Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Understanding end date for SAP roles

ASA
Regular Contributor II
Regular Contributor II

‎07/11/2023 02:45 AM

Hi,

I'm trying to wrap my head around the usage of end dates for entitlements in context of SAP and SAP roles.

We enabled "Ask For Start Date End Date While Request" for sap role entitlement type. If we request some SAP role, it gets correctly provisioned with a set end date. What I'm unclear about is, what happens when that end date is reached.

We observed that the SAP role stays connected to the SAP account in the target system. But it seems that the import to EIC is ignoring those entitlements with end date in the past, so it disappears from the account on EIC side. Is that observation correct?

No we have a problem with that behaviour. What we actually like to achieve is, that the SAP role is removed from the account altogether if it has expired. Is it possible to have EIC create an remove access task out of the box? I already thought about using analytics, but that won't work if the import removes those entitlements from DB.

3 people had this problem.
0 Kudos
5 REPLIES 5

sai_sp
Saviynt Employee
Saviynt Employee

‎07/13/2023 08:31 AM

@ASA  If I understand your issue correctly, when you set the end date, there is no task being created to remove that access in the target. Is that correct?

 

0 Kudos

ASA
Regular Contributor II
Regular Contributor II
In response to sai_sp

‎07/14/2023 03:00 AM

Exactly

0 Kudos

sai_sp
Saviynt Employee
Saviynt Employee

‎07/18/2023 09:27 AM

@ASA this looks like a bug. We would need logs to analyse this issue. Request you to raise a ticket in the support portal and one of our agents will look into it. Thank you.

0 Kudos

ASA
Regular Contributor II
Regular Contributor II

‎07/20/2023 03:28 AM

Was discussed in office hours session and I did the following retest:

On the day the SAP role entitlement is expired I ran EnterpriseRoleManagementJob before the SAP import. IT is correctly creating the remove access tasks.

So the root problem is another: The SAP import is removing SAP role entitlement memberships from Saviynt, if the end date is expired. So after that EnterpriseRoleManagementJob doesn't catch them anymore.

Is there a way to avoid this or is it intended behaviour?

Darshanjain
Saviynt Employee
Saviynt Employee
In response to ASA

‎07/24/2023 04:14 AM

Hi @ASA 

Yes, now its clear Actually after the end date Saviynt is not bringing those roles from the import. So it looks like a connector is not excluding the roles whose end date are expired.

We will have to look this as  a issue, Please open a FD ticket- we can internally check and get confirmation from product team on this.

 

Thanks

Darshan

 

0 Kudos
Copyright © 2024 Khoros, LLC