
AD-switching identity HCM Status from P -> I does not relocate the AD account

Roua
Regular Contributor
Regular Contributor

Hello, we have the following requirement:
Setting HCM-Status to P
will disable the account via a user update rule that creates a task, which is then processed by the AD provisioning job;
the account will be moved to a different OU:
DISABLEACCOUNTJSON:

{
  "msExchExtensionCustomAttribute1": "${Calendar.getInstance().getTime().format('MM/dd/yyyy')}",
  "spar-HCMStatus": "${user.customproperty5}",
  "deleteAllGroups": "No",
  "userAccountControl": "514",
  "moveUsertoOU": "OU=TemporaryLeave,OU=xxx,OU=xxxx,DC=xxxx,DC=xxx,DC=xxx"
}

user update rule:

If (Users.customproperty5 isupdated) AND Users.customproperty5 = 'P' AND ( Users.id IN ( SELECT ru.userkey FROM Role_user_account ru, Roles r WHERE ru.rolekey = r.id AND r.role_name = 'xxxxx' ) OR Users.id NOT IN ( SELECT ru.userkey FROM Role_user_account ru, Roles r WHERE ru.rolekey = r.id AND r.role_name = 'xxxxxx' ) )
Then
(Disable User Accounts AND Create Update User Task [Connection: SAP HCM , Object: Update Login ])

Then, moving the HCM-STATUS from P to I ("inactive"):
REMOVEACCOUNTACTION:

{
  "removeAction": "DISABLE",
  "msExchExtensionCustomAttribute1": "",
  "spar-HCMStatus": "${user.customproperty5}",
  "moveUsertoOU": "OU=Exited OutOfOffice,OU=xxx,OU=xxxx,DC=xxx,DC=xxx,DC=xxx"
}

I tried DELETED, DISABLED and SUSPENDED in "removeAction": "DISABLE", but it doesn't work. And if we just choose DELETE, although in the user update rule it is assigned to be executed only in 90 days, when running the provisioning job it deleted the account immediately without moving it to the new OU.
And the user update rule:

If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Deprovision Access [ Endpoints: cda,Oracle Unified Directory2endpoint, Object: AccountsOnly ] AND Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ])

I also thought about disabling the account first and moving it to the new OU:

If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Disable User Accounts AND Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ])

and then another user update rule to delete the account:

If Users.HCM Status (Custom Property 5) is updated
AND Users.AD Distinguished Name (Custom Property 56) CONTAINS "OU=Exited OutOfOffice,OU=xxx,OU=xxx,DC=xx,DC=xx,DC=xx"
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Disable User AND Deprovision Access [ Endpoints: cda,Oracle Unified Directory2endpoint, Object: AccountsOnly ])

but that also didn't work.
Any ideas how we can solve this?


rushikeshvartak
All-Star
All-Star

Can you share the logs and highlight the error in them?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor
Regular Contributor

I found around 10000 log lines; here is the file with the ones relevant to this issue.

Roua
Regular Contributor
Regular Contributor

Hi @rushikeshvartak,
here are the detailed logs:
These logs show that the system correctly identified that the user's HCM Status was updated and that it was set to "I":

2024-08-22T13:04:39.795+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1  AND   a.customproperty5 = 'I'  AND   1=1 )"
2024-08-22T13:04:39.797+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1  AND   a.customproperty5 = 'I'  AND   1=1 ) executed"

Task skipping due to account status:
The logs contain several instances where tasks were skipped:

2024-08-22T13:04:40.259+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","Task already exists. Skipping..."

The system likely assumes that since the account is disabled, it doesn't need to process additional tasks like relocation.

The following logs also suggest that no further actions were triggered after the system determined that the account was already in a disabled state:

2024-08-22T13:04:40.311+00:00,"ecm-worker","services.JbpmWorkflowService","Thread-32444-frbjs","DEBUG","Not triggering jobs."

How can we force task creation, or what could be the approach for this?

NOTE:
These are the logs for the setup with the two user update rules that I mentioned at the end, since triggering the remove account action already removes the account before it triggers a relocation.
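To repeat the correlation above over a larger export than the three events quoted, here is a small Python helper that is an added example and not Saviynt tooling. It parses the comma-separated log format shown in this post, pulls the user id and customproperty5 value out of the "hql userupdate" query, and counts "Task already exists. Skipping..." events on the same worker thread plus "Not triggering jobs." events overall. Correlating by thread name is an assumption that works for the lines quoted here (all on quartzScheduler_Worker-9-frbjs); the sample includes one constructed unrelated line to show that it is ignored.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread above, plus one
# made-up line from another worker thread that the triage must ignore.
SAMPLE_LOG = """\
2024-08-22T13:04:39.795+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1  AND   a.customproperty5 = 'I'  AND   1=1 )"
2024-08-22T13:04:39.797+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1  AND   a.customproperty5 = 'I'  AND   1=1 ) executed"
2024-08-22T13:04:40.100+00:00,"ecm-worker","constructed.UnrelatedService","quartzScheduler_Worker-3-frbjs","INFO","heartbeat"
2024-08-22T13:04:40.259+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","Task already exists. Skipping..."
2024-08-22T13:04:40.311+00:00,"ecm-worker","services.JbpmWorkflowService","Thread-32444-frbjs","DEBUG","Not triggering jobs."
"""

# Column layout as it appears in the quoted lines (assumed to be stable).
FIELDS = ("timestamp", "service", "logger", "thread", "level", "message")
USER_ID_RE = re.compile(r"where a\.id=(\d+)")
CP5_RE = re.compile(r"a\.customproperty5 = '([^']*)'")


def parse_log(text: str) -> list[dict]:
    """Parse the CSV-style log export into one dict per line."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue  # skip malformed or truncated lines
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def triage_user_update(rows: list[dict]) -> dict:
    """Match user update rule evaluations with skip / no-trigger events."""
    evaluations = []
    skipped_by_thread = defaultdict(int)
    not_triggering = 0
    for r in rows:
        msg = r["message"]
        # The first "hql userupdate" line carries the rule's HQL; the second
        # one (suffixed "executed") is just the completion marker.
        if msg.startswith("hql userupdate") and not msg.endswith("executed"):
            uid = USER_ID_RE.search(msg)
            cp5 = CP5_RE.search(msg)
            evaluations.append({
                "thread": r["thread"],
                "user_id": uid.group(1) if uid else None,
                "customproperty5": cp5.group(1) if cp5 else None,
            })
        elif "Task already exists. Skipping" in msg:
            skipped_by_thread[r["thread"]] += 1
        elif "Not triggering jobs" in msg:
            not_triggering += 1

    findings = []
    for ev in evaluations:
        n = skipped_by_thread.get(ev["thread"], 0)
        verdict = ("rule matched but task creation was skipped" if n
                   else "rule matched; no skip seen on this thread")
        findings.append({**ev, "tasks_skipped_on_thread": n, "verdict": verdict})
    return {"findings": findings, "not_triggering_jobs": not_triggering}


if __name__ == "__main__":
    result = triage_user_update(parse_log(SAMPLE_LOG))
    for f in result["findings"]:
        print(f"user {f['user_id']} (customproperty5={f['customproperty5']}): {f['verdict']}")
    print("'Not triggering jobs' events:", result["not_triggering_jobs"])
```

Point the same two functions at the full export instead of SAMPLE_LOG to see which rule evaluations ended in a skip and which actually produced a task.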

  • Tasks will be created only when the account status is active.
  • If the account is inactive, tasks will not be created; you need to enable the account and then create the add access task.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor
Regular Contributor

@rushikeshvartak thank you!
So you mean in the following user update rule:

If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Disable User Accounts AND Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ])

(screenshot attached: Roua_0-1724333078900.png)

I should first add an action to enable the account?
But can I also add the disable action within the same update user rule (the one I attached here)?

So in this case it should be something like this?

(screenshot attached: Roua_1-1724333298489.png)


Would this create the add access task?
Yes, if the account is active.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor
Regular Contributor

@rushikeshvartak can you explain more?
Moving from P ("account is paused = disabled") to I ("account is inactive"), which as I understood from you means we need to enable it again in the user update rule and then set it to I again.

Would the user update rule work for this logic?

It should work. 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor
Regular Contributor

@rushikeshvartak
Once I changed it from P to I,
a task was created to enable the account, so I ran the provisioning job as well as the AD import. The account was enabled, but it didn't create a task to disable it again, and it also didn't continue the process I assigned in the user update rule.
Am I missing any additional step to trigger the task to disable the account based on the "I"?

  • Do you want to create a disable account task?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor
Regular Contributor

@rushikeshvartak, yes, that's what I understood from you: in order to disable it and relocate it, since it doesn't work from P to I because with P the account is already disabled, you told me to enable it and then disable it. Therefore I added this to my user update rule:

(screenshot attached: Roua_0-1724339704071.png)
So I tested it and, as I mentioned earlier:

once I changed it from P to I,
a task was created to enable the account, so I ran the provisioning job as well as the AD import. The account was enabled, but it didn't create a task to disable it again, and it also didn't continue the process I assigned in the user update rule.
Am I missing any additional step to trigger the task to disable the account based on the "I"?

NOTE: after running the provisioning job the AD account is active and the HCM-STATUS is still "I",
which is the logic we need. Now the issue is how to actually make this user update rule trigger the creation of a disable task, which will be processed (correct me if I am wrong) by the

DISABLEACCOUNTJSON field in AD, which I set to:

{
  "msExchExtensionCustomAttribute1": "${Calendar.getInstance().getTime().format('MM/dd/yyyy')}",
  "xx-HCMStatus": "${user.customproperty5}",
  "customproperty44": "${if (user.customproperty5 == 'P' || user.customproperty47.contains('OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=xxx,DC=local,DC=xx')) {Calendar.getInstance().getTime().format('MM/dd/yyyy')}}",
  "deleteAllGroups": "No",
  "userAccountControl": "514",
  "moveUsertoOU": "${if(user.customproperty5 == 'P'){'OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=xxxx,DC=local,DC=xx'} else if(user.customproperty5 == 'I'){'OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=xxxx,DC=local,DC=x'}}"
}

So, knowing that the HCMStatus (customproperty5) is I and the account is active, following the logic, disabling it should be possible. But again, how do we trigger this with the user update rule, because it didn't work?
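Whichever way the rule ends up being built, an account that is enabled while its HCM status says P or I, or that sits in the wrong container, is exactly the drift this thread is chasing, and it is worth catching independently of the provisioning job. The following Python script is an added example, not Saviynt or connector code: it transcribes the moveUsertoOU mapping from the DISABLEACCOUNTJSON above (P to TemporaryLeave, I to Exited OutOfOffice) together with the userAccountControl 514 disable flag, and reconciles a Saviynt-side list of HCM statuses against an AD export. The identities, accounts and DC components are constructed placeholders, since the thread masks the real domain; the sample deliberately contains the two broken states described in this post (an I account never relocated, and an I account that was re-enabled and never disabled again).

```python
from __future__ import annotations

# Target containers transcribed from the moveUsertoOU expression in the
# DISABLEACCOUNTJSON above. DC components are placeholders (the real ones
# are masked in the thread).
EXPECTED_OU = {
    "P": "OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=example,DC=local,DC=xx",
    "I": "OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=example,DC=local,DC=xx",
}

# userAccountControl 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)
UAC_ACCOUNTDISABLE = 0x0002


def container_of(dn: str) -> str:
    """Return the container DN: everything after the first unescaped comma.

    A backslash escapes the next character, so a CN such as 'Doe\\, John'
    does not split the RDN in the middle.
    """
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            return dn[i + 1:].strip()
        i += 1
    return ""


def expected_state(hcm_status: str | None) -> dict | None:
    """Disabled flag and OU the DISABLEACCOUNTJSON would produce for a
    status; None when the status is not one the disable action handles."""
    ou = EXPECTED_OU.get(hcm_status or "")
    if ou is None:
        return None
    return {"disabled": True, "ou": ou}


def reconcile(identities: dict[str, str], accounts: list[dict]) -> list[dict]:
    """Compare each AD account with the state its owner's HCM status demands.

    identities: sAMAccountName -> customproperty5 (HCM status) from Saviynt.
    accounts:   AD attributes as a directory export would provide them.
    """
    findings = []
    for acct in accounts:
        user = acct["sAMAccountName"]
        status = identities.get(user)
        want = expected_state(status)
        if want is None:
            continue  # active statuses are outside this check
        disabled = bool(int(acct["userAccountControl"]) & UAC_ACCOUNTDISABLE)
        ou = container_of(acct["distinguishedName"])
        problems = []
        if want["disabled"] and not disabled:
            problems.append(f"enabled in AD although HCM status is {status}")
        if ou.lower() != want["ou"].lower():
            problems.append(f"located in '{ou}', expected '{want['ou']}'")
        if problems:
            findings.append({"user": user, "hcm_status": status, "problems": problems})
    return findings


# Constructed sample data mirroring the situations described in the thread.
SAMPLE_IDENTITIES = {"jdoe": "P", "asmith": "I", "bwong": "I", "clee": "A"}
SAMPLE_ACCOUNTS = [
    {   # P, disabled, in TemporaryLeave: consistent
        "sAMAccountName": "jdoe", "userAccountControl": "514",
        "distinguishedName": "CN=Doe\\, John,OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=example,DC=local,DC=xx",
    },
    {   # moved P -> I but never relocated (the original problem)
        "sAMAccountName": "asmith", "userAccountControl": "514",
        "distinguishedName": "CN=asmith,OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=example,DC=local,DC=xx",
    },
    {   # enable task ran, disable task never created (the later problem)
        "sAMAccountName": "bwong", "userAccountControl": "512",
        "distinguishedName": "CN=bwong,OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=example,DC=local,DC=xx",
    },
    {   # active user, out of scope for this check
        "sAMAccountName": "clee", "userAccountControl": "512",
        "distinguishedName": "CN=clee,OU=Staff,DC=example,DC=local,DC=xx",
    },
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_IDENTITIES, SAMPLE_ACCOUNTS):
        print(f["user"], f["hcm_status"], "; ".join(f["problems"]))
```

Feeding the script a real user export and an AD dump after each provisioning run shows whether the rule change actually produced the disable-and-move, rather than inferring it from whether a task appeared in the queue.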



Roua
Regular Contributor
Regular Contributor

Hello @rushikeshvartak do you have any recommendations or idea how to proceed with this?
Thank You! 🙂