Saviynt Forums

Dhruv_S · ‎04/23/2024

Use Case

The requirement is to trigger the birthright technical rule for existing users without using the detective job.

For an existing user, birthright technical rules can be invoked by either detective job or through re-run technical rules as an action in user update rules. Detective job may take more time and resources as it will scan the whole DB table and can impact performance, so it is recommended to be used only when needed. Alternative approach to trigger birthright rule is by using user update rule. The user update rule can be triggered by changing some custom property value on the users with trigger condition of update through UI or user is updated via import.

In this approach we will create the user update rule with a trigger condition -User is updated from import. We be updating the user’s custom property (customproperty25) with the help of user import job via SAV4SAV REST connection. It will trigger the user update rule and technical rules will re-run as a part of the user update rule action.

Pre-requisites

Saviynt4Saviynt REST connection is needed to be setup to achieve the use case. Please refer to the REST Connector guide to understand more about how to setup a REST Connection.

REST Connector developer's handbook: Developers Handbook (saviyntcloud.com)

Applicable Version(s)

This is applicable to all versions of EIC.

Solution

Below are the high-level steps to achieve this use case.

Identify the list of users for which we want to run the birthright rule for existing users.
Create a SAV4SAV REST connection. In the ImportuserJSON, mention the userquery to filter the users for whom we want to run the technical rule. (Refer the JSON mentioned below for more details).
Create a user update rule with condition to update some custom property value and action as ‘Re-run selected technical rule’.
Create a birthright technical rule with required account/access provisioning actions.

As a sample, we have a user with requirement of provisioning an account and access to the target system. The number of users can be anything. As an example, we are taking one user here.

There is a user with username TestUser_U1.

Technical Rule – Birthright+ Remove if birthright fails. (Detective Not selected)

User update rule

Trigger condition – Trigger when user is updated from import

Sav4Sav Connection

Create a Sav4Sav connection and use the importuser JSON like below.

ImportUserJSON

In this JSON, we are trying to update the value of customproperty25 with the value of location.

{

"connection": "userAuth",

"url": "https://XYZ.saviyntcloud.com/ECM/api/v5/getUser",

"httpMethod": "POST",

"httpHeaders": {

"Authorization": "${access_token}",

"contentType": "application/json"

},

"httpParams": "{\"userQuery\":\"username like 'TestUser_U1' \"}",

"httpContentType": "application/json",

"colsToPropsMap": {

"username": "username~#~char",

"locationdesc": "locationdesc~#~char",

"street": "street~#~char",

"city": "city~#~char",

"state": "state~#~char",

"country": "country~#~char",

"customproperty25": "location~#~char"

},

"userResponsePath": "userdetails",

"pagination": {

"offset": {

"offsetParam": "offset",

"batchParam": "max",

"batchSize": 10000,

"totalCountPath": "completeResponseMap.total"

}

Run the userimport job with connection as sav4sav and below checkboxes should be selected.

Checkrules
Zero day provisioning

Run the userimportjob and wait till the Job shows success message.

We can see that the Custom property 25 is updated, and rules are triggered.

Corresponding new account and add access tasks are created as per the actions defined in birthright technical rule.

In this way, we are able to trigger the birthright technical rule for an existing user without making use of detective job.

References

Developers Handbook (saviyntcloud.com)

https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter05-Policies/Updating-User-Up...