nimitdave
Saviynt Employee

Use Cases

  • Accounts may need to be provisioned on various endpoints/applications only when the user has an account on a specific application or has access to a specific entitlement. In that case the rule can refer to tables other than the users table to check the conditions and execute accordingly.
  • Update account, enable account, disable account, etc. may need to be processed based on the user’s access to a specific endpoint, user group, etc. In that case the rule can refer to the specific tables using an advanced condition.

Pre-requisites

Advanced queries in rules are evaluated as HQL, so the query used in a rule must follow HQL format. This essentially means using class names instead of table names. For example, the users table is referred to as Users, user_accounts as User_accounts, accounts as Accounts, and so on.

Applicable Version(s)

ALL

Solution

  1. Technical rule: Provision an account and assign a group on a specific endpoint only if the user has an account on another endpoint
Sample Query:

a.jobcodedesc='IAM Administrator' and a.id in (select distinct us.userkey from User_accounts us, Accounts cc, Endpoints ep where us.accountkey=cc.id and cc.endpointkey =ep.id and ep.endpointname='Open DJ - LDAP')

 

  2. User Update Rule: Send an email when the user’s location is updated and the user has an account on a specific endpoint

Sample Query:

(##a.location isupdated##) and a.id in (select distinct us.userkey from User_accounts us, Accounts cc, Endpoints ep where us.accountkey=cc.id and cc.endpointkey =ep.id and ep.endpointname='ESS Application Access')


  3. User Update Rule: Send an email when the user’s location is updated and the user is a member of a specific user group

Sample Query:

(##a.location isupdated##) and a.id in (select distinct uu.userkey from Usergroup_users uu, Usergroups ug where uu.user_groupkey=ug.id and ug.user_groupname='ServiceDesk Provisioning Group')

 


Notes:
  1. The primary key column of a table is usually referred to as “id” in HQL: userkey in the users table, accountkey in the accounts table, and endpointkey in the endpoints table are each referred to as id in HQL, and so on.
    An error/exception such as “nested exception is org.hibernate.hql.ast.QuerySyntaxException: <<Table name>> is not mapped” means that the <<Table name>> or <<Class name>> used in the query is wrong. Validate the class name in the WAR file.
    Example - nested exception is org.hibernate.hql.ast.QuerySyntaxException: User_groups is not mapped
    User_groups is not the class name for user groups.
    The class name for user_groups is Usergroups.
  2. Class names in HQL are case-sensitive and must be written exactly as they are defined in the WAR file. Below are a few classes that can be used:

        users -> Users
        accounts -> Accounts
        user_accounts -> User_accounts
        account_entitlements1 -> Account_entitlements1
        user_groups -> Usergroups
        usergroup_users -> Usergroup_users
        endpoints -> Endpoints
        entitlement_values -> Entitlement_values
        entitlement_types -> Entitlement_types
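
A pre-check for the "is not mapped" error described in the notes, as an added example (not Saviynt code): it pulls the class names out of each comma-separated from clause, as written in the sample queries above, and compares them case-sensitively with the class list on this page. The function names are hypothetical, and a class that is simply missing from this page's list is reported for manual validation in the WAR file rather than as wrong.

```python
import re

# Table name -> HQL class name, copied from the class list in the notes above.
HQL_CLASSES = {
    "users": "Users",
    "accounts": "Accounts",
    "user_accounts": "User_accounts",
    "account_entitlements1": "Account_entitlements1",
    "user_groups": "Usergroups",
    "usergroup_users": "Usergroup_users",
    "endpoints": "Endpoints",
    "entitlement_values": "Entitlement_values",
    "entitlement_types": "Entitlement_types",
}
KNOWN = set(HQL_CLASSES.values())
# Lower-cased class names also resolve to the exact spelling (catches case slips).
LOOKUP = {**HQL_CLASSES, **{c.lower(): c for c in KNOWN}}
# Text between "from" and the next "where", ")" or end of the query.
FROM_CLAUSE = re.compile(r"\bfrom\s+(.*?)(?=\bwhere\b|\)|$)", re.I | re.S)

def strip_literals(query):
    """Blank out quoted values so a 'from' inside a string is not parsed."""
    return re.sub(r"'(?:[^']|'')*'", "''", query)

def check_rule_query(query):
    """Return (name, hint) for each from-clause entity that is not a known class."""
    findings = []
    for clause in FROM_CLAUSE.findall(strip_literals(query)):
        for item in clause.split(","):
            parts = item.split()
            if not parts:
                continue
            name = parts[0]  # the alias, if any, is parts[1]
            if name in KNOWN:
                continue
            fix = LOOKUP.get(name.lower())
            hint = f"use {fix}" if fix else "not in the class list; validate in the WAR file"
            findings.append((name, hint))
    return findings

if __name__ == "__main__":
    # Constructed sample: sample query 3 with table names instead of class names.
    bad = ("(##a.location isupdated##) and a.id in (select distinct uu.userkey "
           "from usergroup_users uu, User_groups ug where uu.user_groupkey=ug.id "
           "and ug.user_groupname='ServiceDesk Provisioning Group')")
    for name, hint in check_rule_query(bad):
        print(f"{name}: {hint}")
```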

References

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter06-EIC-Configurations/Config...

Version history
Last update: 09/06/2023 03:39 PM