08/21/2024 07:27 AM - edited 08/21/2024 07:30 AM
Hello, we have the following requirement:
setting HCM-Status to P
will disable the account by user update rule that will create a task and will be done with provisioning AD job
the account will be moved to a different OU:
DISABLEACCOUNTJSON:
{
"msExchExtensionCustomAttribute1": "${Calendar.getInstance().getTime().format('MM/dd/yyyy')}",
"spar-HCMStatus": "${user.customproperty5}",
"deleteAllGroups": "No",
"userAccountControl": "514",
"moveUsertoOU": "OU=TemporaryLeave,OU=xxx,OU=xxxx,DC=xxxx,DC=xxx,DC=xxx"
}
user update rule:
If (Users.customproperty5 isupdated) AND Users.customproperty5 = 'P' AND ( Users.id IN ( SELECT ru.userkey FROM Role_user_account ru, Roles r WHERE ru.rolekey = r.id AND r.role_name = 'xxxxx' ) OR Users.id NOT IN ( SELECT ru.userkey FROM Role_user_account ru, Roles r WHERE ru.rolekey = r.id AND r.role_name = 'xxxxxx' ) )
Then
(Disable User Accounts AND Create Update User Task [Connection: SAP HCM , Object: Update Login ])
then moving the HCM-STATUS from P to I "inactive" :
REMOVEACCOUNTACTION:
{
"removeAction": "DISABLE",
"msExchExtensionCustomAttribute1": "",
"spar-HCMStatus": "${user.customproperty5}",
"moveUsertoOU": "OU=Exited OutOfOffice,OU=xxx,OU=xxxx,DC=xxx,DC=xxx,DC=xxx"
}
I tried deleted, disabled, suspended in "removeAction": "DISABLE", but it doesn't work. And if we just choose DELETE, although in the user update rule it is assigned to be executed only in 90 days, when running the provisioning job it deleted the account immediately without moving it to the new OU.
And the user update rule:
If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Deprovision Access [ Endpoints: cda,Oracle Unified Directory2endpoint, Object: AccountsOnly ] AND Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ])
I also thought about disabling the account first and moving it to the new OU:
If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Disable User Accounts AND Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ])
and then another user update rule to delete the account:
If Users.HCM Status (Custom Property 5) is updated
AND Users.AD Distinqued Name (Custom Property 56) CONTAINS "OU=Exited OutOfOffice,OU=xxx,OU=xxx,DC=xx,DC=xx,DC=xx"
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Disable User AND Deprovision Access [ Endpoints: cda,Oracle Unified Directory2endpoint, Object: AccountsOnly ])
but it also didn't work.
Any ideas how we can solve this?
08/21/2024 07:39 AM
Can you share logs and highlight error in logs
08/22/2024 04:56 AM - edited 08/22/2024 05:01 AM
08/22/2024 06:18 AM
Hi @rushikeshvartak ,
here are detailed logs:
These logs show that the system correctly identified that the user’s HCM Status was updated and that it was set to "I":
2024-08-22T13:04:39.795+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1 AND a.customproperty5 = 'I' AND 1=1 )"
2024-08-22T13:04:39.797+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1 AND a.customproperty5 = 'I' AND 1=1 ) executed"
Task Skipping Due to Account Status:
The logs contain several instances where tasks were skipped:
2024-08-22T13:04:40.259+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","Task already exists. Skipping..."
The system likely assumes that since the account is disabled, it doesn't need to process additional tasks like relocation.
The following logs also suggest that no further actions were triggered after the system determined that the account was already in a disabled state:
2024-08-22T13:04:40.311+00:00,"ecm-worker","services.JbpmWorkflowService","Thread-32444-frbjs","DEBUG","Not triggering jobs."
How can we kind of force task creation? Or what could be the approach for this?
NOTE:
These are the logs regarding having two user update rules that I mentioned at the end, since triggering remove account already is removing it before it triggers a relocation.
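The correlation made in the post above, as an added example that is not part of the original thread or of Saviynt's tooling: it parses the quoted ecm-worker lines (embedded here as a constructed sample) and lists the skip messages logged shortly after a user update rule query. The function name and the pairing by time window are assumptions, since the lines carry no shared request id.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample: the four ecm-worker lines quoted in the post above.
SAMPLE_LOG = '''\
2024-08-22T13:04:39.795+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1 AND a.customproperty5 = 'I' AND 1=1 )"
2024-08-22T13:04:39.797+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","hql userupdate --select a.id from Users a where a.id=27135 AND ( 1 = 1 AND a.customproperty5 = 'I' AND 1=1 ) executed"
2024-08-22T13:04:40.259+00:00,"ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-9-frbjs","DEBUG","Task already exists. Skipping..."
2024-08-22T13:04:40.311+00:00,"ecm-worker","services.JbpmWorkflowService","Thread-32444-frbjs","DEBUG","Not triggering jobs."
'''

# Query logged when a user update rule is evaluated for one user.
RULE_QUERY = re.compile(r"hql userupdate --select a\.id from Users a where a\.id=(\d+)")
# Messages from the thread that indicate no new task or job was produced.
SKIP_MARKERS = ("Task already exists. Skipping...", "Not triggering jobs.")


def find_skipped_rule_actions(log_text, window=timedelta(seconds=5)):
    """Map user id -> skip messages logged within `window` after that user's rule query.

    Assumption: entries are paired by time only; the lines carry no request id.
    """
    findings = {}
    last_query = None  # (user_id, timestamp) of the most recent rule query
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # not a timestamp,service,class,thread,level,message record
        ts, message = datetime.fromisoformat(row[0]), row[5]
        match = RULE_QUERY.search(message)
        if match:
            last_query = (match.group(1), ts)
            findings.setdefault(match.group(1), [])
        elif message in SKIP_MARKERS and last_query and ts - last_query[1] <= window:
            findings[last_query[0]].append((row[0], message))
    return findings


if __name__ == "__main__":
    for user_id, events in find_skipped_rule_actions(SAMPLE_LOG).items():
        print(f"user {user_id}: rule query logged, {len(events)} skip message(s)")
        for stamp, text in events:
            print(f"  {stamp}  {text}")
```

A user id that appears with an empty list had its rule evaluated without any skip message in the window, which separates "rule never fired" from "rule fired but the task was suppressed".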
08/22/2024 06:21 AM
08/22/2024 06:28 AM
@rushikeshvartak thank you!
so you mean in the following user update rule:
If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Disable User Accounts AND Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ])
I should first add an action to enable the account?
But can I also add the disable action within the same user update rule "that I attached here"?
So in this case it should be something like this?
Would this create an add access task?
08/22/2024 06:37 AM
Yes if account is active
08/22/2024 07:05 AM
@rushikeshvartak can you explain more?
Moving from P "account is paused = disabled" to I "account is inactive", which as I understood from you, we need to enable it again in the user update rule and then set it to I again.
Would the user update rule work for this logic?
08/22/2024 07:06 AM
It should work.
08/22/2024 07:58 AM - edited 08/22/2024 08:06 AM
@rushikeshvartak
Once I changed it from P to I,
a task was created to enable the account, so I did run the provisioning JOB as long as AD import. The account was enabled, but it didn't create a task to disable it again and also it didn't continue the process I assigned in the user update rule.
Am I missing any additional step to trigger the task to disable the account based on the "I"?
08/22/2024 08:09 AM
08/22/2024 08:15 AM - edited 08/22/2024 08:21 AM
@rushikeshvartak, yes, that's what I understood from you: in order to disable it and relocate it, since it doesn't work from P to I because with P the account is already disabled, you told me to enable it and then disable it. Therefore I added this in my user update rule:
So I tested it and, as I mentioned earlier,
once I changed it from P to I,
a task was created to enable the account, so I did run the provisioning JOB as long as AD import. The account was enabled, but it didn't create a task to disable it again and also it didn't continue the process I assigned in the user update rule.
Am I missing any additional step to trigger the task to disable the account based on the "I"?
NOTE: after running the provisioning job the AD account is active and the HCM-STATUS is still "I",
which is the logic we need. Now the issue is how to actually make this user update rule trigger a task creation to create a disable task that will be processed "correct me if I was wrong" by the
DISABLEACCOUNTJSON field in AD that I set to:
{
"msExchExtensionCustomAttribute1": "${Calendar.getInstance().getTime().format('MM/dd/yyyy')}",
"xx-HCMStatus": "${user.customproperty5}",
"customproperty44": "${if (user.customproperty5 == 'P' || user.customproperty47.contains('OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=xxx,DC=local,DC=xx')) {Calendar.getInstance().getTime().format('MM/dd/yyyy')}}",
"deleteAllGroups": "No",
"userAccountControl": "514",
"moveUsertoOU": "${if(user.customproperty5 == 'P'){'OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=xxxx,DC=local,DC=xx'} else if(user.customproperty5 == 'I'){'OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=xxxx,DC=local,DC=x'}}"
}
So knowing that the HCMStatus "customproperty5" is I and the account is active, following the logic, disabling it should be possible. But again, how do we trigger this with the user rule? Because it didn't work.
08/22/2024 11:28 PM
Hello @rushikeshvartak, do you have any recommendations or ideas on how to proceed with this?
Thank You! 🙂