
Workflow check if User has entitlement A, Only then approve entitlement B request, Else reject.

yogendragautam
New Contributor II

Hi,

We have a requirement where we have to approve/reject a request for an entitlement based on the existing entitlements the user's account has.

If the user has entitlement A of Account A, only then grant access to the requested entitlement B.

Similarly, if the user has entitlement A or B or C, then only grant access to entitlement D, else reject.

Can somebody please tell me how to put this check in a workflow?

Thanks in advance.


DaanishJawed
Saviynt Employee

Hi @yogendragautam 

We will check this and get back to you.

KevinP
New Contributor

I also have the same need but for a temporary role request, i.e. if the user has Entitlement A, auto-approve their role request. There may be other ways to go about it other than entitlements, but that's my first thought.

DaanishJawed
Saviynt Employee

Hi @yogendragautam ,

Try using a Groovy script in the if/else blocks.

Some sample Groovy scripts are below:

requestedby.authorities.collect { it.authority }.contains("ROLE_ENDUSER") - To get the SAV role of the requesting user.

(com.saviynt.ecm.identitywarehouse.domain.Usergroup_users.executeQuery("select ugu.id from Usergroup_users ugu where ugu.user_groupkey = <usergroupkey> AND ugu.userkey= '${requestedby?.id}'")?.size() != 0) - For user group validation.

Doc Reference - https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter12-Workflows/Workflow-Compon...


Thanks.

KevinP
New Contributor

Hi Daanish,

Do you have a similar query for *entitlements* instead of groups though? Does the Users table have a list of all the entitlements a user is assigned to? A problem I have is I don't know *what* fields are available in the Users table, because if I try to view it in Data Analyzer, I get this error:

[screenshot: error shown when viewing the Users table in Data Analyzer]

With all of the other tables I can see the data, so I know what fields I can query.

Thanks,

Kevin

(com.saviynt.ecm.identitywarehouse.domain.Usergroup_users.executeQuery("select ev.id from entitlement_values ev ")?.size() != 0)

You can write an HQL query.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

KevinP
New Contributor

Daanish,

So I was able to make a query utilizing SQL to return the data I am essentially trying to leverage. But as I understand it, the Groovy workflow may not understand any of this.

SELECT u.username
FROM users u
JOIN user_accounts ua ON u.userkey = ua.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
JOIN account_entitlements1 ae ON ae.accountkey = a.accountkey
JOIN entitlement_values ev ON ev.entitlement_valuekey = ae.entitlement_valuekey
JOIN endpoints e ON e.endpointKey = a.endpointKey
JOIN securitysystems ss ON ss.systemkey = e.securitysystemkey
WHERE ae.entitlement_valuekey = 7056 AND u.username= "<test username>"

I really don't know much about Groovy, so I took a stab with this and it fails miserably. In my limited research, I'm guessing the "Users" class has a 1-to-1 mapping with the Users table, and I'd essentially have to do a join on multiple 'classes' (not tables like I'm doing below), or at least in a different format than what I have written. Any idea if this can be done?

(com.saviynt.ecm.identitywarehouse.domain.Users.executeQuery("SELECT u.username
FROM users u
JOIN user_accounts ua ON u.userkey = ua.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
JOIN account_entitlements1 ae ON ae.accountkey = a.accountkey
JOIN entitlement_values ev ON ev.entitlement_valuekey = ae.entitlement_valuekey
JOIN endpoints e ON e.endpointKey = a.endpointKey
JOIN securitysystems ss ON ss.systemkey = e.securitysystemkey
WHERE ae.entitlement_valuekey = 7056 AND u.username='${requestedby?.username}'")?.size() != 0)

KevinP
New Contributor

@rushikeshvartak @DaanishJawed 
Does anyone have some documentation on the subject? I've tried tinkering with various versions to get this to work, but it always results in an error; I'm thinking I've got some syntax wrong. I am trying both of the examples below to simply return a true statement (even before I get to the part about matching it with the user), and they both result in this error when submitting the access request.

[screenshot: error shown when submitting the access request]

(com.saviynt.ecm.identitywarehouse.clearme-dev.Usergroup_users.executeQuery("select ev.id FROM entitlement_values ev WHERE ev.id=7506")?.size() != 0)

Or this...

(com.saviynt.ecm.identitywarehouse.clearme-dev.Usergroup_users.executeQuery("select entitlement_valuekey from entitlement_values ev WHERE ev.entitlement_valuekey=7056")?.size() != 0)

You can see from the below query that it exists:

[screenshot: query result showing entitlement_valuekey 7056 exists]

(com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users.executeQuery("select entitlement_valuekey from entitlement_values ev WHERE ev.entitlement_valuekey=7056")?.size() != 0)

com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users is a Saviynt class, not a customer-specific one.

Regards,
Rushikesh Vartak

KevinP
New Contributor

@rushikeshvartak Oh sorry, yes, that was another version I tried but left in there last time. This statement also results in the error.

(com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users.executeQuery("select entitlement_valuekey from entitlement_values ev WHERE ev.entitlement_valuekey=7056")?.size() != 0)

Am I doing something wrong here?

[screenshot: error shown when submitting the request]

Hi @KevinP ,

We are working on this. Will keep you posted.

Thanks

(com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users.executeQuery("select id from entitlement_values ev WHERE ev.id=7056")?.size() != 0)

This is HQL, hence the primary key should be id.

Regards,
Rushikesh Vartak

KevinP
New Contributor

@rushikeshvartak Nope, that doesn't work either, still results in the big red error. As mentioned before, I've tried a bunch of different variations, but the 3 most basic I've tried (which all result in the same error) are below.

(com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users.executeQuery("select id from entitlement_values ev WHERE ev.id=7056")?.size() != 0)

(com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users.executeQuery("select ev.id from entitlement_values ev WHERE ev.id=7056")?.size() != 0)

(com.saviynt.ecm.identitywarehouse.saviynt.Usergroup_users.executeQuery("select entitlement_valuekey from entitlement_values ev WHERE ev.entitlement_valuekey=7056")?.size() != 0)

I've tried little nuances: single quotes vs. double quotes, suggested changes from ChatGPT, etc.

Is anyone able to test the above in an environment and confirm it works? To be clear, I'm in our Test/Dev environment on v23.10. Does the datawarehouse URL change for Dev environments (or is there no warehouse for Dev environments at all)?

Thanks,

Kevin

Hi @KevinP ,

I was able to make this work, but it will be through Dynamic Attributes, if I have understood your use case correctly.

Use case: Approve/reject the request based on the entitlements the user has.

  • Navigate to Global Config and enable the below config -

[screenshot: Global Config setting to enable]

  • Create a dynamic attribute at the endpoint level as below:

Attribute Name - Test

Request Type - Account

Attribute Type - Single Select From SQL Query

Value -

SELECT u.username AS 'ID'
FROM users u
JOIN user_accounts ua ON u.userkey = ua.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
JOIN account_entitlements1 ae ON ae.accountkey = a.accountkey
JOIN entitlement_values ev ON ev.entitlement_valuekey = ae.entitlement_valuekey
JOIN endpoints e ON e.endpointKey = a.endpointKey
JOIN securitysystems ss ON ss.systemkey = e.securitysystemkey
WHERE ae.entitlement_valuekey = 167066
  AND u.userkey = ${requestee};

Default Value -

SELECT u.username AS 'ID'
FROM users u
JOIN user_accounts ua ON u.userkey = ua.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
JOIN account_entitlements1 ae ON ae.accountkey = a.accountkey
JOIN entitlement_values ev ON ev.entitlement_valuekey = ae.entitlement_valuekey
JOIN endpoints e ON e.endpointKey = a.endpointKey
JOIN securitysystems ss ON ss.systemkey = e.securitysystemkey
WHERE ae.entitlement_valuekey = 167066
  AND u.userkey = ${requestee};

Please update the entitlement value key that you are using in the above query.

${requestee} - is the user for whom we are submitting the request.

Please check the below boxes as shown in the screenshot.

[screenshot: dynamic attribute checkboxes to enable]

  • Create a workflow as below of the type Parallel.

[screenshot: parallel workflow with if-else block]

  • Syntax used above in the if-else call -

dynamicAttributes.get('Forum1') ne null

  • Forum1 is the dynamic attribute that we are calling. If the result of Forum1 is null (based on the query used), then the request will be rejected; otherwise it will be approved.
  • Please allow some time for the changes to take place before you submit the request to test your use case.

Let me know if this works for your use-case.

Thanks.
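A worked query for the second case in the original question (the user must already hold entitlement A, B or C before entitlement D is approved), added here as an example; it is not taken from Daanish's post or from Saviynt's documentation. It reuses the table and column names that appear in the queries in this thread, binds the check to ${requestee} in the same way as above, and uses placeholder entitlement_valuekey values (111111, 222222, 333333) that you would replace with the keys from your own environment. The endpoints and securitysystems joins are left out because the check does not filter on them:

```sql
-- Added example (not from the thread or from Saviynt): dynamic-attribute query
-- that returns a row only when the requestee already holds at least one of
-- the gating entitlements. Table/column names follow the queries in the thread;
-- the entitlement_valuekey values below are placeholders, not real keys.
SELECT u.username AS 'ID'
FROM users u
WHERE u.userkey = ${requestee}
  AND EXISTS (
        SELECT 1
        FROM user_accounts ua
        JOIN accounts a
          ON a.accountkey = ua.accountkey
        JOIN account_entitlements1 ae
          ON ae.accountkey = a.accountkey
        WHERE ua.userkey = u.userkey
          -- placeholder keys for the gating entitlements A, B and C
          AND ae.entitlement_valuekey IN (111111, 222222, 333333)
  );
```

Put this in the dynamic attribute's Value (and Default Value) fields in place of the single-entitlement query; the if-else condition on the attribute (`ne null`) stays the same, because the query returns a row only when at least one listed entitlement is held, and an empty result leaves the attribute null so the request goes to the reject branch. For the single-entitlement case, reduce the IN list to one key. The check is deliberately keyed on ${requestee}, the user who will receive the access, rather than on requestedby, so a submitter's own entitlements never satisfy the condition when the request is raised on behalf of someone else.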

OK, I'll take a look at this today. Thanks!

@DaanishJawed 

Unfortunately this resulted in an error too. I am uploading screenshots of the config for your reference. Also there are some logs in the log viewer if I search for 'rolerequestfinalstep', which is the page where the error is displayed. Of course, if I click "Error Detail" in the upper right, it doesn't do anything.

To be clear, I was supposed to leave ${requestee} the way it was, right?

[This message has been edited by moderator to mask email from an image]

Also here is the log (had a max attachment # in last post).

@KevinP 

Did you update the testing workflow at the security system level before submitting the request?

@DaanishJawed 

I am using this for a Temporary Access/Firefighter role workflow, so it is updated in Global Config -> Roles. Since it's not a traditional access/entitlement, I don't believe there is anything to update in Security System, right?

[screenshot: Global Config -> Roles workflow setting]

KevinP
New Contributor

@DaanishJawed 

Did you see my last update? Does that make sense given that it's a workflow for Firefighter roles?

@KevinP Yes, I did check. I have created a ticket below under FreshService to go over this. Please track the below ticket -

https://saviyntinc.freshservice.com/a/tickets/2008464?current_tab=details

What is the error in the logs?

Regards,
Rushikesh Vartak

As for error logs - absolutely nothing tangible that I can see when searching for the user requesting access (kevin.user). This is from Log Viewer under Admin. No errors, no mention of the workflow, etc.

[screenshot: Log Viewer results for the requesting user]

rushikeshvartak
All-Star

Use a dynamic attribute, fetch it in the workflow and perform the required logic.

Regards,
Rushikesh Vartak

I am also having the same scenario for Emergency/Firefighter access. When the user belongs to entitlement A, the role request needs to be auto-approved, else rejected. Can you please let me know if there is any update on this case?