Click HERE to see how Saviynt Intelligence is transforming the industry. |
09/26/2023 03:08 AM
Hello, I am having a difficult time understanding each option provided for the revoke task when building a certification campaign.
Can someone please provide more clarity below options.
for example,
1.Create Revoke Task for Terminated User & Revoked/Conditional Certified Acc. & Ent. on Expiring
Can it create revoke task for only Terminated Users on campaign expiry or it will create revoke tasks for terminated, rejected, or conditionally certified items accounts and entitlements on campaign expiry?
2.Create Remove Account Task For Base Account
Is this option used in User manager Campaign?
if I enable this how it works
3.Create Revoke Task For Certified Item on Expiry
Is certified items mean all approved items?
Reference doc
Configuring Settings for User Manager Campaigns (saviyntcloud.com)
Could anyone please clear my doubt.
09/28/2023 11:45 AM
Hi @SumathiSomala ,
Thanks.
09/28/2023 10:29 PM
@DaanishJawed Thanks for giving the clarification
Could you please elaborate the 2nd point?
2.Create Remove Account Task For Base Account
Exactly when revoke tasks will create and for which accounts and ents
10/03/2023 09:42 AM
@DaanishJawed Any update on my ask?
10/03/2023 03:51 PM
Hi @SumathiSomala ,
This is setting is specifically to create remove account task for BASE Accounts. As the description says in the document link - Enable this to create revoke task for base account and all its associated entitlements even if it is excluded from campaign
The REMOVE ACCOUNT task will be created for all accounts across the board once the campaign has been completed.
Thanks.
10/27/2023 08:52 AM
Hi @DaanishJawed @SumathiSomala
As per the above reply on this topic, I am also gone into the situation to understand these setting of revocation tasks.
1. Create Revoke Tasks For Certified Items On Expiry (Users)
Is certified items mean all approved items?
I don't understand the real use case where certifier approves the request and all the access get revoked. In practical world, the certification is meant to review the access and rejection of the access should be converted into revocation tasks but not the approved one.
Can someone please explain me if my understanding is wrong here?
thanks,
Arpit
10/27/2023 09:00 AM
1. Create Revoke Tasks For Certified Items On Expiry (Users)
Is certified items mean all approved items?
@Arpit_Tiwari Yes ,Your understanding is correct, This option enables you to create revoke task for all approved items on campaign expiry.
I am not sure about the business use case.
10/29/2023 08:04 PM
Its possible that not every certifier complete certification on time hence on expiry revoke approved access
10/29/2023 08:12 PM - edited 10/29/2023 08:13 PM
@rushikeshvartak yes but certifier approves the items when reportees need access right?
1.Create Remove Account Task For Base Account
@rushikeshvartak could you please elaborate the above config in UM campaign how this works?
What will happen if I disable/enable this.
10/29/2023 08:19 PM
but certifier approves the items when reportees need access --> Approved all access to revoke
Create Remove Account Task For Base Account - This will remove base account and all connected access.
Example Acc - A1 having E1/E2/E3
here base account remove account task will be generated and respective entitlement task will be generated based on endpoint level config
10/29/2023 08:50 PM
My questions may irritate you. I have tested many times still unable to understand this configuration.
@rushikeshvartak even though without selecting the above config, remove tasks are getting created for base account on certificate expiry or on lock for revoked items with other remove task configs.
Could you please differentiate ?
11/22/2023 02:50 PM
@SumathiSomala : Did you have Disable Remove Account Option enabled on Endpoint level in the testing you did? This setting will be helpful in case that particular scenario
10/30/2023 06:06 AM
My doubt is still not clear that why the approved access (Create Revoke Tasks For Certified Items On Expiry (Users) is getting revoked, if all certifiers are not able to complete certification on time. Instead, they can use "Create Revoke Task For Unresponded Items on Expiry".
Thanks,
Arpit
11/22/2023 02:54 PM
@Arpit_Tiwari : Certification is not completed until certifier is locked the certification.
In case certifier acted on all line items(approved/rejected) but still didn't lock the certification that particular scenario is nothing but he didn't still complete the certification in that particular scenario it can expire the certification after expiry. So this setting will tell whether to revoke the access even he took the action as approved/certified but didn't lock the certification.
Because technically we consider the certification is complete only if certification is locked until then he/she can make changes to his/her decision.
11/13/2023 08:07 AM
@Arpit_Tiwari Totally agree with you. However have tested this setting ??
@rushikeshvartak @SumathiSomala @DaanishJawed
Create Revoke Tasks For Certified Items On Expiry: In um certification i have only selected this and set expiry to 1 day. After campaign expired the status in over due. However it didnt trigger revoke task for certified accounts.
i have 2 accounts: one have marked as terminate and other i left it blank.
i have created one more campagin with Create Revoke Task For Unresponded Items on Expiry
set expiry to 1 day and didnt even touched the campagin for 1 day the status is marked as overdue. However it didnt trigger the revoke task.
11/13/2023 08:16 AM - last edited on 11/22/2023 09:30 PM by Sunil
@iam01 did you run the below job?
Expire Campaign based on End Date (CAMPAIGNEXPIREDJOB) |
[This message has been edited by moderator to disable URL hyperlink]
11/13/2023 08:32 AM
@SumathiSomala yes i just reran the job Create Revoke Task For Unresponded Items on Expiry is working as expected.
Create Revoke Task For Certified Item on Expiry:
I have marked one as work for me and other as terminated. it didnt triggerd any task.
Am getting confused "Create Revoke Task For Certified Item on Expiry: " could you please help me with this option
11/13/2023 08:46 AM
Create Revoke Task For Unresponded Items on Expiry : i have observed one more thing, it create the remove task for accounts. However its not setting saviynt user to inactive. Is this the expected behaviour? @SumathiSomala @DaanishJawed
11/13/2023 10:01 AM
Did you configured JSON for same ?
11/13/2023 10:08 AM
In general when certification is locked it will inactive the saviynt user right. Why would I need a json for same.
I hope you reply for the below:
Create Revoke Task For Unresponded Items on Expiry
11/13/2023 10:19 AM
Setting user to inactive is not expected , which certification are you referring to ?
11/13/2023 10:56 AM - edited 11/13/2023 11:14 AM
User manager campaign employment verification, when I opt for termination. It's creating an revoke account task and also inactive the saviynt user.
11/22/2023 03:25 AM
Hi @iam01 ,
If you opt for Termination at Step1, then it will inactivate the user and create remove account task. That is the expected behavior.
11/22/2023 07:01 PM
Revoke task for account is expected.