Click HERE to see how Saviynt Intelligence is transforming the industry. |
09/11/2024 12:53 AM
We have configured technical rule Birthright groups which every user should get when they enter Saviynt based on a couple of conditions.
If we click preview on the technical rule, we can see that 10436 users should get these birthright groups. This is the same for every birthright group rule we created.
Since there were already a lot of users in our environment when we made these rules, we decided to use the detective checkbox and the Run Detective Rules job to validate these rules for all users already present in our environment.
After the job finished for all groups (we did this seperately for every group) and all tasks were completed, we checked the groups in LDAP and Active Directory to see if 10436 members were added.
Group 1: 10429 members
Group 2: 10433 members
Group 3: 10431 members
Group 4: 10429 members
Group 5: 10435 members
As you can see, not a single group has every member added. We checked the members that were missing and this was completely random for each group. Some groups had member1 when other groups didn't have member1, even though the conditions are all the exact same.
We tried running the detective Rule job again for each group, but this did not fix anything. Also, all tasks were completed and none errored.
Does anyone have a solution for this or know why this is happening?
09/11/2024 02:08 AM - edited 09/11/2024 02:09 AM
Hi @Caesrob were the task created for those users? And also does memeber have account in that endpoint?
09/11/2024 02:42 AM
Hi,
No tasks were created for the missing users.
It also seems that when we do another Job run of the detective rules for a specific birthright group, there is a chance another user might be added to the group but this is not always the case and there are still missing members.
09/11/2024 02:45 AM
@Caesrob are these groups requestable?
Does the member had any task in pending state?
09/11/2024 04:28 AM
I don't see how the groups being requestable has anything to do with it? But yes, they are requestable.
No, none of the users had any tasks in pending state.
09/11/2024 05:11 AM
09/12/2024 12:31 AM
1. Yes, if I add a condition like "Username Equals "(name)" and run the detective rule, that user will get added to the group.
2. All active users have active accounts. We checked this for some users who didn't get provisioned.
3. No, there is no errors (or logs in general) mentioning a specific provisioning of those users to the groups.
09/12/2024 08:42 AM
09/13/2024 01:03 AM
No, even for the student which I added the condition "Username Equals "(name)" for and got executed correctly, there are no records of this happening in the execution trail.
We looked into the execution trail before for other users and they can't be found either, not in Processed and not in errored.
09/13/2024 05:55 AM
Raise support ticket for further troubleshooting
09/13/2024 09:36 AM
@Caesrob
Try the options below.