01-02-2023 12:07 AM
Hi,
We have a requirement where Saviynt is expected to delete accounts from Active Directory that have been inactive for a period of 30 days.
AD connector documentation provides an attribute on the connection object by the name REMOVEACCOUNTACTION. It also mentions the following line -
removeAction: Use this attribute to set the action to be performed when accounts are removed. When you do not set to DELETE, the connector performs a hard delete (permanent removal) of account at Active Directory.
The above line says "when you do not set to DELETE". I have a few questions:
1. What should we then set the removeAccount attribute to if we have to perform a hard delete of the AD account?
2. I checked and found that there is NO option available in the User Update Rules where I can specify the Action as Delete Account.
BUT
There is an option available in the analytics section where I can specify the Action as Delete Account. But will Saviynt actually generate a Delete Account task for Inactive Accounts? Because I have also seen that Saviynt does not generate any task for Inactive Accounts.
Appreciate your help.
Best Regards,
Varun
01-02-2023 02:24 AM - edited 01-02-2023 02:40 AM
Regarding #2, you need to configure Action as Deprovision Access on selected Endpoint. Here you can select Accounts or Access or Both.
This will trigger RemoveAccount Task.
Regarding #1, my observation is:
removeAction : Delete is hard deleting the account from AD.
removeAction : Suspend is not keeping the account as is. Maybe this can be leveraged to move and keep the account in DeletedOU.
Since this particular config documentation is confusing, it would be great if someone from Saviynt confirms these configurations and corrects the documentation.
Thanks
01-02-2023 02:49 AM
Thank You, @prajakta
Regarding #2 - If I select Deprovision Access as the action, will Saviynt still generate the RemoveAccount task? Because the account which has to be deleted is an Inactive Account from Saviynt's perspective. Will it consider such an account for task generation?
01-02-2023 04:27 AM
Account status should be active / manually provisioned / suspended; only then will tasks be created.
Deprovision access will create access tasks only.
01-02-2023 04:34 AM
As per the requirement, when the user identity status changes from Active to Inactive then the corresponding AD account should get disabled - which can be done by configuring Update User task and configuring DisableAccountJSON at the connector level. This will mark the AD account in Saviynt as Inactive.
Additionally, after 30 days of the account becoming Inactive, Saviynt should trigger AD account deletion. If tasks can only be generated for active, manually provisioned or suspended accounts, then how can we achieve this requirement?
01-02-2023 04:37 AM
Can you try generating tasks (any task) from an actionable report for testing with an inactive account?
01-02-2023 05:19 AM
@rushikeshvartak - I tried to generate a Delete Account task from actionable analytics. As per Saviynt's documentation, I have used the SQL query as follows:
select a.name,a.accountkey as acctKey, endpointkey, 'deleteAccount' as Default_Action_For_Analytics from accounts a where accountkey = <SOME_ACCOUNT_KEY>;
The accountkey which I have specified in the query above is of an Inactive account. The analytics is fetching 1 record as expected. I have run the analytics manually, but the task is not getting generated. Below is the snapshot of Analytics Run History.
The Pending Tasks page does not show any task.
Best Regards,
Varun
01-02-2023 10:24 PM
01-03-2023 04:59 AM
Hello @prajakta ,
In your first reply on this post, you mentioned the following:
This response was not clear to me, but after some hit and try, I figured that the option you are referring to is available in the User Update Rule itself.
We can configure a User Update Rule and within that provide an Action as Deprovision Access. Corresponding to this Action, Saviynt further provides us the option to select what we want to deprovision - either Account, Access or both.
I configured this rule and selected Account as the object to be deprovisioned corresponding to Deprovision Access action and was able to generate the Remove Account task.
Thank you for your assistance.
Best Regards,
Varun