Saviynt Forums

Hi Rishi -

This is a REST connector. There is no API specifically for checking for a manager, but the manager would have a Saviynt-managed account in this endpoint if they do exist there. There is only a users api we could call to check to see if user exist and check for error.

Currently when we call the create account API and there is no account in the system corresponding to their manager, the API will fail which requires manual action on our part to then go in and create a new ARS request for their manager to get an account. After that completes, the create account for their direct report will then succeed.

Ideal scenario would be one of the following:

• Detect when the create account user's manager does not have an account in the endpoint, and submit a new ARS for them automatically (we have birthright access). CreateAccount for direct report can live in retry state while the manager's account is created at which point it should complete.
• Detect when the create account user's manager does not have an account in the endpoint and maybe assign them a dummy manager. Not ideal but at least in this case we could delegate a task for a business user to monitor this scenario and submit ARS requests for the manager to get an account. The downside is then they would also need to submit an update request for the direct employee's account to then be updated to the new manager. It is a heavy manual effort and difficult to scale.

What about when this issue is triggered by technical rule as result of a user update? There is no DA in place in this example as it doesn't come from ARS request. A good example of this is we often have cases where a user in this endpoint has a manager change (a new hire who managers others who have accounts in the endpoint is a good example), but the manager does not yet have an account in the endpoint. The user update rule detecting the new manager tries to run and update their manager in the endpoint for their account, but it fails until the manager account is created. 

We have to send the manager value. This is an expense/procurement related application and not having a manager interrupts the approval hierarchy in the application which causes a SOX audit issue.

I think the DA solution could work for ARS-based request (which would be common) but we also have automation scenario through user update rules when user's get new managers. This will fail during their account update if the manager does not already have an account.

#1 - Update Rule --> If manager account is not exists then we should call another rule or maybe custom jar to raise auto approved request to create manager account

@#2  ARS Request - You can put condition that if manager does not have account then don't show application using access query or using dynamic attribute hide all requestable objects (Ents/ Role)

This functionality is not supported as it may lead to compliance issues with the source of the account creation. The creation of Manager account should be handled as part of the business process itself like the other regular account requests are generated.
Alternatively, you can try to increase the task retry count so the task can eventually complete when Manager's account is created. Also, in case there is an option in target system to not allow or fail the account creation if manager is not available.

But can this by referenced by workflow? If so, I could check for null condition, and assign a task to an admin to create the manager account and then approve the request.