Delayed Provisioning in Birthright Rule

Naveen_Talanos
Regular Contributor

Hi Experts,

Please could you help me on a scenario?

We have on-prem AD where Saviynt provisions all new users as target system. This on-prem AD syncs accounts to AzureAD every 30 minutes.  Then we reconcile AzureAD to get the synced accounts into Saviynt. 

The scenario is that we have to provision SKU as birthright into AzureAD account on any new user creation. But we do not want to create a user in AzureAD but only provision SKU as entitlement to reconciled account once it is synced from On-Prem AD to Azure AD.

Is there a way that we can wait for account to be reconciled before running birthright?

If we trigger birthright before recon then AzureAD connector will try to create a new account, which we don't want.

Please help

Regards,

Naveen

6 REPLIES

SB
Saviynt Employee

We can delay the task creation from the User Update Rule but we may not be able to delay the provisioning to Azure AD. 

In the User Update rule you can select the option to delay triggering the tech rule from the below option, though this value is only in days.

Regards,
Sahil

rushikeshvartak
All-Star

Try managing the time in minutes in the SQL advanced query.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Naveen_Talanos
Regular Contributor

Thanks @SB and @rushikeshvartak for your reply.

I was thinking of it like this... tell me what you think.

Write a custom query to find AzureAD accounts reconciled "Today" which don't have the entitlement that we want to add. Take the owner of that account and update a customproperty in the Users table with, say, the "Today()" date.

Then use a UserUpdate rule to check that User customproperty for a change, and maybe also today's date, and provision the entitlement against the AzureAD account of that user.

It will be like a detective rule.

Your thoughts...?

Regards,

Naveen

Use Saviynt4Saviynt instead of CQ.


Regards,
Rushikesh Vartak

Could you please elaborate on how that would go? I do have Saviynt4Saviynt enabled and it does show as an account in each user.

How do I use it to check which AzureAD account was reconciled today for the users?

yogesh
Regular Contributor III

I personally would just make an actionable analytics that runs every 30 mins, finds all azure accounts without the said entitlement and creates add access task for that entitlement. So this automatically just works on those accounts which are already reconciled to Saviynt.

That way all your logic is in one place, you don't need a birthright rule, or a custom query job, or a Saviynt4Saviynt connection.
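
The selection logic of the scheduled-analytics approach in the reply above, sketched as an added example (not code from any thread participant and not Saviynt's own). The table names, column names and the `SKU_E3` value are constructed for illustration and are not Saviynt's real schema; the check for an already pending task is an added assumption so that a 30-minute schedule does not create duplicate tasks.

```python
import sqlite3

# Constructed, simplified schema for illustration only; these are not
# Saviynt's real table or column names.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, endpoint TEXT);
CREATE TABLE account_ents (account_id INTEGER, ent TEXT);
CREATE TABLE tasks (account_id INTEGER, ent TEXT, status TEXT);
"""

# Anti-join: reconciled AzureAD accounts that neither hold the SKU nor
# already have an open add-access task for it.
MISSING_SKU = """
SELECT a.id FROM accounts a
WHERE a.endpoint = 'AzureAD'
  AND NOT EXISTS (SELECT 1 FROM account_ents e
                  WHERE e.account_id = a.id AND e.ent = :sku)
  AND NOT EXISTS (SELECT 1 FROM tasks t
                  WHERE t.account_id = a.id AND t.ent = :sku
                    AND t.status = 'PENDING')
ORDER BY a.id
"""

def run_cycle(db, sku):
    """One scheduled run: create add-access tasks, return the account ids."""
    ids = [row[0] for row in db.execute(MISSING_SKU, {"sku": sku})]
    db.executemany("INSERT INTO tasks VALUES (?, ?, 'PENDING')",
                   [(i, sku) for i in ids])
    return ids

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: alice and bob are reconciled into AzureAD,
    # bob already holds the SKU, carol exists only in on-prem AD so far.
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1, "alice", "AzureAD"), (2, "bob", "AzureAD"), (3, "carol", "AD")])
    db.execute("INSERT INTO account_ents VALUES (2, 'SKU_E3')")
    first = run_cycle(db, "SKU_E3")    # only alice's account qualifies
    second = run_cycle(db, "SKU_E3")   # pending task suppresses a duplicate
    # carol's AzureAD account arrives with the next recon
    db.execute("INSERT INTO accounts VALUES (4, 'carol', 'AzureAD')")
    third = run_cycle(db, "SKU_E3")
    return first, second, third

if __name__ == "__main__":
    print(demo())
```

Because the query only ever selects accounts that already exist on the AzureAD endpoint, a user who has not yet been synced produces no task, so nothing asks the connector to create an account.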