Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Disable/inactivate the active accounts with inactive users.

Go to solution
Santosh
Regular Contributor
Regular Contributor

‎09/16/2024 08:12 AM

We had a scenario where the internal SaviyntforSaviynt accounts were still active for handful users after termination. I was able to pull their records using/cloning the OOTB analytics "Inactive users with Active Accounts". I was trying to take an action "Accept/Revoke" but after doing so there was no pending task or completed task generated.

Our goal is to make sure all the accounts get inactivated/suspended upon termination. Any leads? how can we take an action on the analytics so accounts can be inactive for inactive users?

Labels:
0 Kudos
14 REPLIES 14

Go to solution
stalluri
Valued Contributor II
Valued Contributor II

‎09/16/2024 08:34 AM

@Santosh 
If you want the tasks to be created for actionable analytics, create a job, and it will create the tasks for all the list of items that showed up in the analytics.

  • You can instantly use user update rules and trigger the tasks for inactive users. WSRETRY job will take the action automatically.
  • You can create actionable analytics and schedule the job. It makes the task and uses the WSRETRY job, and takes the action automatically. 

Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star

‎09/16/2024 08:40 AM


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Santosh
Regular Contributor
Regular Contributor

‎09/16/2024 08:57 AM

@rushikeshvartak @stalluri , I'm getting error with this query,

SELECT
A.name,
A.accountkey as acctKey,
E.endpointkey,
U.username AS 'USERNAME',
U.firstname AS 'USER FIRST NAME',
U.lastname AS 'USER LAST NAME',
CASE
WHEN U.statuskey IS NULL THEN 'NOT AVAILABLE'
WHEN U.statuskey = 0 THEN 'INACTIVE'
WHEN U.statuskey = 1 THEN 'ACTIVE'
ELSE U.statuskey
END 'USER STATUS',
U.termdate AS 'USER TERMINATION DATE',
E.displayname AS 'APPLICATION DISPLAY NAME',
A.NAME AS 'APPLICATION ACCOUNT NAME',
CASE
WHEN A.status IS NULL THEN 'NOT AVAILABLE'
WHEN A.status = 1 THEN 'ACTIVE'
ELSE A.status
END 'ACCOUNT STATUS',
Monthname(U.savupdatedate) AS 'UpdatedMonth',
'Deprovision Access' AS Default_Action_For_Analytics
FROM accounts A,
user_accounts UA,
users U,
endpoints E,
securitysystems S
WHERE A.accountkey = UA.accountkey
AND U.userkey = UA.userkey
AND A.endpointkey = E.endpointkey
AND E.securitysystemkey = S.systemkey
AND U.statuskey = 0
AND E.status = 1
AND A.status IN ( 1, 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
ORDER BY
U.username,
S.systemname,
E.endpointname;

 

0 Kudos

Go to solution
stalluri
Valued Contributor II
Valued Contributor II
In response to Santosh

‎09/16/2024 09:31 AM

For de-provisioning account you need:

select a.name,a.accountkey as acctKey, endpointkey, 'deprovisionAccount' as Default_Action_For_Analytics from accounts;

Tode-provisioning access you need:

select ae1.entitlement_valuekey as entvaluekey,ev.ENTITLEMENT_VALUE,ae1.accountkey as acctKey, a.name, 'Deprovision Access' as 'Default_Action_For_Analytics' from account_entitlements1 ae1, accounts a , entitlement_values ev where a.accountkey = ae1.accountkey and ev.ENTITLEMENT_VALUEKEY=ae1.ENTITLEMENT_VALUEKEY and a.endpointkey=12;

 

SELECT
A.accountkey as acctKey,
E.endpointkey,
U.userkey AS 'userkey',
'deprovisionAccount' AS Default_Action_For_Analytics
FROM accounts A,
user_accounts UA,
users U,
endpoints E,
securitysystems S
WHERE A.accountkey = UA.accountkey
AND U.userkey = UA.userkey
AND A.endpointkey = E.endpointkey
AND E.securitysystemkey = S.systemkey
AND U.statuskey = 0
AND E.status = 1
AND A.status IN ( 1, 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Santosh

