07/11/2023 02:45 AM
Hi,
I'm trying to wrap my head around the usage of end dates for entitlements in context of SAP and SAP roles.
We enabled "Ask For Start Date End Date While Request" for sap role entitlement type. If we request some SAP role, it gets correctly provisioned with a set end date. What I'm unclear about is, what happens when that end date is reached.
We observed that the SAP role stays connected to the SAP account in the target system. But it seems that the import to EIC is ignoring those entitlements with end date in the past, so it disappears from the account on EIC side. Is that observation correct?
No we have a problem with that behaviour. What we actually like to achieve is, that the SAP role is removed from the account altogether if it has expired. Is it possible to have EIC create an remove access task out of the box? I already thought about using analytics, but that won't work if the import removes those entitlements from DB.
07/13/2023 08:31 AM
@ASA If I understand your issue correctly, when you set the end date, there is no task being created to remove that access in the target. Is that correct?
07/14/2023 03:00 AM
Exactly
07/18/2023 09:27 AM
@ASA this looks like a bug. We would need logs to analyse this issue. Request you to raise a ticket in the support portal and one of our agents will look into it. Thank you.
07/20/2023 03:28 AM
Was discussed in office hours session and I did the following retest:
On the day the SAP role entitlement is expired I ran EnterpriseRoleManagementJob before the SAP import. IT is correctly creating the remove access tasks.
So the root problem is another: The SAP import is removing SAP role entitlement memberships from Saviynt, if the end date is expired. So after that EnterpriseRoleManagementJob doesn't catch them anymore.
Is there a way to avoid this or is it intended behaviour?
07/24/2023 04:14 AM
Hi @ASA
Yes, now its clear Actually after the end date Saviynt is not bringing those roles from the import. So it looks like a connector is not excluding the roles whose end date are expired.
We will have to look this as a issue, Please open a FD ticket- we can internally check and get confirmation from product team on this.
Thanks
Darshan