No ratings
Feral
Saviynt Employee
Saviynt Employee

Symptoms

Account removal tasks for the Application Owner Campaigns are not getting created when there are child entitlements involved.

Logs would show similar errors as below:

 

219 [quartzScheduler_Worker-7]DEBUG campaigns.CampaignService - listOfRejectedCertAccounts -[[ ACCOUNTKEY:250

227 [quartzScheduler_Worker-7]DEBUG campaigns.CampaignService -Since AccountKey-250 has more entitlements than what was part of cert not creating revoke task for it\"

 

Diagnosis

Now since this is an issue where there is a clear error in the logs, we had reached out to our engineering team to understand the behavior. We also checked the data from our end.

we checked all the data and the configurations
We are seeing only 2 entitlements when the campaign is created, but when you see the account and the associated entitlements with it, there are different child entitlements with it. Particular entitlement in this case had 630 child entitlements in it, because of that, this error in the logs is coming up as well.

Solution

Application Owner campaign doesn't include child entitlement and this is by design. This functionality is present in the User manager campaign but not in Application Owner so this will be an enhancement.

New config CREATEREVOKEBASEACCOUNTTASK which would create remove account task even when all entitlements are not part of the certification and would override the default behavior. We already have this working in User Manager Campaign. Hence, an enhancement has been created for the same EIC-I-3940 and engineering team needs to add this functionality in the Application Owner campaign for solution

Version history
Last update:
‎01/06/2023 02:07 PM
Updated by: