10/27/2023 01:27 PM
Hi,
I have a use case where I am onboarding a new user in Saviynt with a future dated start date.
I am provisioning the user to Active Directory with some birthright access using a technical rule. The account and access are provisioned upon user creation, but the account is provisioned to AD in a disabled state - only to be enabled on the user's effective start date.
Leading up to the user's start date, I want to give the manager an opportunity to request additional access the user may need before their start date. However, after Saviynt's initial birthright provisioning, I am not able to request new access for the account - I assume because the account status is Inactive.
Can I configure Saviynt to allow access requests for an Inactive account? Any advice on how to achieve this use case?
Thank you.
10/27/2023 01:41 PM
Hello @abm15,
Currently, this is not achievable.
Thanks
10/29/2023 06:57 PM
Enable the option below to request access for inactive accounts in the global configuration.
10/30/2023 04:07 AM
@rushikeshvartak, this does not create tasks. Even we have this same issue.
11/01/2023 10:32 AM
This configuration will show the inactive accounts in the ARS, but I cannot request new access for the account.
11/01/2023 09:14 PM
Yes, you can't request for an inactive account.
Please raise an idea ticket for the enhancement.
11/01/2023 10:45 PM
@rushikeshvartak, yes, I got to know that from Saviynt. This is not a good feature from them; I don't understand why Saviynt needs to restrict this for no reason.
11/01/2023 09:57 PM
@abm15, inactive accounts only show up in ARS but do not create a task at all.
Any business use that you can add and post the idea link that you create.
01/31/2024 05:17 AM
We've found out that while you can't request access for an inactive account, the following scenarios can happen (at least with v24.1):
- Technical rules give access to an inactive AD account. Provisioning access seems to work, but in case the AD account has existing group memberships, they are deleted by the connector.
- If the AD account is inactive, you can still request access to child endpoints of your AD endpoint. Also in this case adding the new group membership may work, but existing group memberships of the AD account are removed.
Is this really how the product is supposed to work? The customer would like to create AD accounts of joiners as inactive before the start date, allow managers to request access for the inactive accounts, use rules to provision access, and then enable the AD account just before the start date. Because of these limitations, it seems that either AD accounts must be created as Active before the start date (which goes against the security requirements since the employee hasn't yet started in the job) or access must be requested only when the employee has started, which would make the onboarding process slower.
best regards,
Sampo
01/31/2024 06:26 AM
@Sampo, agreed; with all versions of Saviynt, Add Access tasks do not get created when the account status is inactive. Most customers want future-dated joiners to get created in an active state and open the door for their supervisor to request access on behalf of the joiner from Saviynt before their Day 1.
I don't understand why Saviynt needs to stop Add Access tasks from getting provisioned or created for inactive accounts.
01/31/2024 07:58 PM
This will be implemented in the future as per the idea:
https://ideas.saviynt.com/ideas/EIC-I-3334
02/01/2024 08:12 AM
That's great. Do you know which Saviynt release this feature is expected to be implemented for?
02/01/2024 12:11 PM
No, it does not have that information. You can contact your CSM/TAM to get the same.
Since the idea is in place, you can close this thread by accepting the answer.