
Deleting accounts from Active Directory which are Inactive

varunpuri
Regular Contributor

Hi,

We have a requirement where Saviynt is expected to delete accounts from Active Directory which have been inactive for a period of 30 days.

AD connector documentation provides an attribute on the connection object by the name REMOVEACCOUNTACTION. It also mentions the following line - 
removeAction: Use this attribute to set the action to be performed when accounts are removed. When you do not set to DELETE, the connector performs a hard delete (permanent removal) of account at Active Directory.

The above line says - "when you do not set to DELETE". I have a few questions :

1. What should we then set the removeAccount attribute to if we have to perform a hard delete of an AD account?

2. I checked and found that there is NO option available in the User Update Rules where I can specify the Action as Delete Account,
BUT
there is an option available in the analytics section where I can specify the Action as Delete Account. But will Saviynt actually generate a Delete Account task for Inactive Accounts? Because I have also seen that Saviynt does not generate any task for Inactive Accounts.

Appreciate your help.

Best Regards,
Varun

8 REPLIES

prajakta
New Contributor III

Regarding #2, you need to configure Action as Deprovision Access on the selected Endpoint. Here you can select Accounts or Access or Both.

This will trigger RemoveAccount Task.

Regarding #1, my observation is:

removeAction: Delete is hard deleting the account from AD.

removeAction: Suspend is not keeping the account as is. Maybe this can be leveraged to move and keep the account in a DeletedOU.

Since this particular config documentation is confusing, it would be great if someone from Saviynt confirms these configurations and corrects the documentation.

Thanks

varunpuri
Regular Contributor

Thank You, @prajakta 

Regarding #2 - If I select Deprovision Access as the action, will Saviynt still generate the RemoveAccount task? Because the account which has to be deleted is an Inactive Account from Saviynt's perspective. Will it consider such an account for task generation?

Account status should be Active, Manually Provisioned or Suspended; only then will tasks be created.

Deprovision Access will create access tasks only.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

varunpuri
Regular Contributor

As per the requirement, when the user identity status changes from Active to Inactive, the corresponding AD account should get disabled - which can be done by configuring an Update User task and configuring DisableAccountJSON at the connector level. This will mark the AD account in Saviynt as Inactive.

Additionally, 30 days after the account becomes Inactive, Saviynt should trigger the AD account deletion - if tasks can only be generated for active, manually provisioned or suspended accounts, then how can we achieve this requirement?

Can you try generating tasks (any task) from an actionable report, for testing, for an inactive account?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

varunpuri
Regular Contributor

@rushikeshvartak - I tried to generate a Delete Account task from actionable analytics. As per Saviynt's documentation, I have used the following SQL query:

select a.name, a.accountkey as acctKey, a.endpointkey, 'deleteAccount' as Default_Action_For_Analytics from accounts a where a.accountkey = <SOME_ACCOUNT_KEY>

The accountkey which I have specified in the query above is of an Inactive account. The analytics is fetching 1 record as expected. I have run the analytics manually but the task is not getting generated. Below is the snapshot of Analytics Run History.

[screenshot: Analytics Run History]

The Pending Tasks page does not show any task

[screenshot: Pending Tasks page]

Best Regards,
Varun
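The query in the post above selects one account by key. As an added example (not code from the original post, and not Saviynt's own documentation), here is the same actionable-analytics query widened to the real requirement from the thread: every account on the AD endpoint whose last change is 30 or more days old, preceded by a diagnostic variant that surfaces the account status, since the thread reports that accounts in an Inactive status are silently skipped at task generation. The table and column names `accounts`, `endpoints`, `status`, `updatedate`, `endpointname`, the endpoint name `ActiveDirectory`, the status literals `'1'` and `'Manually Provisioned'`, the use of `updatedate` as the "inactive since" timestamp, and the MySQL date syntax are all assumptions; verify each against your own Saviynt schema before using the query.

```sql
-- Added example, not from the original post or from Saviynt's documentation.
-- Assumed schema (verify against your instance):
--   accounts(accountkey, name, status, endpointkey, updatedate)
--   endpoints(endpointkey, endpointname)
-- Assumed endpoint name 'ActiveDirectory' and assumed status literals
-- '1' (Active) and 'Manually Provisioned'. updatedate is assumed to reflect
-- the last status change of the account. MySQL date syntax is assumed.

-- 1) Diagnostic: list the candidate population together with its status, so an
--    account that the analytics will skip (for example status INACTIVE) is
--    visible in the result set rather than only as a missing task.
SELECT a.accountkey   AS acctKey,
       a.name,
       a.status,
       a.updatedate,
       e.endpointname
FROM   accounts a
       JOIN endpoints e ON e.endpointkey = a.endpointkey
WHERE  e.endpointname = 'ActiveDirectory'
  AND  a.updatedate <= DATE_SUB(CURDATE(), INTERVAL 30 DAY)
ORDER BY a.updatedate;

-- 2) Actionable query: the same population, restricted to the statuses for
--    which the thread reports that a task is actually created. The columns
--    acctKey, endpointkey and Default_Action_For_Analytics are the ones the
--    original query returned; the status filter is the added check.
SELECT a.name,
       a.accountkey    AS acctKey,
       a.endpointkey,
       'deleteAccount' AS Default_Action_For_Analytics
FROM   accounts a
       JOIN endpoints e ON e.endpointkey = a.endpointkey
WHERE  e.endpointname = 'ActiveDirectory'
  AND  a.status IN ('1', 'Manually Provisioned')     -- assumed eligible statuses
  AND  a.updatedate <= DATE_SUB(CURDATE(), INTERVAL 30 DAY);
```

Run the diagnostic first: if the account you expect to be deleted appears there with a status outside the eligible list, the actionable query will not produce a task for it, which matches the behaviour reported in this thread, and the User Update Rule approach described later in the thread is the route to take for such accounts.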

prajakta
New Contributor III

Hi @varunpuri ,

Can you try with deprovisionAccount as the action?

Thanks,

Prajakta

varunpuri
Regular Contributor

Hello @prajakta ,

In your first reply on this post, you mentioned the following:

[screenshot of the earlier reply]

This response was not clear to me, but after some trial and error, I figured out that the option you are referring to is available in the User Update Rule itself.
We can configure a User Update Rule and within that provide an Action of Deprovision Access. Corresponding to this Action, Saviynt further provides us the option to select what we want to deprovision - either Account, Access or both.
I configured this rule, selected Account as the object to be deprovisioned corresponding to the Deprovision Access action, and was able to generate the Remove Account task.

Thank You, for your assistance.

Best Regards,
Varun