/2023 08:25 AM
It looks like the issue is with the path defined for wd:Descriptor. Can you check the response of the other entitlement type and see if its the same path or different one.
10/19/2023 08:35 AM - edited 10/19/2023 08:36 AM
Hi @SB Please find attached a screenshot of report entries from other reports. They all appear to match the format as the Business Process Permissions and the connector documentation. They are not having issues.
Do you have a set of sample reports which can be shared? We have validated that the reports match the format required in the connector docs and validation docs.
Is this an issue with the connector? Since this is OOTB connector we do not have the ability to modify these mappings.
Thank you,
10/19/2023 09:33 AM
The response does look the same. I would suggest creating a ticket with Support team for further troubleshooting.