08/30/2024 12:38 AM
Hello everyone,
I’m currently working on a requirement where we’ve added a new status P (Paused), in addition to the existing statuses: Active and Inactive. The setup we’ve implemented is as follows:
When the HCM-status (in our case, CP5) is set to P, the account is disabled using DisableAccountJSON:
{
  "msExchExtensionCustomAttribute1": "${Calendar.getInstance().getTime().format('MM/dd/yyyy')}",
  "spar-HCMStatus": "${user.customproperty5}",
  "deleteAllGroups": "No",
  "userAccountControl": "514",
  "moveUsertoOU": "${if(user.customproperty5 == 'P'){'OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=x,DCxxxx=local,DC=xx'}}"
}
The identity remains active, and the users.statuskey is set to 1.
The account is moved to a new OU.
However, I’ve encountered a challenge when handling transitions from P (Paused) to I (Inactive). Specifically:
When the HCM-Status changes to Inactive (I), two tasks should be created:
Account Update Task: The account should be disabled and moved to a new OU.
Attribute enabled remains false.
Attribute msExchExtensionCustomAttribute1 is set to the current date in "MM/dd/yyyy" format.
The user is transferred to OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=testspar,DC=local,DC=at.
All other attributes remain unchanged.
All Access and Enterprise Roles of the user are removed.
Remove Account Task: Scheduled for 90 days.
I’ve successfully moved the account to the new OU using RemoveAccountJSON:
{
  "removeAction": "${if (task.source == 'PROVRULE'){'SUSPEND'} else {'SUSPEND'}}",
  "msExchExtensionCustomAttribute1": "",
  "spar-HCMStatus": "${user.customproperty5}",
  "userAccountControl": "514",
  "moveUsertoOU": "OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=XXXX,DC=local,DC=xx"
}
However, I’m unsure how to trigger a deletion task within 90 days because the RemoveAccountJSON field is set to SUSPEND rather than DELETE.
I attempted to handle the logic within DisableAccountJSON, if else status to check if I or P, but it only works when moving directly from A (Active) to I (Inactive). When transitioning from P (Paused) to I (Inactive), the task for moving to the new OU is not triggered since Saviynt already identifies the account as disabled during the P (Paused) status.
Is there a workaround or alternative approach to triggering the deletion task within 90 days in this scenario? I thought about using JOB enhanced query or job to trigger the task but I am not sure how it would work here.
Additionally, the requirement is that if a deletion task is scheduled for 90 days but the user is reactivated before the deletion, the task should be canceled. I tested this in Saviynt, but the task didn’t stop upon reactivation. Is there a way to achieve this?
Lastly, regarding the removal of all Access and Enterprise Roles when a user becomes inactive: Is setting the action in UserUpdateRule to deprovision access - accounts and access sufficient to remove them? If not, what would be the correct approach to ensure this?
I would greatly appreciate any insights, recommendations, or solutions.
Thank you!
08/30/2024 02:31 AM
Hi @Roua , if you just want to disable the account immediately you can create a task for disable account, which will move the user to a different OU and inactivate the account, and then add the condition in the update rule to delete the account.
Remove action should be delete
Now to discontinue the task when user is rehired in global config there is an option to discontinue task on rehire or create an update rule with action discontinue task.
To remove enterprise role you need to create a separate task.
08/30/2024 02:45 AM - edited 08/30/2024 02:46 AM
@NM Thank you so much i will explore the solution of the global config and get back ,
but regarding the "create a task for disable account", can you please explain more because I didn't get it, sorry. So how would the task of disabling the account be created, through a user update rule, right? But as I mentioned, since the account is already disabled in the PAUSED process, Saviynt doesn't create a disable task again when I set it to I, and I want to disable it and move it. I tried before to add the actions like this: disable account, then deprovision account
it didn't work for the same reason i mentioned.
08/30/2024 02:55 AM
Hi @Roua , any issues with update account task?
As the account is already inactive state you just have to mainly move account to a different OU.
