09/16/2024 08:12 AM
We had a scenario where the internal SaviyntforSaviynt accounts were still active for a handful of users after termination. I was able to pull their records using/cloning the OOTB analytics "Inactive users with Active Accounts". I was trying to take an action "Accept/Revoke" but after doing so there was no pending task or completed task generated.
Our goal is to make sure all the accounts get inactivated/suspended upon termination. Any leads? How can we take an action on the analytics so accounts can be inactive for inactive users?
09/16/2024 08:34 AM
@Santosh
If you want the tasks to be created for actionable analytics, create a job, and it will create the tasks for all the list of items that showed up in the analytics.
09/16/2024 08:40 AM
09/16/2024 08:57 AM
@rushikeshvartak @stalluri, I'm getting an error with this query:
SELECT
A.name,
A.accountkey as acctKey,
E.endpointkey,
U.username AS 'USERNAME',
U.firstname AS 'USER FIRST NAME',
U.lastname AS 'USER LAST NAME',
CASE
WHEN U.statuskey IS NULL THEN 'NOT AVAILABLE'
WHEN U.statuskey = 0 THEN 'INACTIVE'
WHEN U.statuskey = 1 THEN 'ACTIVE'
ELSE U.statuskey
END 'USER STATUS',
U.termdate AS 'USER TERMINATION DATE',
E.displayname AS 'APPLICATION DISPLAY NAME',
A.NAME AS 'APPLICATION ACCOUNT NAME',
CASE
WHEN A.status IS NULL THEN 'NOT AVAILABLE'
WHEN A.status = 1 THEN 'ACTIVE'
ELSE A.status
END 'ACCOUNT STATUS',
Monthname(U.savupdatedate) AS 'UpdatedMonth',
'Deprovision Access' AS Default_Action_For_Analytics
FROM accounts A,
user_accounts UA,
users U,
endpoints E,
securitysystems S
WHERE A.accountkey = UA.accountkey
AND U.userkey = UA.userkey
AND A.endpointkey = E.endpointkey
AND E.securitysystemkey = S.systemkey
AND U.statuskey = 0
AND E.status = 1
AND A.status IN ( 1, 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
ORDER BY
U.username,
S.systemname,
E.endpointname;
09/16/2024 09:31 AM
For de-provisioning account you need:
select a.name, a.accountkey as acctKey, a.endpointkey, 'deprovisionAccount' as Default_Action_For_Analytics from accounts a;
For de-provisioning access you need:
select ae1.entitlement_valuekey as entvaluekey,ev.ENTITLEMENT_VALUE,ae1.accountkey as acctKey, a.name, 'Deprovision Access' as 'Default_Action_For_Analytics' from account_entitlements1 ae1, accounts a , entitlement_values ev where a.accountkey = ae1.accountkey and ev.ENTITLEMENT_VALUEKEY=ae1.ENTITLEMENT_VALUEKEY and a.endpointkey=12;
SELECT
A.accountkey as acctKey,
E.endpointkey,
U.userkey AS 'userkey',
'deprovisionAccount' AS Default_Action_For_Analytics
FROM accounts A,
user_accounts UA,
users U,
endpoints E,
securitysystems S
WHERE A.accountkey = UA.accountkey
AND U.userkey = UA.userkey
AND A.endpointkey = E.endpointkey
AND E.securitysystemkey = S.systemkey
AND U.statuskey = 0
AND E.status = 1
AND A.status IN ( 1, 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
09/16/2024 10:06 AM
SELECT A.NAME,
A.accountkey AS acctKey,
E.endpointkey,
U.username AS USERNAME,
U.firstname AS USER_FIRST_NAME,
U.lastname AS USER_LAST_NAME,
CASE
WHEN U.statuskey IS NULL THEN 'NOT AVAILABLE'
WHEN U.statuskey = 0 THEN 'INACTIVE'
WHEN U.statuskey = 1 THEN 'ACTIVE'
ELSE Cast(U.statuskey AS CHAR)
END AS USER_STATUS,
U.termdate AS USER_TERMINATION_DATE,
E.displayname AS APPLICATION_DISPLAY_NAME,
A.NAME AS APPLICATION_ACCOUNT_NAME,
CASE
WHEN A.status IS NULL THEN 'NOT AVAILABLE'
WHEN A.status = 1 THEN 'ACTIVE'
ELSE Cast(A.status AS CHAR)
END AS ACCOUNT_STATUS,
Monthname(U.savupdatedate) AS UpdatedMonth,
'deprovisionAccount' AS Default_Action_For_Analytics
FROM accounts A
JOIN user_accounts UA
ON A.accountkey = UA.accountkey
JOIN users U
ON U.userkey = UA.userkey
JOIN endpoints E
ON A.endpointkey = E.endpointkey
JOIN securitysystems S
ON E.securitysystemkey = S.systemkey
WHERE U.statuskey = 0
AND E.status = 1
AND ( A.status = 1
OR A.status = 'MANUALLY PROVISIONED' )
AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
ORDER BY U.username,
S.systemname,
E.endpointname;
09/16/2024 10:03 AM
Thank you for your response. I needed user attribute information too, so I added it, and the pending task got generated. I ran the wsretry job for the internal connector but got the following error. I'm guessing the issue is with the disableaccountJSON configuration:
{"auditDetails":{"call1":[{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"},{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}]},"call1":{"headers":null,"message":"","statusCode":null,"description":null,"status":"Failed"}}
09/16/2024 10:07 AM
This is an issue with your JSON.
09/16/2024 10:07 AM
Hi @Santosh, does the endpoint have a connection assigned? Is it a Saviynt connection?
Is the connection JSON populated, and is the connection working?
09/16/2024 10:57 AM
Yes, it is the internal Saviynt connection. It was tested and is successful. We have the JSON configuration for RemoveAccount and DisableAccount. My case matches the 2nd one, as we are not deleting the account but keeping it inactive. Here, we do populate a certain CP, and based on that value we have a WD writeback triggering.
The remove account JSON has this part:
"httpParams": "{\"username\":\"${user.username}\",\"statuskey\":\"1\"}",
Here, instead of 0 it is 1. Maybe something to look into.
09/16/2024 11:47 AM
You can write conditional logic
09/16/2024 01:01 PM
I made a little change to the allowed action and added "Disable Account", that took care of the disabling of the internal sav4sav account for inactive users. Thank you all.
09/17/2024 07:50 AM
Can you share the changed JSON?
09/17/2024 10:24 AM
Didn't have to change the JSON. I utilized the above query by @stalluri, added a few columns from the users table, and on allowed action I had it as "Disable Account" like the usual ones (revoke, accept, further action). And after running the analytics, I took action on it manually. It created the pending task and it was fulfilled by the provisioning job.
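
A follow-up check for the cleanup discussed in this thread, as an added example that is not part of any post and is not Saviynt's own code: it summarises, per endpoint, how many accounts of inactive users are still active and how long the oldest has been exposed, so the result can be compared before and after the provisioning job runs. It assumes MySQL syntax, the table and column names used in the queries above, and that users.termdate is a DATE or DATETIME column.

```sql
-- Added example: residual-exposure summary to run after the provisioning job.
-- Tables, columns and filters mirror the queries posted in the thread.
-- Assumption: users.termdate is a DATE/DATETIME column (needed by DATEDIFF).
SELECT E.endpointkey,
       E.displayname                        AS APPLICATION_DISPLAY_NAME,
       COUNT(DISTINCT A.accountkey)         AS ACTIVE_ACCOUNTS_OF_INACTIVE_USERS,
       COUNT(DISTINCT U.userkey)            AS INACTIVE_USERS_AFFECTED,
       MIN(U.termdate)                      AS OLDEST_TERMINATION_DATE,
       -- Days the longest-standing account has stayed active past termination
       MAX(DATEDIFF(CURDATE(), U.termdate)) AS MAX_DAYS_SINCE_TERMINATION
FROM   accounts A
       JOIN user_accounts UA
         ON A.accountkey = UA.accountkey
       JOIN users U
         ON U.userkey = UA.userkey
       JOIN endpoints E
         ON A.endpointkey = E.endpointkey
WHERE  U.statuskey = 0                      -- user is inactive
       AND E.status = 1                     -- endpoint is active
       AND ( A.status = 1
              OR A.status = 'MANUALLY PROVISIONED' )
       AND U.username NOT IN ( 'ADMIN', 'AWSADMIN' )
GROUP  BY E.endpointkey,
          E.displayname
ORDER  BY MAX_DAYS_SINCE_TERMINATION DESC;
```

An empty result means no inactive user still holds an active account on any active endpoint; rows that persist after the job point at endpoints whose disable tasks were not fulfilled.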