Saviynt Forums

Hi Rushikesh,

The email template is attached here at the campaign configuration level.

For test purposes the email template only contains text and no variables. The TO: is my hardcoded email again only for troubleshooting purposes. 

Note that If I use this same email template on another certification email option (create of complete for instance) I do receive the emails, which makes me think the problem is not with the actual email template. Maybe related to the Revoke Task Email template option itself? This is what I am trying to figure out...

If it can help I found this in the logs at the time I did a campaign test. It does not say clearly that it is failing but it does not mention "email sent" like it does for campaign started and completed.

Thank you!

• Did you locked campaign?
• did you configured revoke task configuration in campaign.

Hi,

Yes I did lock the campaign. We do receive complete campaign emails and I can see the completed status.

The revoke tasks are configured with this option. When testing I can see remove tasks getting created and executed with success. The only item missing is getting these revoke tasks emails associated with the campaign working. Are there other requirements (Global Config, Endpoints config) to have revoke tasks emails sending emails?

Thank you,

Did you attach email template to individual endpoint level? Please attach and validate

No I did not. Are you mentioning this because it is a requirement or for troubleshooting purposes?

We would like to differenciate the access removal tasks that are triggered by certification campaigns  from the ones triggered using regular access requests. I was thinking using the campagin email template at the endpoint level would cause the template to be used outsite certifications. Is this a fair statement? Is there a way to workaround this?

In the end task is created for endpoint hence endpoint template will be used and you can differentiate using source 

Hi,

Thank you again. Do you think you could elaborate and provide an example regarding the "differentiate using source" part as I am not familiar with this.

I just tried to add this same email template test I was using (the one with my email hardcoded) at the endpoint level and I can see the remove access pending task created after campaign locked but again no email. 

Any idea what might still be missing?

I have hidden information but the endpoint name is the good one.

Use below variable in email template to specify task source ${task.source} 

this is source column from arstasks table

also try with static email content 

Hi rushikeshvartak,

I was finally able to receive a remove access email notification by changing Task Create by Task Complete on an AD Endpoint I was testing this with. I don't know why the Task Create option did not work but anyway it makes more sense to have the notification at task completion for connected applications in my opinion. At first, I was just trying with Task Create as a test to speed thing up a little...

Regarding the Revoke Task Email Template at the Campaign level, what is the purpose of this option if it cannot function by itself and send emails like the Create/Complete options do? During my successful test yesterday I removed the config at the Campaign level to confirm it is working only because I configured it at the Endpoint level. Is there a use case where the Revoke Task at the Campaign level should work? Otherwise I find this kind of misleading to have it there if you understand what I mean?

Thank you again.

Revoke Task Email Template - https://forums.saviynt.com/t5/identity-governance/revoke-task-email-template-mapping-user-manager-ca... 

this is used when tasks are created.

In our case tasks were created and executed by the campaign and no emails were sent using this option. This is the reason I posted this in the first place. Is it possible this option may not be working as expected?

Can you confirm campaign type?

Of course. Campaign type is User Manager.

I have validated in EO will check in 24.5 on UM and confirm

Hi Saathvik,

Thank you very much for the detailed information.

I think it explains the behaviour we have been observing.

@Manu269 : For connected applications you mean?

@Saathvik I thought you said earlier this was supposed to work only if the application is disconnected? Just confirming... 🙂 Thank you.

This works irrespective of application type. In case of connected application email gets sent to admin you can keep your self in bcc and validate

@glegault : Sorry I misspoke, I actually meant to refer instance provisioning not connected application. If instance provisioning is enabled then we observed task creation notifications from endpoint level are not getting(we tried for change password) triggered.

I validated and confirmed that Certification Revoke Task template is triggering irrespective of Disconnected vs Connected Application.

@Saathvik Since you and others are stating Certification Revoke Task template are working for all types of applications, there must be something I am not doing properly since I was never able to receive an email using this option even when hardcoding my corporate email in the email template and not using any variables for test purposes. Using the same test email template on campaign created/completed works fine.

Setting the email template at the endpoint level with Remove Access / Task Complete settings seem to be working fine from what I can see. As @rushikeshvartak  mentioned, we can differenciate using $task.source if the task is coming from a request or from certifications. I guess we will need to use this technique since I am not able to make this work at the campaign level. 

Thank you.

Yes . Please confirm if this thread solution is working as solution is already accepted please confirm if its working or not ?

@rushikeshvartak  and @Saathvik I just did a final test to confirm the connected vs disconnected app part. 

Using the same Campaign Template with Revoke Task email enabled to send to my hardcoded email without any variables I was able to get the Revoke Task email notification only for the disconnected application when the Pending Task was created. I never had tried disconnected applications certifications before as we are new with this and our current need was for AD connected applications.

For the AD connected application with automatic provisioning the Revoke Task email notification is not triggerred. The email notification I receive comes from the Endpoint level template I configured to be notified when the Remove Access has a Task Complete.

This behaviour we are seeing matches what @Saathvik was initialy stating and it is the comment I accepted as solution.

We are fine with this as we now have a better understanding of the process so thank you all!