Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Best Practice Documentation For Application Retirement & Cleanup (Offboarding)

gbeckwith
New Contributor II
New Contributor II

We're wanting to decomission/retire several applications.  They were connected systems but are now no longer connected (taken offline) but Saviynt still shows users and permissions.

Do you have any documentation outlining how to best decomission the connections, security systems, endpoints, accounts and entitlements in Saviynt that relate to these aplications.

In particular, we have a number of users with accounts and entitlements on these security systems and endpoints and we need to remove these without doing bulk loads.  We have investigated removing accounts using an API call with Instant Provisioning turned on, but it leaves the accounts in a "Manually Suspended" state as we can't reconcile the system anymore.

10 REPLIES 10

dgandhi
All-Star
All-Star

Following this post as looking for recommendation on these use case.

Thanks

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

rushikeshvartak
All-Star
All-Star
  • Disable Endpoint 
  • Make all accounts suspended from Import Service 
  • Disable Connections 
  • Remove Jobs

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

gbeckwith
New Contributor II
New Contributor II

Hi Rushikesh,

Thank you for responding, but how do you propose that we make all accounts suspended from import and ensure that all entitlements are removed?

Grant

Use import sheet


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

gbeckwith
New Contributor II
New Contributor II

Hi Rushikesh,

I don't believe that I can import a blank file to remove all users, do you have a suggestion here?

Grant

dgandhi
All-Star
All-Star

Disable Security System

Disable Endpoint

Disable Connection (i.e. rename it as _Offboarded)

Mark all accounts as suspended from import service  and add - Deleted tag in the account name via Custom query job

Mark all the entitlements part of the endpoint as inactive

Remove the cron expression from the trigger or delete the job

Wipe off all the custom properties of the endpoint (in case any processing was done based on the endpoint custom properties)

Modify the user updates rules in case the endpoint was used anywhere.

Hope this helps!!

Thanks

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

gbeckwith
New Contributor II
New Contributor II

Hi Devang,

Thanks for the detailed response.  I think we're progressing towards a solution here.

How do we achieve "Mark all accounts as suspended from import service".  Are you saying that we need to run a DB Custom Query to change the Status field on the affected accounts to "SUSPENDED FROM IMPORT SERVICE"? 

If we do that, how do we remove the attached entitlements on those accounts as they wont be emtpy?

It would be great if the product had an Application Retirement Option (like it does for onboarding) that did all this and created annotated audit records for the removal of all of this.  It feels a bit disjointed. 

Thanks!

Grant

yogesh
Regular Contributor III
Regular Contributor III

Agree with you @gbeckwith there is no official way to decommision an application and suspend all accounts. Using a dummy csv to make all accounts suspended sounds and feels like bodging as you will need to upload at least one account (possibly just a dummy entry) in csv as blank csv can not be uploaded. Verified:

yogesh_0-1685208355473.png

and custom query jobs are not recommended by Saviynt themselves (you can mess up badly if you dont double check your queries and this doesn't create any audit logs either AFAIK):

yogesh_1-1685208411965.png

 

So yeah, both these methods are more or less hacks.

Hope someone from Saviynt can provide inputs on this matter.

You can keep account active or make account inactive via import as secuity system and endpoint are inactive it has no impact


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

I agree its better if someone from Saviynt team provides recommended way to decommission an application.

 

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.