
Best Practice Documentation For Application Retirement & Cleanup (Offboarding)

gbeckwith
New Contributor II

We're wanting to decommission/retire several applications. They were connected systems but are now no longer connected (taken offline), but Saviynt still shows users and permissions.

Do you have any documentation outlining how to best decommission the connections, security systems, endpoints, accounts and entitlements in Saviynt that relate to these applications?

In particular, we have a number of users with accounts and entitlements on these security systems and endpoints and we need to remove these without doing bulk loads. We have investigated removing accounts using an API call with Instant Provisioning turned on, but it leaves the accounts in a "Manually Suspended" state as we can't reconcile the system anymore.


dgandhi
All-Star

Following this post, as I am looking for a recommendation on this use case.

Thanks

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

rushikeshvartak
All-Star
  • Disable Endpoint 
  • Make all accounts suspended from Import Service 
  • Disable Connections 
  • Remove Jobs

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

gbeckwith
New Contributor II

Hi Rushikesh,

Thank you for responding, but how do you propose that we make all accounts suspended from import and ensure that all entitlements are removed?

Grant

Use import sheet


Regards,
Rushikesh Vartak

gbeckwith
New Contributor II

Hi Rushikesh,

I don't believe that I can import a blank file to remove all users, do you have a suggestion here?

Grant

dgandhi
All-Star

Disable Security System

Disable Endpoint

Disable Connection (i.e. rename it as _Offboarded)

Mark all accounts as suspended from import service and add a "- Deleted" tag in the account name via a Custom Query job

Mark all the entitlements part of the endpoint as inactive

Remove the cron expression from the trigger or delete the job

Wipe off all the custom properties of the endpoint (in case any processing was done based on the endpoint custom properties)

Modify the user update rules in case the endpoint was used anywhere.

Hope this helps!!

Thanks

Thanks,
Devang Gandhi

gbeckwith
New Contributor II

Hi Devang,

Thanks for the detailed response. I think we're progressing towards a solution here.

How do we achieve "Mark all accounts as suspended from import service"? Are you saying that we need to run a DB Custom Query to change the Status field on the affected accounts to "SUSPENDED FROM IMPORT SERVICE"?

If we do that, how do we remove the attached entitlements on those accounts, as they won't be empty?

It would be great if the product had an Application Retirement Option (like it does for onboarding) that did all this and created annotated audit records for the removal of all of this. It feels a bit disjointed.

Thanks!

Grant

yogesh
Regular Contributor III

Agree with you @gbeckwith, there is no official way to decommission an application and suspend all accounts. Using a dummy CSV to make all accounts suspended sounds and feels like bodging, as you will need to upload at least one account (possibly just a dummy entry) in the CSV, as a blank CSV cannot be uploaded. Verified:

yogesh_0-1685208355473.png

and custom query jobs are not recommended by Saviynt themselves (you can mess up badly if you don't double-check your queries, and this doesn't create any audit logs either, AFAIK):

yogesh_1-1685208411965.png

 

So yeah, both these methods are more or less hacks.

Hope someone from Saviynt can provide inputs on this matter.

You can keep the account active or make the account inactive via import; as the security system and endpoint are inactive, it has no impact.


Regards,
Rushikesh Vartak

I agree it's better if someone from the Saviynt team provides a recommended way to decommission an application.

 

Thanks,
Devang Gandhi