We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

AD Object reassignment upon user termination for Service Account

ruchika
New Contributor
New Contributor

For a security Group or Service Account is there a way to be able to automatically route the ownership to the reporting manager of the user who is no longer with the company.

Is it be possible to leverage Saviynt such that when Saviynt receives the termination date for an employee, it proactively sends a trigger to SN to initiate the process?

1 REPLY 1

AmitM
Regular Contributor III
Regular Contributor III

Hi @ruchika , Saviynt has some oob solution for transferring ownership for terminations.

Document to refer:

https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter05-Policies/Updating-User-Up...

Specific content to read :

 

Transfer Ownership

Changes Owners only. No Task is created.

When a user's status changes to disabled or terminated, it is important to change ownership of identity objects belonging to the inactive user to 'Owner on Terminate' user in User Details page. Purpose of Transfer Ownership is to change the ownership of various operations, from the original disabled user to the user selected in 'Owner on Terminate' field in User Details.

For example, let us say user x is configured with user y as 'Owner on Terminate'. Based on specified condition in User Update Rule if userstatuskey is 0 (disable or terminated) for user x then for selected objects the ownership is transferred to user y in this sample example.

The user update rule is run when the condition specified is met and for selected objects, the ownership is transferred to the user selected in "Owner On Terminate" field in User Details Tab for the user being disabled or terminated. In addition, you can also select an email template, which you want to send as an intimation to the new owner informing about the change in ownership. Additionally, an email is also sent to the new owner for ownership change.

For Service Accounts, owners are specified. To handle use-case of owners of service account getting terminated, you can use User Update Rule feature to create a rule if the user account is changed to inactive (0). As soon as the current service account owner is terminated, user update rule with action "Transfer Ownership" is triggered and the current owner will be replaced by OwnerOnTerminate user as the service account owner.

OwnerOnTerminate must be pre-defined in the current user definition before the current owner is terminated.

You can configure the User Update Rule when:

  • User is updated through UI

  • As a detective rule when user is imported through a feed file or through DB

Additional description for actions related to Transfer Ownership is given below.

  • Transfer Role Ownership: Used to transfer the ownership pertaining to a Role. For example, if user x is the Role owner and the user y is the Owner on Terminate then if user x is deactivated, user y will be the owner of the Role.

  • Transfer Entitlement Ownership: Used to transfer the ownership pertaining to an Entitlement. For example, if user x is the Entitlement owner and the user y is the Owner on Terminate then if user x is deactivated, user y will be the owner of the Entitlement.

  • Replace User in User Group: Used to replace an existing user lets say user 'x' belonging to a user group UG1, and if user 'x' has marked Owner on Terminate as user 'y' then user y will be part of the user group UG1.

  • Replace User in Requests in Flight: Used to replace the approver for requests that are in-progress and yet to be approved. For example, a request is raised and user 'x' is the approver of the request and if user x is inactive then user y (who is the Owner on Terminate of user x), will be the approver of the request instead of user x.

  • Replace User in Manager: Used to replace the manager of a user when the original manager is terminated. For example, for user 'a', manager is selected as user x. If user x is terminated, and if user y is the Owner on Terminate of user x then user y will be the manager of user 'a'.

  • Replace User in Attestation - Certifier: Used to replace certifier in Attestation when the original user is terminated. For example, if user 'x' is the certifier and user y is the Owner on Terminate for user x. When the user x is terminated, user y will be certifier in Attestation.

  • Replace SOD Owner: Used to replace the SOD Ownership when a user is terminated. Original user who is the SOD Owner will be replaced by the Owner on Terminate user.

  • Replace Owner in Analytics: Used to replace the Analytics Ownership when a user is terminated. Original user who is the Analytics Owner will be replaced by the Owner on Terminate user.

  • Replace Owner in Service Accounts: Used to replace the Ownership for Service Accounts when a user is terminated. Original user who is the Owner for Service Accounts will be replaced by the OwnerOnTerminate user as the service account owner.

  • Replace Owner in Rule: Used to replace the Rule ownership to the user configured in the OwnerOnTerminate parameter in the User Details page.

    • Following is the priority order for replacing the Rule Owner:

      • The first priority is given to User’s OwnerOnTerminate configured in the User Details page.

      • The second priority (if OwnerOnTerminate not defined) is given to the User’s Manager configured in the User Details page.

      • The third priority (if both OwnerOnTerminate and User’s Manager not defined) is given to the ‘admin’ user.

  • Replace user in Resource Owner: Used to replace the owner in the Endpoints show page when a user is updated and the condition defined in the rule matches it. The pre-requisite for replacing the owner in the Endpoints show page is Endpoint 'Resource Owner' type is selected as 'User' and the 'Resource Owner' is the user who is being updated. Following is the priority order for replacing the Resource Owner in the Endpoints show page:

    • The first priority is given to User’s OwnerOnTerminate.

    • The second priority (if OwnerOnTerminate not defined) is given to the User’s Manager.

    • The third priority (if both OwnerOnTerminate and User’s Manager not defined) is given to the ‘admin’ user.

  • All: When you select All, for all the above-specified actions ownership is transferred to the user selected in 'Owner on Terminate'.

Regards,

Amit

Please ACCEPT SOLUTION to close thread if it has answered your query.