05/19/2023 01:56 AM
We're wanting to decommission/retire several applications. They were connected systems but are now no longer connected (taken offline), but Saviynt still shows users and permissions.
Do you have any documentation outlining how to best decommission the connections, security systems, endpoints, accounts and entitlements in Saviynt that relate to these applications?
In particular, we have a number of users with accounts and entitlements on these security systems and endpoints and we need to remove these without doing bulk loads. We have investigated removing accounts using an API call with Instant Provisioning turned on, but it leaves the accounts in a "Manually Suspended" state as we can't reconcile the system anymore.
05/21/2023 06:25 PM
Following this post, as I am looking for a recommendation on this use case.
Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.
05/21/2023 10:44 PM
05/21/2023 10:46 PM
Hi Rushikesh,
Thank you for responding, but how do you propose that we make all accounts suspended from import and ensure that all entitlements are removed?
Grant
05/21/2023 10:51 PM
Use import sheet
05/21/2023 11:22 PM
Hi Rushikesh,
I don't believe that I can import a blank file to remove all users. Do you have a suggestion here?
Grant
05/24/2023 03:49 PM
Disable Security System
Disable Endpoint
Disable Connection (i.e. rename it as _Offboarded)
Mark all accounts as suspended from import service and add - Deleted tag in the account name via Custom query job
Mark all the entitlements part of the endpoint as inactive
Remove the cron expression from the trigger or delete the job
Wipe off all the custom properties of the endpoint (in case any processing was done based on the endpoint custom properties)
Modify the user update rules in case the endpoint was used anywhere.
Hope this helps!!
Thanks,
Devang Gandhi
05/25/2023 09:29 PM
Hi Devang,
Thanks for the detailed response. I think we're progressing towards a solution here.
How do we achieve "Mark all accounts as suspended from import service"? Are you saying that we need to run a DB Custom Query to change the Status field on the affected accounts to "SUSPENDED FROM IMPORT SERVICE"?
If we do that, how do we remove the attached entitlements on those accounts, as they won't be empty?
It would be great if the product had an Application Retirement Option (like it does for onboarding) that did all this and created annotated audit records for the removal of all of this. It feels a bit disjointed.
Thanks!
Grant
05/27/2023 10:29 AM
Agree with you @gbeckwith, there is no official way to decommission an application and suspend all accounts. Using a dummy CSV to make all accounts suspended sounds and feels like bodging, as you will need to upload at least one account (possibly just a dummy entry) in the CSV, as a blank CSV cannot be uploaded. Verified:
and custom query jobs are not recommended by Saviynt themselves (you can mess up badly if you don't double check your queries, and this doesn't create any audit logs either AFAIK):
So yeah, both these methods are more or less hacks.
Hope someone from Saviynt can provide inputs on this matter.
05/29/2023 08:16 PM
You can keep the account active or make the account inactive via import; as the security system and endpoint are inactive, it has no impact.
06/01/2023 11:45 AM
I agree it's better if someone from the Saviynt team provides a recommended way to decommission an application.
Thanks,
Devang Gandhi