‎09/16/2024 10:06 AM

SELECT A.NAME,
       A.accountkey               AS acctKey,
       E.endpointkey,
       U.username                 AS USERNAME,
       U.firstname                AS USER_FIRST_NAME,
       U.lastname                 AS USER_LAST_NAME,
       CASE
         WHEN U.statuskey IS NULL THEN 'NOT AVAILABLE'
         WHEN U.statuskey = 0 THEN 'INACTIVE'
         WHEN U.statuskey = 1 THEN 'ACTIVE'
         ELSE Cast(U.statuskey AS CHAR)
       END                        AS USER_STATUS,
       U.termdate                 AS USER_TERMINATION_DATE,
       E.displayname              AS APPLICATION_DISPLAY_NAME,
       A.NAME                     AS APPLICATION_ACCOUNT_NAME,
       CASE
         WHEN A.status IS NULL THEN 'NOT AVAILABLE'
         WHEN A.status = 1 THEN 'ACTIVE'
         ELSE Cast(A.status AS CHAR)
       END                        AS ACCOUNT_STATUS,
       Monthname(U.savupdatedate) AS UpdatedMonth,
       'deprovisionAccount'       AS Default_Action_For_Analytics
FROM   accounts A
       JOIN user_accounts UA
         ON A.accountkey = UA.accountkey
       JOIN users U
         ON U.userkey = UA.userkey
       JOIN endpoints E
         ON A.endpointkey = E.endpointkey
       JOIN securitysystems S
         ON E.securitysystemkey = S.systemkey
WHERE  U.statuskey = 0
       AND E.status = 1
       AND ( A.status = 1
              OR A.status = 'MANUALLY PROVISIONED' )
       AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
ORDER  BY U.username,
          S.systemname,
          E.endpointname; 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Go to solution
Santosh
Regular Contributor
Regular Contributor

‎09/16/2024 10:03 AM

Thank you for your response, I needed users attribute information too, so I added them, and the pending task got generated and I ran the wsretry job for the internal connector but go the following error, I'm guessing the issue with the disableaccountJSON configuration

{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Santosh

‎09/16/2024 10:07 AM

This is issue with your JSON


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
NM
Honored Contributor II
Honored Contributor II
In response to Santosh

‎09/16/2024 10:07 AM

Hi @Santosh does the endpoint have connection assigned is it a saviynt connection .

Is the connection json populated and connection working

0 Kudos

Go to solution
Santosh
Regular Contributor
Regular Contributor
In response to NM

‎09/16/2024 10:57 AM

Yes, it is the internal Saviynt connection. tested and is successful. We have the JSON configuration for RemoveAccount and DisableAccount. my case matches the 2nd one as we are not deleting the account instead keeping it inactive. Here, we do populate the certain CP and based on that value we have a WD writeback triggering.

The remove account JSON as this part,

"httpParams": "{\"username\":\"${user.username}\",\"statuskey\":\"1\"}",

 

here instead of 0 it is 1. maybe something to look into.

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Santosh

‎09/16/2024 11:47 AM

You can write conditional logic


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Santosh
Regular Contributor
Regular Contributor

‎09/16/2024 01:01 PM

I made a little change to the allowed action and added "Disable Account", that took care of the disabling of the internal sav4sav account for inactive users. Thank you all.

0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Santosh

‎09/16/2024 02:03 PM

Please click the 'Accept As Solution' button on the reply (or replies) that best answers your original question and hit 'Kudos' button 👍.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
rushikeshvartak
All-Star
All-Star
In response to Santosh

‎09/17/2024 07:50 AM

Can you share changed JSON


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Go to solution
Santosh
Regular Contributor
Regular Contributor
In response to rushikeshvartak

‎09/17/2024 10:24 AM

didn't had to change the JSON, I utilized the above query by @stalluri  added few columns from users table and on allowed action I had it "Disable Account" like the usual ones (revoke, accept, further action). And after running the analytics, took action on it manually. It created the pending task and was fulfilled by provisioning job.

0 Kudos
Copyright © 2024 Khoros, LLC