05/23/2023 02:44 AM
Hi Experts,
Please could you help me on a scenario?
We have an on-prem AD where Saviynt provisions all new users (AD is the target system). This on-prem AD syncs accounts to AzureAD every 30 minutes. Then we reconcile AzureAD to get the synced accounts into Saviynt.
The scenario is that we have to provision an SKU as a birthright into the AzureAD account on any new user creation. But we do not want to create a user in AzureAD; we only want to provision the SKU as an entitlement to the reconciled account once it is synced from on-prem AD to Azure AD.
Is there a way that we can wait for the account to be reconciled before running the birthright?
If we trigger the birthright before recon, then the AzureAD connector will try to create a new account, which we don't want.
Please help
Regards,
Naveen
05/24/2023 12:50 PM
We can delay the task creation from the User Update Rule but we may not be able to delay the provisioning to Azure AD.
In the User Update rule you can select the option to delay triggering the tech rule from the below option, though this value is only in days.
05/24/2023 01:05 PM
Try managing the time in minutes in the SQL advanced query.
05/24/2023 01:51 PM
Thanks @sahil and @rushikeshvartak for your reply.
I was thinking of it like this... tell me what you think.
Write a custom query to find AzureAD accounts reconciled "today" which don't have the entitlement that we want to add. Take the owner of that account and update a customproperty in the Users table with, say, the Today() date.
Then use a UserUpdate rule to check that user customproperty for a change (and maybe also today's date) and provision the entitlement against the AzureAD account of that user.
It will be like a detective rule.
Your thoughts...?
Regards,
Naveen
05/24/2023 02:07 PM
Use Saviynt4Saviynt instead of a CQ.
05/24/2023 02:14 PM
Could you please elaborate on how that would go? I do have Saviynt4Saviynt enabled, and it does show as an account on each user.
How do I use it to check which AzureAD account was reconciled today for the users?
05/27/2023 11:08 AM
I personally would just make an actionable analytics control that runs every 30 mins, finds all Azure accounts without the said entitlement, and creates an add access task for that entitlement. That way it automatically works only on those accounts which are already reconciled into Saviynt.
That way all your logic is in one place: you don't need a birthright rule, a custom query job, or a Saviynt4Saviynt connection.
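The detective query behind that last suggestion (and behind Naveen's earlier custom-query idea), written out as an added example that is not part of this thread. Table and column names follow Saviynt's analytics schema as assumed here; the endpoint name, entitlement type, SKU value, status codes and output column aliases are placeholders to verify against your own instance and the add-access action's documentation.

```sql
-- Added example, not from the thread. Schema names (accounts, endpoints, users,
-- user_accounts, entitlement_types, entitlement_values, account_entitlements1,
-- arstasks) are assumed from Saviynt's analytics schema; all literals are placeholders.
SELECT
    u.username           AS username,
    a.name               AS accountname,
    e.endpointname       AS endpoint,
    et.entitlementname   AS entitlementtype,
    ev.entitlement_value AS entitlement_value
FROM accounts a
JOIN endpoints e           ON e.endpointkey = a.endpointkey
JOIN user_accounts ua      ON ua.accountkey = a.accountkey
JOIN users u               ON u.userkey = ua.userkey
-- the one licence (SKU) every reconciled Azure AD account should hold
JOIN entitlement_types et  ON et.endpointkey = e.endpointkey
                          AND et.entitlementname = 'License'           -- placeholder type
JOIN entitlement_values ev ON ev.entitlementtypekey = et.entitlementtypekey
                          AND ev.entitlement_value = 'ENTERPRISEPACK'  -- placeholder SKU
WHERE e.endpointname = 'AzureAD'                                        -- placeholder endpoint
  AND a.status IN ('1', 'Manually Provisioned')   -- active accounts only (assumed values)
  AND u.statuskey = 1                              -- active users only
  -- Because the query starts from rows already in accounts, it can only match accounts
  -- that reconciliation has brought in; Saviynt therefore raises an ADD ACCESS task, never
  -- the CREATE ACCOUNT task the birthright-before-recon path would produce.
  AND NOT EXISTS (
        SELECT 1
        FROM account_entitlements1 ae
        WHERE ae.accountkey = a.accountkey
          AND ae.entitlement_valuekey = ev.entitlement_valuekey
  )
  -- Running every 30 minutes would otherwise re-raise the same task until the first one
  -- completes, so skip accounts that already have an open task for this entitlement.
  AND NOT EXISTS (
        SELECT 1
        FROM arstasks t
        WHERE t.accountkey = a.accountkey
          AND t.entitlement_valuekey = ev.entitlement_valuekey
          AND t.status IN (1, 2)                   -- open-task status codes (assumed)
  )
```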