05/24/2024 07:57 AM - edited 05/24/2024 09:08 AM
Hi,
We are currently configuring certification campaigns. We are using email notifications when campaigns are created, completed, expiring and for reminders. All of those are working fine, but we are struggling to get Revoke tasks notifications working.
I tried this with no luck.
The TO: variable we are using on the currently working campaign email template is ${users?.email}
I confirmed revoke tasks are created and executed. Only the email notification part is not working.
Are there any special requirements to have Revoke tasks working?
Thank you.
05/26/2024 10:44 AM
05/27/2024 05:08 AM - edited 05/27/2024 05:24 AM
Hi Rushikesh,
The email template is attached here at the campaign configuration level.
For test purposes the email template only contains text and no variables. The TO: is my hardcoded email, again only for troubleshooting purposes.
Note that if I use this same email template on another certification email option (create or complete for instance) I do receive the emails, which makes me think the problem is not with the actual email template. Maybe related to the Revoke Task Email template option itself? This is what I am trying to figure out...
If it can help I found this in the logs at the time I did a campaign test. It does not say clearly that it is failing but it does not mention "email sent" like it does for campaign started and completed.
Thank you!
05/27/2024 09:18 AM
05/27/2024 10:11 AM
Hi,
Yes I did lock the campaign. We do receive complete campaign emails and I can see the completed status.
The revoke tasks are configured with this option. When testing I can see remove tasks getting created and executed with success. The only item missing is getting these revoke tasks emails associated with the campaign working. Are there other requirements (Global Config, Endpoints config) to have revoke tasks emails sending emails?
Thank you,
05/27/2024 10:13 AM
Did you attach email template to individual endpoint level? Please attach and validate
05/27/2024 10:19 AM
No I did not. Are you mentioning this because it is a requirement or for troubleshooting purposes?
We would like to differentiate the access removal tasks that are triggered by certification campaigns from the ones triggered using regular access requests. I was thinking using the campaign email template at the endpoint level would cause the template to be used outside certifications. Is this a fair statement? Is there a way to work around this?
05/27/2024 10:30 AM
In the end, the task is created for the endpoint, hence the endpoint template will be used, and you can differentiate using source.
05/27/2024 10:45 AM
Hi,
Thank you again. Do you think you could elaborate and provide an example regarding the "differentiate using source" part as I am not familiar with this.
I just tried to add this same email template test I was using (the one with my email hardcoded) at the endpoint level and I can see the remove access pending task created after campaign locked but again no email.
Any idea what might still be missing?
I have hidden information but the endpoint name is the good one.
05/27/2024 12:51 PM - edited 05/27/2024 12:51 PM
Use the below variable in the email template to specify the task source: ${task.source}
This is the source column from the arstasks table.
Also try with static email content.
05/28/2024 05:41 AM
Hi rushikeshvartak,
I was finally able to receive a remove access email notification by changing Task Create to Task Complete on an AD Endpoint I was testing this with. I don't know why the Task Create option did not work, but anyway it makes more sense to have the notification at task completion for connected applications in my opinion. At first, I was just trying with Task Create as a test to speed things up a little...
Regarding the Revoke Task Email Template at the Campaign level, what is the purpose of this option if it cannot function by itself and send emails like the Create/Complete options do? During my successful test yesterday I removed the config at the Campaign level to confirm it is working only because I configured it at the Endpoint level. Is there a use case where the Revoke Task at the Campaign level should work? Otherwise I find this kind of misleading to have it there if you understand what I mean?
Thank you again.
05/28/2024 06:47 AM
Revoke Task Email Template - https://forums.saviynt.com/t5/identity-governance/revoke-task-email-template-mapping-user-manager-ca...
This is used when tasks are created.
05/28/2024 06:54 AM - edited 05/28/2024 06:55 AM
In our case tasks were created and executed by the campaign and no emails were sent using this option. This is the reason I posted this in the first place. Is it possible this option may not be working as expected?
05/28/2024 06:56 AM
Can you confirm campaign type?
05/28/2024 06:59 AM
Of course. Campaign type is User Manager.
05/28/2024 07:02 AM
I have validated in EO; will check in 24.5 on UM and confirm.
05/28/2024 07:21 AM - edited 05/28/2024 07:27 AM
@glegault : We are using the setting Revoke Task Email Template and we are able to receive the notification as expected upon revoke task creation. We are also on version v23.10. This will work only if the application is a disconnected application. If the application is enabled for automatic provisioning then I believe it will not trigger the task creation notification; same behaviour even if you have used endpoint level notification (only task completion emails will trigger).
I assumed this behaviour is expected for connected applications since it is working consistently.
05/28/2024 07:27 AM - edited 05/28/2024 07:37 AM
Hi Saathvik,
Thank you very much for the detailed information.
I think it explains the behaviour we have been observing.
05/28/2024 07:24 AM
@glegault we validated the same using Revoke Task Email Template on v23.11 and v24.2 and it's working.
05/28/2024 08:45 AM
05/28/2024 08:52 AM
@Saathvik I thought you said earlier this was supposed to work only if the application is disconnected? Just confirming... 🙂 Thank you.
05/28/2024 01:29 PM
This works irrespective of application type. In case of a connected application the email gets sent to the admin; you can keep yourself in bcc and validate.
05/28/2024 02:32 PM - edited 05/28/2024 02:42 PM
@glegault : Sorry, I misspoke. I actually meant to refer to instance provisioning, not connected application. If instance provisioning is enabled then we observed task creation notifications from endpoint level are not getting triggered (we tried for change password).
I validated and confirmed that Certification Revoke Task template is triggering irrespective of Disconnected vs Connected Application.
05/29/2024 05:37 AM
@Saathvik Since you and others are stating the Certification Revoke Task template is working for all types of applications, there must be something I am not doing properly, since I was never able to receive an email using this option even when hardcoding my corporate email in the email template and not using any variables for test purposes. Using the same test email template on campaign created/completed works fine.
Setting the email template at the endpoint level with Remove Access / Task Complete settings seems to be working fine from what I can see. As @rushikeshvartak mentioned, we can differentiate using $task.source if the task is coming from a request or from certifications. I guess we will need to use this technique since I am not able to make this work at the campaign level.
Thank you.
05/29/2024 07:20 PM
Yes. Please confirm if this thread's solution is working. As the solution is already accepted, please confirm whether it's working or not.
05/30/2024 05:21 AM
@rushikeshvartak and @Saathvik I just did a final test to confirm the connected vs disconnected app part.
Using the same Campaign Template with Revoke Task email enabled to send to my hardcoded email without any variables, I was able to get the Revoke Task email notification only for the disconnected application when the Pending Task was created. I had never tried disconnected application certifications before, as we are new with this and our current need was for AD connected applications.
For the AD connected application with automatic provisioning the Revoke Task email notification is not triggered. The email notification I receive comes from the Endpoint level template I configured to be notified when the Remove Access has a Task Complete.
This behaviour we are seeing matches what @Saathvik was initially stating and it is the comment I accepted as solution.
We are fine with this as we now have a better understanding of the process so thank you all!