
Workflow attributes that can be used in Service Account Management (Modify)

sk
All-Star

Team,

We are trying to enable Service Account Management. As part of it, we have the below use cases.

  1. Create Service Account
    • As part of create service account we have below use cases
    • Create Service Account
    • Assign Owner (Mandatory, but can only add one Owner of Rank 1; if more than one owner is added, reject the request)
    • Along with that, the user can also make it PAM Enabled
    • Also, the user can add Pre-Authorized Users
  2. Modify Service Account
    • As part of Modify Service Account we have below use cases
    • Modify Service Account Owner
    • Add/Remove additional Service Account Owner (Not Rank1, Rank1 can only be one person)
    • Make service Account PAM Enabled
    • Add/Remove Pre-Authorized Users

Now, for the above-listed create service account use cases, we wanted a workflow like this:

If requestor is Rank 1 Owner

  • Send first level approval to Manager
  • Second level should be auto approved (Also, if the requestor added more than one owner, whether of Rank 1 or of different Ranks, reject the request)

If requested by someone else

  • Send first level approval to Manager
  • Second level should be approved by the Owner of the service account (Also, if the requestor added more than one owner, whether of Rank 1 or of different Ranks, reject the request)

Now, for the above-listed Modify service account use cases, we wanted a workflow like this:

If requestor is Rank 1 Owner

  • Modify Service Account Owner - Request should go to approval for new owner
  • Add/Remove additional Service Account Owner (Not Rank 1, Rank 1 can only be one person) - Auto Approve; also Reject if the additional owner added has Rank 1
  • Make Service Account PAM Enabled - Auto Approve
  • Add/Remove Pre-Authorized Users - Auto Approve

If requested by someone else

  • Reject the request

We were successfully able to achieve the create service account workflow, but we are having a hard time with the modify service account workflow, because except for modify service account owner, in all other cases we need to make the request auto approve if the requestor is the Rank 1 Owner. Meaning, as part of the modify request, we first need to check which type of action the modify request is submitted for. For that, we need to get the details from request_access_attrs using the below parameters:

dynamicAttributesReqAccess.get(requestaccesskey).get('ISPAMPROTECTEDACC')
dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEYADDED')
dynamicAttributesReqAccess.get(requestaccesskey).get('USEROWNERKEYREMOVED')

But what we noticed is that these parameters are getting populated only when the request is submitted (at least one approval has to happen to have the parameters). But in our scenario, before request submission (approval) itself, we need to validate which type of action the request is submitted for.

How can we achieve this scenario? Is there any other workaround by which we can achieve this?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.