
Detective technical rules not validating for all users in preview

Caesrob
Regular Contributor

We have configured technical rule Birthright groups which every user should get when they enter Saviynt based on a couple of conditions. 

If we click preview on the technical rule, we can see that 10436 users should get these birthright groups. This is the same for every birthright group rule we created.

Since there were already a lot of users in our environment when we made these rules, we decided to use the detective checkbox and the Run Detective Rules job to validate these rules for all users already present in our environment.

After the job finished for all groups (we did this separately for every group) and all tasks were completed, we checked the groups in LDAP and Active Directory to see if 10436 members were added.

Group 1: 10429 members
Group 2: 10433 members
Group 3: 10431 members
Group 4: 10429 members
Group 5: 10435 members

As you can see, not a single group has every member added. We checked the members that were missing and this was completely random for each group. Some groups had member1 when other groups didn't have member1, even though the conditions are all the exact same. 

We tried running the detective Rule job again for each group, but this did not fix anything. Also, all tasks were completed and none errored.

Does anyone have a solution for this or know why this is happening?

 

10 REPLIES

NM
Honored Contributor II

Hi @Caesrob, were the tasks created for those users? And also, does the member have an account in that endpoint?

Caesrob
Regular Contributor

Hi,

No tasks were created for the missing users.

It also seems that when we do another Job run of the detective rules for a specific birthright group, there is a chance another user might be added to the group but this is not always the case and there are still missing members.

NM
Honored Contributor II

@Caesrob are these groups requestable?

Did the member have any task in pending state?

Caesrob
Regular Contributor

I don't see how the groups being requestable has anything to do with it? But yes, they are requestable.

No, none of the users had any tasks in pending state.

rushikeshvartak
All-Star
  • Taking one of them as a sample user, the questions are below:
    • If you run the detective rule based on that, does it work?
    • What is the status of the account for the user?
    • Do you see any errors in the logs?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

1. Yes, if I add a condition like Username Equals "(name)" and run the detective rule, that user will get added to the group.

2. All active users have active accounts. We checked this for some users who didn't get provisioned.

3. No, there are no errors (or logs in general) mentioning a specific provisioning of those users to the groups.

 

  • Do you see any information in the execution trail?

Regards,
Rushikesh Vartak

No, even for the student which I added the condition Username Equals "(name)" for and got executed correctly, there are no records of this happening in the execution trail.

We looked into the execution trail before for other users and they can't be found either, not in Processed and not in errored.

Raise a support ticket for further troubleshooting.


Regards,
Rushikesh Vartak

@Caesrob 
Try the options below.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.