
Disable/inactivate the active accounts with inactive users.

Santosh
Regular Contributor

We had a scenario where the internal SaviyntforSaviynt accounts were still active for a handful of users after termination. I was able to pull their records using/cloning the OOTB analytics "Inactive users with Active Accounts". I was trying to take an action "Accept/Revoke", but after doing so there was no pending task or completed task generated.

Our goal is to make sure all the accounts get inactivated/suspended upon termination. Any leads? How can we take an action on the analytics so the accounts can be inactivated for inactive users?


stalluri
Valued Contributor II

@Santosh 
If you want tasks to be created for actionable analytics, create a job, and it will create the tasks for all the items that showed up in the analytics.

  • You can instantly use user update rules and trigger the tasks for inactive users. The WSRETRY job will take the action automatically.
  • You can create actionable analytics and schedule the job. It creates the task, uses the WSRETRY job, and takes the action automatically.

Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

rushikeshvartak
All-Star

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Santosh
Regular Contributor

@rushikeshvartak @stalluri , I'm getting an error with this query,

SELECT
A.name,
A.accountkey as acctKey,
E.endpointkey,
U.username AS 'USERNAME',
U.firstname AS 'USER FIRST NAME',
U.lastname AS 'USER LAST NAME',
CASE
WHEN U.statuskey IS NULL THEN 'NOT AVAILABLE'
WHEN U.statuskey = 0 THEN 'INACTIVE'
WHEN U.statuskey = 1 THEN 'ACTIVE'
ELSE U.statuskey
END 'USER STATUS',
U.termdate AS 'USER TERMINATION DATE',
E.displayname AS 'APPLICATION DISPLAY NAME',
A.NAME AS 'APPLICATION ACCOUNT NAME',
CASE
WHEN A.status IS NULL THEN 'NOT AVAILABLE'
WHEN A.status = 1 THEN 'ACTIVE'
ELSE A.status
END 'ACCOUNT STATUS',
Monthname(U.savupdatedate) AS 'UpdatedMonth',
'Deprovision Access' AS Default_Action_For_Analytics
FROM accounts A,
user_accounts UA,
users U,
endpoints E,
securitysystems S
WHERE A.accountkey = UA.accountkey
AND U.userkey = UA.userkey
AND A.endpointkey = E.endpointkey
AND E.securitysystemkey = S.systemkey
AND U.statuskey = 0
AND E.status = 1
AND A.status IN ( 1, 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
ORDER BY
U.username,
S.systemname,
E.endpointname;


stalluri
Valued Contributor II

For de-provisioning an account you need:

select a.name,a.accountkey as acctKey, endpointkey, 'deprovisionAccount' as Default_Action_For_Analytics from accounts;

For de-provisioning access you need:

select ae1.entitlement_valuekey as entvaluekey,
       ev.ENTITLEMENT_VALUE,
       ae1.accountkey as acctKey,
       a.name,
       'Deprovision Access' as 'Default_Action_For_Analytics'
from account_entitlements1 ae1, accounts a, entitlement_values ev
where a.accountkey = ae1.accountkey
  and ev.ENTITLEMENT_VALUEKEY = ae1.ENTITLEMENT_VALUEKEY
  and a.endpointkey = 12;


SELECT
A.accountkey as acctKey,
E.endpointkey,
U.userkey AS 'userkey',
'deprovisionAccount' AS Default_Action_For_Analytics
FROM accounts A,
user_accounts UA,
users U,
endpoints E,
securitysystems S
WHERE A.accountkey = UA.accountkey
AND U.userkey = UA.userkey
AND A.endpointkey = E.endpointkey
AND E.securitysystemkey = S.systemkey
AND U.statuskey = 0
AND E.status = 1
AND A.status IN ( 1, 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

SELECT A.NAME,
       A.accountkey               AS acctKey,
       E.endpointkey,
       U.username                 AS USERNAME,
       U.firstname                AS USER_FIRST_NAME,
       U.lastname                 AS USER_LAST_NAME,
       CASE
         WHEN U.statuskey IS NULL THEN 'NOT AVAILABLE'
         WHEN U.statuskey = 0 THEN 'INACTIVE'
         WHEN U.statuskey = 1 THEN 'ACTIVE'
         ELSE Cast(U.statuskey AS CHAR)
       END                        AS USER_STATUS,
       U.termdate                 AS USER_TERMINATION_DATE,
       E.displayname              AS APPLICATION_DISPLAY_NAME,
       A.NAME                     AS APPLICATION_ACCOUNT_NAME,
       CASE
         WHEN A.status IS NULL THEN 'NOT AVAILABLE'
         WHEN A.status = 1 THEN 'ACTIVE'
         ELSE Cast(A.status AS CHAR)
       END                        AS ACCOUNT_STATUS,
       Monthname(U.savupdatedate) AS UpdatedMonth,
       'deprovisionAccount'       AS Default_Action_For_Analytics
FROM   accounts A
       JOIN user_accounts UA
         ON A.accountkey = UA.accountkey
       JOIN users U
         ON U.userkey = UA.userkey
       JOIN endpoints E
         ON A.endpointkey = E.endpointkey
       JOIN securitysystems S
         ON E.securitysystemkey = S.systemkey
WHERE  U.statuskey = 0
       AND E.status = 1
       AND ( A.status = 1
              OR A.status = 'MANUALLY PROVISIONED' )
       AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
ORDER  BY U.username,
          S.systemname,
          E.endpointname; 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
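Added example, not code from the thread or from Saviynt: a small Python pre-check that reads an analytics query's SELECT list and compares its result columns with the column sets the two example queries above use for each Default_Action_For_Analytics value (those sets are an assumption read off this thread, not official documentation). Run on a condensed form of the original query it reports that 'Deprovision Access' is missing an entvaluekey column, and it accepts the 'deprovisionAccount' form.

```python
import re

# Minimum result columns per Default_Action_For_Analytics value, read off the column
# sets in stalluri's two example queries above (assumption; confirm in the product docs).
REQUIRED_COLUMNS = {
    "deprovisionAccount": {"acctkey", "endpointkey"},
    "Deprovision Access": {"acctkey", "entvaluekey"},
}
ACTION_COLUMN = "default_action_for_analytics"


def select_list(sql):
    """SELECT-list expressions, split at commas outside parentheses (one level deep)."""
    body = re.search(r"\bselect\b(.*?)\bfrom\b", sql, re.I | re.S).group(1)
    return [e.strip() for e in re.split(r",(?![^()]*\))", body)]


def output_name(expr):
    """Result-column name: a quoted alias, an AS/bare alias, or the column itself."""
    quoted = re.search(r"""(['"`])([^'"`]*)\1\s*$""", expr)
    if quoted:
        return quoted.group(2)
    tokens = expr.split()
    if len(tokens) > 1:  # "x AS alias", "x alias", or an unaliased CASE ... END
        return None if tokens[-1].upper() == "END" else tokens[-1]
    col = tokens[0]
    return col.split(".")[-1] if re.fullmatch(r"\w+\.\w+", col) else col


def check_actionable_query(sql):
    """Return (action, missing): required columns the SELECT list does not produce."""
    names, action = set(), None
    for expr in select_list(sql):
        name = output_name(expr)
        if name and name.lower() == ACTION_COLUMN:
            literal = re.match(r"\s*'([^']*)'", expr)
            action = literal.group(1) if literal else None
        elif name:
            names.add(name.lower())
    if action not in REQUIRED_COLUMNS:
        raise ValueError(f"unsupported or missing action literal: {action!r}")
    return action, sorted(REQUIRED_COLUMNS[action] - names)


# Constructed inputs condensed from the thread; the second only swaps the action literal.
FAILING_SQL = """SELECT A.accountkey as acctKey, E.endpointkey,
  CASE WHEN U.statuskey = 0 THEN 'INACTIVE' ELSE U.statuskey END 'USER STATUS',
  'Deprovision Access' AS Default_Action_For_Analytics
FROM accounts A JOIN endpoints E ON A.endpointkey = E.endpointkey"""
FIXED_SQL = FAILING_SQL.replace("'Deprovision Access'", "'deprovisionAccount'")
```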

Santosh
Regular Contributor

Thank you for your response. I needed the users' attribute information too, so I added them, and the pending task got generated. I ran the wsretry job for the internal connector but got the following error; I'm guessing the issue is with the disableaccountJSON configuration:

{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}

This is an issue with your JSON.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

NM
Honored Contributor II

Hi @Santosh, does the endpoint have a connection assigned? Is it a Saviynt connection?

Is the connection JSON populated and is the connection working?

Santosh
Regular Contributor

Yes, it is the internal Saviynt connection. Tested and it is successful. We have the JSON configuration for RemoveAccount and DisableAccount. My case matches the 2nd one, as we are not deleting the account but instead keeping it inactive. Here, we do populate a certain CP and based on that value we have a WD writeback triggering.

The remove account JSON has this part,

"httpParams": "{\"username\":\"${user.username}\",\"statuskey\":\"1\"}",


Here, instead of 0 it is 1. Maybe something to look into.

You can write conditional logic.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Santosh
Regular Contributor

I made a little change to the allowed action and added "Disable Account", that took care of the disabling of the internal sav4sav account for inactive users. Thank you all.

Please click the 'Accept As Solution' button on the reply (or replies) that best answers your original question and hit 'Kudos' button 👍.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Can you share the changed JSON?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

I didn't have to change the JSON. I utilized the above query by @stalluri, added a few columns from the users table, and on allowed action I had "Disable Account" like the usual ones (revoke, accept, further action). After running the analytics, I took action on it manually. It created the pending task and it was fulfilled by the provisioning job.