03/23/2023 02:37 AM
Hi Team,
Workflow should allow the privilege access request for auto approval if the user is from a particular usergroup, else the request should go for one level manager approval.
Tried the below query, but it is giving an error as the list contains multiple users from the usergroup. Please suggest the right approach.
${ARSREQUEST.REQUESTOR}= select users.username from users where users.username is not null and users.userkey in (select userkey from usergroup_users where USER_GROUPKEY='2')
Thanks,
Manju
03/24/2023 05:42 PM
Use the below condition in the if/else block with groovy as the expression language. If the outcome of this block is true, then the requestor is a member of the user group, otherwise not.
(com.saviynt.ecm.identitywarehouse.domain.Usergroup_users.executeQuery("select ugu.id from Usergroup_users ugu where ugu.usergroupkey.id = 2 and ugu.userkey.id= requestedby?.id ")?.size() != 0)
03/28/2023 05:49 AM
Hi Saathvik,
Tried the above suggested query. Request ID is not getting generated. With "e entry in condition, workflow approval is not successful
Regards,
Manjunatha V
03/28/2023 06:54 AM
03/28/2023 08:22 AM
Hi Saathvik, here come the log entries related to the request.
03/30/2023 06:50 PM - edited 03/30/2023 06:50 PM
Try below I don't in your screenshot " are added in subquery so please try below
(com.saviynt.ecm.identitywarehouse.domain.Usergroup_users.executeQuery("select ugu.id from Usergroup_users ugu where ugu.usergroupkey.id = 2 and ugu.userkey.id= requestedby?.id")?.size() != 0)
03/31/2023 07:53 AM
Hi Saathvik,
As an implementation partner we do not have access to catapult. ECM related detailed errors are not coming up in logviewer. For end users, is there any option to change the debug level from the application frontend to get detailed errors?
Managed to fetch logs from catapult ECM logs.
Looks like the system is not accepting the "and" condition in the subquery.
2023-03-31 14:16:46,705 [http-nio-8080-exec-92] ERROR services.WorkflowService - Exception in workflow service
org.jbpm.api.JbpmException: script evaluation error: javax.script.ScriptException: org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]; nested exception is org.hibernate.QueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]
at org.jbpm.pvm.internal.script.ScriptManager.evaluate(ScriptManager.java:127)
at org.jbpm.pvm.internal.script.ScriptManager.evaluate(ScriptManager.java:115)
at org.jbpm.pvm.internal.script.ScriptManager.evaluateExpression(ScriptManager.java:87)
at org.jbpm.pvm.internal.el.ScriptExpression.evaluateInScope(ScriptExpression.java:48)
at org.jbpm.pvm.internal.el.Expression.evaluate(Expression.java:108)
at org.jbpm.pvm.internal.model.ExpressionCondition.evaluate(ExpressionCondition.java:41)
at org.jbpm.jpdl.internal.activity.DecisionConditionActivity.findTransitionUsingConditions(DecisionConditionActivity.java:62)
at org.jbpm.jpdl.internal.activity.DecisionConditionActivity.execute(DecisionConditionActivity.java:47)
at org.jbpm.jpdl.internal.activity.DecisionConditionActivity.execute(DecisionConditionActivity.java:43)
at org.jbpm.pvm.internal.model.op.ExecuteActivity.perform(ExecuteActivity.java:60)
at org.jbpm.pvm.internal.model.ExecutionImpl.performAtomicOperationSync(ExecutionImpl.java:672)
at org.jbpm.pvm.internal.model.ExecutionImpl.fire(ExecutionImpl.java:582)
at org.jbpm.pvm.internal.model.ExecutionImpl.take(ExecutionImpl.java:487)
at org.jbpm.jpdl.internal.activity.ForEachActivity.execute(ForEachActivity.java:123)
at org.jbpm.jpdl.internal.activity.ForEachActivity.execute(ForEachActivity.java:53)
at org.jbpm.pvm.internal.model.op.ExecuteActivity.perform(ExecuteActivity.java:60)
at org.jbpm.pvm.internal.model.ExecutionImpl.performAtomicOperationSync(ExecutionImpl.java:672)
at org.jbpm.pvm.internal.model.ExecutionImpl.performAtomicOperation(ExecutionImpl.java:632)
at org.jbpm.pvm.internal.model.ExecutionImpl.start(ExecutionImpl.java:217)
at org.jbpm.pvm.internal.cmd.StartProcessInstanceInLatestCmd.execute(StartProcessInstanceInLatestCmd.java:63)
at org.jbpm.pvm.internal.cmd.StartProcessInstanceInLatestCmd.execute(StartProcessInstanceInLatestCmd.java:36)
at org.jbpm.pvm.internal.svc.DefaultCommandService.execute(DefaultCommandService.java:42)
at org.jbpm.pvm.internal.tx.SpringCommandCallback.doInTransaction(SpringCommandCallback.java:45)
at org.jbpm.pvm.internal.tx.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:49)
at org.jbpm.pvm.internal.svc.EnvironmentInterceptor.executeInNewEnvironment(EnvironmentInterceptor.java:53)
at org.jbpm.pvm.internal.svc.EnvironmentInterceptor.execute(EnvironmentInterceptor.java:40)
at org.jbpm.pvm.internal.svc.RetryInterceptor.execute(RetryInterceptor.java:56)
at org.jbpm.pvm.internal.svc.ExecutionServiceImpl.startProcessInstanceByKey(ExecutionServiceImpl.java:71)
at com.saviynt.ecm.services.WorkflowService.workflowaccessreqStart(WorkflowService.groovy:1057)
at com.saviynt.ws.JbpmapiService.workflowaccessreqStartMS(JbpmapiService.groovy:64)
at com.saviynt.ecm.ws.JbpmapiController$_closure4.doCall(JbpmapiController.groovy:83)
at grails.plugin.springsecurity.rest.RestTokenValidationFilter.processFilterChain(RestTokenValidationFilter.groovy:118)
at grails.plugin.springsecurity.rest.RestTokenValidationFilter.doFilter(RestTokenValidationFilter.groovy:84)
at grails.plugin.springsecurity.web.filter.GrailsAnonymousAuthenticationFilter.doFilter(GrailsAnonymousAuthenticationFilter.java:53)
at com.saviynt.webservice.SaviyntRestAuthenticationFilter.doFilter(SaviyntRestAuthenticationFilter.groovy:133)
at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.java:62)
at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.java:59)
at com.mrhaki.grails.plugin.xframeoptions.web.XFrameOptionsFilter.doFilterInternal(XFrameOptionsFilter.java:69)
at com.brandseye.cors.CorsFilter.doFilter(CorsFilter.java:82)
at java.lang.Thread.run(Thread.java:750)
Caused by: javax.script.ScriptException: javax.script.ScriptException: org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]; nested exception is org.hibernate.QueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]
at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:152)
at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264)
at org.jbpm.pvm.internal.script.ScriptManager.evaluate(ScriptManager.java:123)
... 39 more
Caused by: javax.script.ScriptException: org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]; nested exception is org.hibernate.QueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]
at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:349)
at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:146)
... 41 more
Caused by: org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]; nested exception is org.hibernate.QueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]
at Script11.run(Script11.groovy:1)
at org.codehaus.groovy.jsr223.GroovyScriptEngineImpl.eval(GroovyScriptEngineImpl.java:346)
... 42 more
Caused by: org.hibernate.QueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]
... 44 more
2023-03-31 14:16:46,706 [http-nio-8080-exec-92] DEBUG println.PrintlnToLogger - Println :: | Error org.jbpm.api.JbpmException: script evaluation error: javax.script.ScriptException: org.springframework.orm.hibernate3.HibernateQueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]; nested exception is org.hibernate.QueryException: unexpected char: '&' [select ugu.id from com.saviynt.ecm.identitywarehouse.domain.Usergroup_users ugu where ugu.usergroupkey.id = 2 && ugu.userkey.id= requestedby?.id]
Thanks,
Manju
04/06/2023 06:00 PM
Our client has a similar requirement. Is it working?
04/28/2023 05:22 AM
Please share the solution if found.
06/15/2023 03:02 AM
Please use the below query format:
(com.saviynt.ecm.identitywarehouse.domain.Usergroup_users.executeQuery("select ugu.id from Usergroup_users ugu where ugu.user_groupkey = 2 AND ugu.userkey= '${requestedby?.id}'")?.size() != 0)
06/15/2023 02:17 PM
@naveenss Thank you for the query. I have validated this in the latest version 23.6 and it is working well. Just one thing to note is that we have to make sure the expression language is selected as groovy in the workflow for this condition. Else workflow evaluation will fail.
@Manju @suresh_ravuri please make a note of that
Thanks,
Nagesh K
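The two condition forms posted in this thread, compared side by side. This is an added example, not part of any post and not Saviynt code. It shows what text each form hands to the query layer and which workflow branch results for a member, a non-member and a missing requestor. The membership rows, the `runQuery` stand-in and the Map used for `requestedby` are constructed assumptions.

```groovy
// Added illustration, not Saviynt code. MEMBERS and runQuery are constructed
// stand-ins for the usergroup_users table and Usergroup_users.executeQuery;
// a Map with an id stands in for the workflow's requestedby object.
def MEMBERS = [[group: 2, user: 101], [group: 2, user: 102], [group: 5, user: 300]]

// Condition from the 03/24 reply: no ${}, so this is a plain String and the
// text "requestedby?.id" is what reaches Hibernate.
def literalForm = { requestedby ->
    "select ugu.id from Usergroup_users ugu where ugu.usergroupkey.id = 2 and ugu.userkey.id= requestedby?.id"
}

// Condition from the 06/15 reply: a GString, rendered by Groovy first.
def interpolatedForm = { requestedby ->
    "select ugu.id from Usergroup_users ugu where ugu.user_groupkey = 2 AND ugu.userkey= '${requestedby?.id}'"
}

// Stand-in executor: reads the two literals out of the rendered query and
// returns the matching rows, comparing them as text.
def runQuery = { String hql ->
    def m = hql =~ /user_groupkey = (\d+) AND ugu\.userkey= '([^']*)'/
    if (!m.find()) {
        throw new IllegalArgumentException("query not in the expected shape: " + hql)
    }
    String groupKey = m.group(1)
    String userKey = m.group(2)
    MEMBERS.findAll { it.group.toString() == groupKey && it.user.toString() == userKey }
}

// true takes the auto-approval branch, false the manager-approval branch.
def autoApprove = { requestedby ->
    runQuery(interpolatedForm(requestedby).toString())?.size() != 0
}

assert literalForm([id: 101]).contains('requestedby?.id')   // never substituted
assert interpolatedForm([id: 101]).toString().endsWith("ugu.userkey= '101'")
assert autoApprove([id: 101])      // member of group 2
assert !autoApprove([id: 300])     // member of a different group only
assert !autoApprove(null)          // renders 'null', which matches no row here
println interpolatedForm(null)
```

In this stand-in a missing requestor falls through to manager approval because the rendered literal matches no row; how a real database compares that literal against the key column should be checked on the target environment.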
06/20/2023 10:35 AM
Thank you @NageshK for your response.
We are planning to implement a manager approval workflow for JIT access requests. How can we implement this manager workflow for a specific access method?
07/07/2023 09:44 AM
Hi @NageshK
Is it possible to enable the manager's approval workflow only for JIT requests?
07/07/2023 12:51 PM
@suresh_ravuri : Can you please elaborate on the requirement, like what type of target/endpoint? Because we are able to check the JIT account condition for a different purpose, and for that we were able to build a logic, I wanted to check if that will fit your requirement.
Also, other than JIT, do you have credential and credentialless accounts on the same endpoint?
07/10/2023 09:18 PM
We are planning to configure JIT account access method for Windows, Unix and MSSQL endpoints.
Users are configured with credentials and credential-less access methods on the same endpoint.
Use-case: For any user who attempts to create a JIT account request to Windows/Unix/MSSQL endpoints, it should trigger the manager's approval workflow, and for other access methods, it should be auto-approval.
07/11/2023 07:16 AM
@suresh_ravuri : Thanks for providing more information. Since you have credential-less accounts as well along with JIT, it would be tricky to differentiate those two types of requests. Can you share the sample output for the below three queries for both a JIT type request and a credential-less request?
1. select * from ars_requests where jbpmprocessinstanceid like '%<request_number>%';
2. select * from request_access where requestkey in (select requestkey from ars_requests where jbpmprocessinstanceid like '%<request_number>%');
3. select * from request_access_attrs where request_access_key in (select request_accesskey from request_access where requestkey in (select requestkey from ars_requests where jbpmprocessinstanceid like '%<request_number>%'));
07/11/2023 08:06 AM
@suresh_ravuri @Saathvik the only difference between JIT and non-JIT is the account config in accounts object. Here is the workflow I tried in 23.7 and it worked. It should work in older versions too. Please try and let me know if it worked.