Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Campaign Revoke task

SumathiSomala
All-Star
All-Star

Hello, I am having a difficult time understanding each option provided for the revoke task when building a certification campaign.
Can someone please provide more clarity below options.
for example,
1.Create Revoke Task for Terminated User & Revoked/Conditional Certified Acc. & Ent. on Expiring

SumathiSomala_0-1695722403571.png

Can it create revoke task for only Terminated Users on campaign expiry or it will create revoke tasks for terminated, rejected, or conditionally certified items accounts and entitlements on campaign expiry?

2.Create Remove Account Task For Base Account

Is this option used in User manager Campaign?

if I enable this how it works

3.Create Revoke Task For Certified Item on Expiry

SumathiSomala_1-1695722705326.png

Is certified items mean all approved items?

Reference doc 

Configuring Settings for User Manager Campaigns (saviyntcloud.com)

Could anyone please clear my doubt.

 

 

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

23 REPLIES 23

DaanishJawed
Saviynt Employee
Saviynt Employee

Hi @SumathiSomala ,

  1. It will create revoke tasks for all terminated, rejected, or conditionally certified items accounts and entitlements on campaign expiry.
  2. Yes this is used in User Manager Campaign. This setting is to create a revoke task for the base account and all its associated entitlements.
  3. Yes certified items means all the items that has been approved by the certifier.

Thanks.

@DaanishJawed Thanks for giving the clarification 

Could you please elaborate the 2nd point?

2.Create Remove Account Task For Base Account

Exactly when revoke tasks will create and for which accounts and ents

 

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

@DaanishJawed Any update on my ask?

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

Hi @SumathiSomala ,

This is setting is specifically to create remove account task for BASE Accounts. As the description says in the document link - Enable this to create revoke task for base account and all its associated entitlements even if it is excluded from campaign

The REMOVE ACCOUNT task will be created for all accounts across the board once the campaign has been completed.

Thanks.

 

 

 

Hi @DaanishJawed  @SumathiSomala 

As per the above reply on this topic, I am also gone into the situation to understand these setting of revocation tasks. 

1. Create Revoke Tasks For Certified Items On Expiry (Users)

Is certified items mean all approved items?

I don't understand the real use case where certifier approves the request and all the access get revoked. In practical world, the certification is meant to review the access and rejection of the access should be converted into revocation tasks but not the approved one.

Can someone please explain me if my understanding is wrong here?

thanks,

Arpit

1. Create Revoke Tasks For Certified Items On Expiry (Users)

Is certified items mean all approved items?

@Arpit_Tiwari  Yes  ,Your understanding is correct, This option enables you to create revoke task for all approved items on campaign expiry.

I am not sure about the business use case.

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

Its possible that not every certifier complete certification on time hence on expiry revoke approved access 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@rushikeshvartak yes but certifier approves the items when reportees need access  right? 

1.Create Remove Account Task For Base Account

@rushikeshvartak could you please elaborate the above config in UM campaign how this works? 

What will happen if I disable/enable this. 

 

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

but certifier approves the items when reportees need access   --> Approved all access to revoke 

Create Remove Account Task For Base Account - This will remove base account and all connected access. 

Example Acc - A1  having E1/E2/E3

here base account remove account task will be generated and respective entitlement task will be generated based on endpoint level config


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

My questions may irritate you. I have tested many times still unable to understand this configuration. 

@rushikeshvartak even though without selecting the above config, remove tasks are getting created  for base account on certificate expiry or on lock for revoked items with other remove task configs.

Could you please differentiate ? 

 

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

@SumathiSomala : Did you have Disable Remove Account Option enabled on Endpoint level in the testing you did? This setting will be helpful in case that particular scenario


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Hi @rushikeshvartak 

My doubt is still not clear that why the approved access (Create Revoke Tasks For Certified Items On Expiry (Users) is getting revoked, if all certifiers are not able to complete certification on time. Instead, they can use "Create Revoke Task For Unresponded Items on Expiry". 

Thanks,

Arpit

@Arpit_Tiwari : Certification is not completed until certifier is locked the certification.

In case certifier acted on all line items(approved/rejected) but still didn't lock the certification that particular scenario is nothing but he didn't still complete the certification in that particular scenario it can expire the certification after expiry. So this setting will tell whether to revoke the access even he took the action as approved/certified but didn't lock the certification.

Because technically we consider the certification is complete only if certification is locked until then he/she can make changes to his/her decision.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

iam01
Regular Contributor
Regular Contributor

@Arpit_Tiwari Totally agree with you. However have tested this setting ??
@rushikeshvartak @SumathiSomala  @DaanishJawed 

Create Revoke Tasks For Certified Items On Expiry: In um certification i have only selected this and set expiry to 1 day. After campaign expired the status in over due. However it didnt trigger revoke task for certified accounts.

i have 2 accounts: one have marked as terminate and other i left it blank. 



i have created one more campagin with Create Revoke Task For Unresponded Items on Expiry
set expiry to 1 day and didnt even touched the campagin for 1 day the status is marked as overdue. However it didnt trigger the revoke task.





@iam01 did you run the  below job?

Expire Campaign based on End Date (CAMPAIGNEXPIREDJOB)

[This message has been edited by moderator to disable URL hyperlink]

Regards,
Sumathi Somala

If this reply answered your question, please Accept As Solution and give Kudos.

iam01
Regular Contributor
Regular Contributor

@SumathiSomala  yes i just reran the job  Create Revoke Task For Unresponded Items on Expiry is working as expected.


Create Revoke Task For Certified Item on Expiry: 
I have marked one as work for me and other as terminated. it didnt triggerd any task.

Am getting confused "Create Revoke Task For Certified Item on Expiry: " could you please help me with this option 

iam01_0-1699892979547.png

 

iam01
Regular Contributor
Regular Contributor

Create Revoke Task For Unresponded Items on Expiry : i have observed one more thing, it create the remove task for accounts. However its not setting saviynt user to inactive. Is this the expected behaviour? @SumathiSomala @DaanishJawed 

Did you configured JSON for same ?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

In general when certification is locked it will inactive the saviynt user right. Why would I need a json for same.

 

 

I hope you reply for the below:

Create Revoke Task For Unresponded Items on Expiry

Setting user to inactive is not expected , which certification are you referring to ?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

iam01
Regular Contributor
Regular Contributor

User manager campaign employment verification, when I opt for termination. It's creating an revoke account task and also inactive the saviynt user.

Hi @iam01 ,

If you opt for Termination at Step1, then it will inactivate the user and create remove account task. That is the expected behavior.

 

Revoke task for account is expected.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.