08/30/2024 03:00 AM - edited 08/30/2024 03:00 AM
@NM you mean when there is a task "update account" this should move to the new ou although it is already disabled ?
we can't do it manually they wanted like that therefore i used suspend because it works to move the account to the ou but i am not sure how to delete it later
08/30/2024 03:11 AM
Yes, enable the below config:
"Include Inactive User and Accounts in Update Account Rules". This would be available under Global Configurations -> Rules.
And try creating update account task which will move the account to different OU when value changes.
08/30/2024 03:16 AM
@Roua apart from below I could think of one other way to solve the problem
Our dev environment is down .. I can't check the column but you can apply a condition in remove account json.. where if task creation date is equal to 90 days perform delete operation in the same delete account json you can add
09/02/2024 02:04 AM
Hello @NM @rushikeshvartak ,
the issue of moving the account is solved with using the update account task, thank you
i will set the remove account json back to delete instead of suspend and try to test with one day settings.
but anyone has an idea about the second question:
"
the requirement is that if a deletion task is scheduled for 90 days but the user is reactivated before the deletion, the task should be canceled. I tested this in Saviynt, but the task didn’t stop upon reactivation. Is there a way to achieve this?
Lastly, regarding the removal of all Access and Enterprise Roles when a user becomes inactive: Is setting the action in UserUpdateRule to deprovision access - accounts and access sufficient to remove them? If not, what would be the correct approach to ensure this?
"
09/02/2024 02:19 AM
Hi @Roua to discontinue the task you can create a user update rule and add action discontinue pending task.
2) you have to choose action deprovision enterprise role.
09/02/2024 03:16 AM
Hi @NM ,
thank you so much i appreciate it! i will try the solution and get back to you because the min is to wait for 1 day.
another questions please,
i am trying to set the end date on user side but although i have it in modify user json like this:
"UPDATE NEWUSERDATA NU SET NU.enddate = CASE WHEN NU.customproperty5 = 'I' THEN CURDATE() ELSE NU.enddate END",
in user import json:
"enddate": "d:Exitdate~#~char",
it doesn't work when i run the import user job or the update user job
any ideas ? thank you !
09/02/2024 03:52 AM - edited 09/02/2024 03:54 AM
so like i have to put both deprovision enterprise role and deprovision access or only deprovision enterprise role. ?
09/02/2024 03:55 AM
@Roua both
09/02/2024 04:07 AM - edited 09/03/2024 04:04 AM
@NM i created a user update rule
discontinue pending task when user is reactivated | If Users.HCM Status (Custom Property 5) is updated AND Users.HCM Status (Custom Property 5) EQUALS "A" Then (Discontinue Pending Task) |
it was triggered
and after changing the status cp5 back to A instead I the process of enabling account and user worked but the task was still in pending tasks :
any idea ? and also in user update rule i can't choose the kind of task to discontinue
09/02/2024 06:22 AM
Check below from data analyzer
select taskkey,startdate,taskdate from arstasks where taskkey =810850
09/03/2024 05:12 AM
As per start date it will process today Sep 03
09/03/2024 01:29 AM
Hi @Roua you can't choose the task
Did it not discontinue pending task?
09/03/2024 04:06 AM - edited 09/03/2024 04:09 AM
@rushikeshvartak @NM ,
i waited for one day exactly to see if it will discontinue the task but it didn't
this is still in the pending task
also for the one that i don't want to discontinue, it wasn't completed although i set it to one day
09/03/2024 04:41 AM
@rushikeshvartak @NM
can you please help me to understand where it went wrong ?
i have tested two users one to see the full deletion process and another to test the discontinue Task update rule
A) First one (delete account in 1 day):
after running the following jobs: AD provisioning - update user - AD import
nothing changed, the task was resolved but the account remain as manually suspended and not deleted:
supposed to be deleted after running the job but:
B) the second test user (discontinue the task):
update user rule was triggered and the account went in the enable process again.
after running the provisioning update ad import jobs:
it wasn't discontinued
although this task was made to enable it
the account got deleted:
09/03/2024 04:55 AM
Hi @Roua use this as checked in global config to discontinue all pending tasks in case of rehire.
