We're wanting to decommission/retire several applications. They were connected systems but are now no longer connected (taken offline) but Saviynt still shows users and permissions.
Do you have any documentation outlining how to best decommission the connections, security systems, endpoints, accounts and entitlements in Saviynt that relate to these applications?
In particular, we have a number of users with accounts and entitlements on these security systems and endpoints and we need to remove these without doing bulk loads. We have investigated removing accounts using an API call with Instant Provisioning turned on, but it leaves the accounts in a "Manually Suspended" state as we can't reconcile the system anymore.
Disable Security System
Disable Connection (i.e. rename it as _Offboarded)
Mark all accounts as suspended from import service and add - Deleted tag in the account name via Custom query job
Mark all the entitlements part of the endpoint as inactive
Remove the cron expression from the trigger or delete the job
Wipe off all the custom properties of the endpoint (in case any processing was done based on the endpoint custom properties)
Modify the user updates rules in case the endpoint was used anywhere.
Hope this helps!!
Thanks for the detailed response. I think we're progressing towards a solution here.
How do we achieve "Mark all accounts as suspended from import service"? Are you saying that we need to run a DB Custom Query to change the Status field on the affected accounts to "SUSPENDED FROM IMPORT SERVICE"?
If we do that, how do we remove the attached entitlements on those accounts as they won't be empty?
It would be great if the product had an Application Retirement Option (like it does for onboarding) that did all this and created annotated audit records for the removal of all of this. It feels a bit disjointed.
Agree with you @gbeckwith, there is no official way to decommission an application and suspend all accounts. Using a dummy csv to make all accounts suspended sounds and feels like bodging as you will need to upload at least one account (possibly just a dummy entry) in csv as blank csv cannot be uploaded. Verified:
and custom query jobs are not recommended by Saviynt themselves (you can mess up badly if you don't double check your queries and this doesn't create any audit logs either AFAIK):
So yeah, both these methods are more or less hacks.
Hope someone from Saviynt can provide inputs on this matter.