
Add Access to Inactive Account

abm15
New Contributor III

Hi,

I have a use case where I am onboarding a new user in Saviynt with a future dated start date.

I am provisioning the user to Active Directory with some birthright access using a technical rule. The account and access are provisioned upon user creation, but the account is provisioned to AD in a disabled state - only to be enabled on the user's effective start date.

Leading up to the user's start date, I want to give the manager an opportunity to request additional access the user may need before their start date. However, after Saviynt's initial birthright provisioning, I am not able to request new access for the account - I assume because the account status is Inactive.

Can I configure Saviynt to allow access requests for an Inactive account? Any advice on how to achieve this use case?

Thank you.

12 REPLIES

sudeshjaiswal
Saviynt Employee

Hello @abm15,

Currently, this is not achievable.

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

rushikeshvartak
All-Star

Enable the option below to request access for inactive accounts in global configuration.

[Image: rushikeshvartak_0-1698631009736.png]

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak, this does not create tasks. We also have this same issue.

This configuration will show the inactive accounts in the ARS, but I cannot request new access for the account.

Yes, you can't request for an inactive account.

Please raise an idea ticket for the enhancement.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak, yes, got to know that from Saviynt. This is not a good feature from them; I don't understand why Saviynt needs to restrict for no reason.

Manu269
All-Star

@abm15 inactive accounts only show up in ARS but do not create a task at all.

Any business use that you can add and post the idea link that you create.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos.

Sampo
Regular Contributor

We've found out that while you can't request access for an inactive account, the following scenarios can happen (at least with v24.1):

- technical rules give access to an inactive AD account. Provisioning access seems to work, but in case the AD account has existing group memberships, they are deleted by the connector.

- if the AD account is inactive, you can still request access to child endpoints of your AD endpoint. Also in this case adding the new group membership may work, but existing group memberships of the AD account are removed.

Is this really how the product is supposed to work? The customer would like to create AD accounts of joiners as inactive before the start date, allow managers to request access for the inactive accounts, use rules to provision access, and then enable the AD account just before the start date. Because of these limitations it seems that either AD accounts must be created as Active before the start date (which goes against the security requirements since the employee hasn't yet started in the job) or access must be only requested when the employee has started, which would make the onboarding process slower.

 

best regards,

Sampo

rituparna_pwc
Regular Contributor

@Sampo, agree; with all versions of Saviynt, the Add Access task does not get created when the account status is inactive. Most customers want Future Dated joiners to get created in active state and open the door for their supervisor to request access on behalf of the joiner from Saviynt before their Day 1.

I don't understand why Saviynt needs to stop the add access task getting provisioned or created for inactive accounts.

This will be implemented in future as per idea

https://ideas.saviynt.com/ideas/EIC-I-3334


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

That's great. Do you know which Saviynt release this feature is expected to be implemented for?

No, it does not have that information; you can contact your CSM/TAM to get the same.

Since the idea is in place, you can close this thread by accepting the answer.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.