Saviynt Forums

Kaushik · ‎12/13/2023

One of the types of Revoke task that can be configured during creation of a campaign is "Create Remove Account Task For Base Account". The document mentions that "Use this setting to create a revoke task for the base account and all its associated entitlements, even if it has been excluded from the campaign."

1) Under which scenario should we configure this revoke task since the account is not getting certified under the campaign ? Please illustrate with use cases.

2) When would this revoke task get triggered - is it on certification locking or on campaign expiry ?

3) Can the Base Account belong to an End Point which is not part of the campaign ?

Please clarify my doubts on this particular type of Revoke task.

SumathiSomala · ‎12/14/2023

@Kaushik

Refer the below forum thread

https://forums.saviynt.com/t5/identity-governance/campaign-revoke-task/m-p/54296

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Kaushik · ‎12/14/2023

Thanks for sharing the link but it does not answer my 3 specific questions on this particular type of Revoke task. I have successfully tested 4 types of Revoke tasks but do not understand the business case for this 5th type of Revoke task.

DixshantValecha · ‎12/15/2023

Hi @Kaushik,

We are checking on your request and we will keep you posted.

Kaushik · ‎01/08/2024

Awaiting a response on this.

DixshantValecha · ‎01/23/2024

Hi @Kaushik,

1) Under which scenario should we configure this revoke task since the account is not getting certified under the campaign ? Please illustrate with use cases.

Scenario:-In instances where only one entitlement is associated with the base account, and other associated entitlements are absent, the task for the base account will not be generated.
Additionally, if the base account is missing or even one or more associated entitlements are excluded, the creation of a revoke task for the base account is contingent upon the status of the "Create Remove Account Task For Base Account" switch(Task will only get created if switch is ticked/activated).

2) When would this revoke task get triggered - is it on certification locking or on campaign expiry ?

It will work on both the cases.Trigger Conditions: The “Create Remove Account Task For Base

Account” task will be created for all accounts across the board once the campaign has been completed. Refernce forum post:-https://forums.saviynt.com/t5/identity-governance/campaign-revoke-task/m-p/54296

3) Can the Base Account belong to an End Point which is not part of the campaign ?

No, the base account cannot belong to an endpoint that is not part of the campaign. To ensure the functionality of the system, all accounts associated with an endpoint must be included in the campaign.

Please validate and if you require further clarification or wish to discuss specific use cases, please let us know.

Kaushik · ‎01/25/2024

I understand responses to (2) and (3) but do not understand (1).

I had carried out following test:

1) Created a campaign where only "Create Revoke Task for Terminated User & Revoked/Conditional Certified Acc. & Ent. on Locking" option is selected - please refer attached Certification_Revoke_Configuration screenshot.

2) The certifier revokes a base account which has zero associated entitlements - please refer attached Certifier_Action screenshot

3) As soon as certifier locks the campaign, revoke task does get created even though I have not selected "Create Remove Account Task For Base Account" option - please refer attached Certification_Pending_Task screenshot.

As per your response to (1), revoke task should not have been created in this use case.

Saviynt Forums

Queries on Create Remove Account Task For Base Account