06/14/2023 12:28 PM
There are several targets that EIC manages on which accounts are not deleted. They are retained for various reasons and therefore the apps have a requirement for Saviynt to allow users to request reactivation of their IDs on the targets.
The security system has also been configured to create entitlement tasks only because the New Account pending task needs to be suppressed within Saviynt until the requested entitlements are fully approved. If this configuration is not enabled in Saviynt, then Saviynt will create an ID right away on the target even while entitlements are pending approval (because request type = 3 is configured for autoapproval).
Additionally, the below configuration has also been enabled on the endpoint:
Users are still able to request a new account to be created with the above configurations through the following request workflow:
Click on Add New Access, which then brings up all the different endpoints available in Saviynt for ARS (for this use case, the ServiceNow ID of the user is inactive and the user is trying to request it).
When the user clicks on the endpoint tile, EIC shows the option to request a new account.
In the next step, the user is able to provide the same ID as was used before and also request the required entitlements. This would create a pending task with selected entitlements and WSRETRY would fail to process the pending task because there is already an inactive account on the target with the same name.
If the user provides an account name that does not exist on the target, then this ends up with (1) the target having multiple IDs for a single user (2) SSO failing because the new user ID on the target is not present in the enterprise directory to successfully authenticate the user via SSO solution.
Any suggestions on how to overcome this shortfall in Saviynt product?
Thanks.
06/14/2023 07:58 PM
Hi @krecpond
What is the status of the User Account in play here?
INACTIVE or SUSPENDED FROM IMPORT SERVICE?
Thanks.
06/15/2023 06:46 AM
The status of the user account is INACTIVE.
06/21/2023 02:51 AM
Hi @krecpond
Please try adding the uniqueness check on the account name rule in your endpoint.
Go to Endpoint->Account Name Rule->Check Unique Account and select Inactive, Manually Suspended.
This will prevent the user from submitting the request.
06/21/2023 08:13 AM - edited 06/22/2023 04:25 AM
Hi @prashantChauhan, this will restrict only Add New Access.
Modify button - still allows the user to submit an entitlement request for an inactive account.
We have application roles in ARS; with the above account name rule configuration, it is still allowing users to submit a request for an inactive account.
Thanks,
suresh