I'm trying to wrap my head around the usage of end dates for entitlements in context of SAP and SAP roles.
We enabled "Ask For Start Date End Date While Request" for sap role entitlement type. If we request some SAP role, it gets correctly provisioned with a set end date. What I'm unclear about is, what happens when that end date is reached.
We observed that the SAP role stays connected to the SAP account in the target system. But it seems that the import to EIC is ignoring those entitlements with end date in the past, so it disappears from the account on EIC side. Is that observation correct?
No we have a problem with that behaviour. What we actually like to achieve is, that the SAP role is removed from the account altogether if it has expired. Is it possible to have EIC create an remove access task out of the box? I already thought about using analytics, but that won't work if the import removes those entitlements from DB.
Was discussed in office hours session and I did the following retest:
On the day the SAP role entitlement is expired I ran EnterpriseRoleManagementJob before the SAP import. IT is correctly creating the remove access tasks.
So the root problem is another: The SAP import is removing SAP role entitlement memberships from Saviynt, if the end date is expired. So after that EnterpriseRoleManagementJob doesn't catch them anymore.
Is there a way to avoid this or is it intended behaviour?
Yes, now its clear Actually after the end date Saviynt is not bringing those roles from the import. So it looks like a connector is not excluding the roles whose end date are expired.
We will have to look this as a issue, Please open a FD ticket- we can internally check and get confirmation from product team on this.