Regards,
Indra
09/03/2024 04:59 AM
Thank you i will try it @indra_hema_95 ,
one question, would it discontinue all pending tasks? or only the one that is removing the account of a specific user? i am not sure how would this be since we can't specify which task to discontinue
09/03/2024 05:04 AM
@Roua So in our project we used it actually. In our case the requirement was AD account should get disabled on the day of termination and access also should get removed, but on 30th day the AD account should be deleted. Now the "Deprovision Access" --> "Account only" we kept "execute on" 30. Now in pending task it stays there, and in case that user's status changes to active again, or you can say rehire, it discontinues that particular user's delete account task.
Regards,
Indra
09/03/2024 06:04 AM
thank you all for your efforts it worked now! i really appreciate it ! 🙂
@indra_hema_95 @NM @rushikeshvartak
09/03/2024 06:05 AM
Can you summarize the full solution? As you accepted multiple solutions in bits and pieces.
09/03/2024 06:17 AM
sure!
Basically for the whole process:
MAIN USER UPDATE RULE MUST BE USED :
I/ P->A
AD Re-Activate on User Re-Activate from UI / from IMPORT
If Users.HCM Status (Custom Property 5) is updated AND Users.HCM Status (Custom Property 5) EQUALS "A" Then (Enable User Accounts, attributeConfig : {"executeOn":0}) |
A->P
pause process the use HCM-Status status will be set to P /// pause process the use HCM-Status status will be set to P FROM IMPORT
A/P -> I
HCM STATUS Update (I) User transferred to Exited OutOfOffice FROM UI / import
discontinue pending task when user is reactivated
in global config:
in AD AccountUpdateJson:
then i created a chain Job to run the required process for me it was :
AD provisioning Job
AD user update job
AD import
09/03/2024 06:25 AM
@rushikeshvartak @indra_hema_95 @NM
another questions please,
i am trying to set the end date on user side but although i have it in modify user json like this:
"UPDATE NEWUSERDATA NU SET NU.enddate = CASE WHEN NU.customproperty5 = 'I' THEN CURDATE() ELSE NU.enddate END",
in user import json:
"enddate": "d:Exitdate~#~char",
it doesn't work when i run the import user job or the update user job
any ideas ? thank you !
09/03/2024 06:26 AM
@Roua I can suggest splitting threads into multiple posts so it will be easy to find; now it's becoming a long post.
Did you check the logs for the above?
09/03/2024 06:30 AM
2024-09-03T13:55:23+02:00-ecm-worker--null-frbjs--"enddate",
that's all i found.
should i make a new post regarding this ?
09/03/2024 06:33 AM
"UPDATE NEWUSERDATA NU SET NU.enddate = CASE WHEN NU.customproperty5 = 'I' THEN DATE_FORMAT(NU.enddate, '%m/%d/%Y') ELSE NU.enddate END",
09/03/2024 06:48 AM
it didn't work. I tested it by setting the status to I and then running the jobs.
could it be that I have it in the wrong field? I have the code for this in MODIFYUSERDATAJSON in HCM connection
09/03/2024 06:49 AM
Please create new thread with full MODIFYUSERDATAJSON
09/05/2024 02:16 AM
Hello @rushikeshvartak @indra_hema_95 @NM ,
There is an issue when I set the "Disable User Identity" action in the user update rule. Once this action is triggered, the Organizational Unit (OU) can no longer be updated, because once the identity is disabled its information cannot be modified or updated. Additionally, there’s no way to schedule this action to occur a few days later.
How can I configure the system to delay disabling the identity by X days after the user's status is set to 'Inactive' (I)? This would allow updates to be made.
09/05/2024 08:19 AM
Execute on for disable user is not supported. Please raise an idea ticket if there is not one already.
09/05/2024 08:30 AM
Thread Closed - Solution Accepted!
This thread has been closed as the original issue has been successfully resolved.
To maintain a clean and organized forum, we ask that any new issues or questions be posted in a new thread. This helps keep discussions focused and makes it easier for others to search and find relevant solutions.
Thank you for your understanding and cooperation!