
ENDPOINTS_FILTER in AD is not removing deleted entitlements in Saviynt

Yaswanth
New Contributor III

We have defined ENDPOINTS_FILTER on the Active Directory connection with an initial grouping of a few entitlements, and now we would like to remove one of the entitlements. But Saviynt is not removing the entitlement from the Endpoint even after running the AD Account and Access Imports with the updated filter. What is the process to update/remove the original grouping?

E.g.:

Initial ENDPOINTS_FILTER:

{
  "Endpoint A": [
    {
      "memberOf": [
        "CN=Ent_1",
        "CN=Ent_2",
        "CN=Ent_3"
      ]
    }
  ]
}

Updated ENDPOINTS_FILTER as below:

{
  "Endpoint A": [
    {
      "memberOf": [
        "CN=Ent_1",
        "CN=Ent_3"
      ]
    }
  ]
}

Issue: "CN=Ent_2" is still visible in Saviynt.


adarshk
Saviynt Employee

Hi @Yaswanth 

Can you please share the JSON and also confirm the status of CN=Ent_2.


Validate if STATUS THRESHOLD CONFIG has the below line added:
"deleteLinks": true

For ref: https://forums.saviynt.com/t5/identity-governance/endpoints-filter-not-removing-old-entitlements/m-p...

rushikeshvartak
All-Star

{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 10000,
    "appAccountThresholdValue": 10000,
    "correlateInactiveAccounts": true,
    "statusColumn": "customproperty10",
    "inactivateAccountsNotInFile": false,
    "activeStatus": [
      "true"
    ],
    "deleteLinks": true
  }
}


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi,

The removed entitlement is showing as "inactive" in Saviynt with the above configuration, but it is not getting deleted. I am looking for a solution which can delete the entitlement in Saviynt (it should not be visible). Is this achievable?

Thanks,

Yaswanth

Account & Entitlement can't be removed from Saviynt; only the link between account and entitlement can be removed.

Refer https://forums.saviynt.com/t5/general-discussions/deleting-entitlements-from-ssm/m-p/2302#M440


Regards,
Rushikesh Vartak

Hi @Yaswanth ,

It’s not possible to hard delete an entitlement once it is created. Once its status changes to inactive, it will not be available for request as well as for certifications. Inactive status is a kind of soft delete in Saviynt.


Pandharinath Mahalle(Paddy)
If this reply answered your question, please Accept As Solution to help others who may have the same problem. Give Kudos 🙂

adarshk
Saviynt Employee

Entitlements can be set to Inactive. Account associations for the same can be removed. 

Thanks,
Adarsh Kulkarni
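
A pre-import check for the filter change discussed in this thread, added here as an example (it is not code from any poster or from Saviynt): it diffs the old and new ENDPOINTS_FILTER JSON to list the entitlements being dropped per endpoint and checks that deleteLinks is a real boolean true. The function names are hypothetical, the sample JSON is constructed from the snippets above, and the filter shape (endpoint name mapping to a list of attribute/value-list objects) is assumed from the question.

```python
import json

# Constructed sample input, modelled on the snippets posted in this thread.
OLD_FILTER = '{"Endpoint A": [{"memberOf": ["CN=Ent_1", "CN=Ent_2", "CN=Ent_3"]}]}'
NEW_FILTER = '{"Endpoint A": [{"memberOf": ["CN=Ent_1", "CN=Ent_3"]}]}'
STATUS_CONFIG = '{"statusAndThresholdConfig": {"deleteLinks": true}}'


def entitlements_by_endpoint(filter_json):
    """Map endpoint -> {(attribute, lower-cased value): value as written}.

    AD distinguished names compare case-insensitively, hence the lower-casing.
    """
    result = {}
    for endpoint, rules in json.loads(filter_json).items():
        entries = result.setdefault(endpoint, {})
        for rule in rules:
            for attribute, values in rule.items():
                for value in values:
                    entries[(attribute, value.strip().lower())] = value.strip()
    return result


def dropped_entitlements(old_json, new_json):
    """Values listed under an endpoint in the old filter but not the new one."""
    old, new = entitlements_by_endpoint(old_json), entitlements_by_endpoint(new_json)
    dropped = {}
    for endpoint, entries in old.items():
        gone = sorted(v for k, v in entries.items() if k not in new.get(endpoint, {}))
        if gone:
            dropped[endpoint] = gone
    return dropped


def delete_links_enabled(status_json):
    """True only for a JSON boolean; the string "true" does not count."""
    config = json.loads(status_json).get("statusAndThresholdConfig", {})
    return config.get("deleteLinks") is True


def preflight(old_json, new_json, status_json):
    """Rows of (endpoint, entitlement, note); notes follow this thread's replies."""
    if delete_links_enabled(status_json):
        note = "expect inactive entitlement, account links removed"
    else:
        note = "deleteLinks is not true: check account links after import"
    dropped = dropped_entitlements(old_json, new_json)
    return [(ep, ent, note) for ep in sorted(dropped) for ent in dropped[ep]]

if __name__ == "__main__":
    for row in preflight(OLD_FILTER, NEW_FILTER, STATUS_CONFIG):
        print(*row, sep=" | ")
```
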