
Handling Custom Status Transitions and Deletion Tasks

Roua
Regular Contributor

Hello everyone,

I’m currently working on a requirement where we’ve added a new status P (Paused), in addition to the existing statuses: Active and Inactive. The setup we’ve implemented is as follows:

When the HCM-status (in our case, CP5) is set to P, the account is disabled using DisableAccountJSON:

{
  "msExchExtensionCustomAttribute1": "${Calendar.getInstance().getTime().format('MM/dd/yyyy')}",
  "spar-HCMStatus": "${user.customproperty5}",
  "deleteAllGroups": "No",
  "userAccountControl": "514",
  "moveUsertoOU": "${if(user.customproperty5 == 'P'){'OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=x,DCxxxx=local,DC=xx'}}"
}


The identity remains active, and the users.statuskey is set to 1.
The account is moved to a new OU.

However, I’ve encountered a challenge when handling transitions from P (Paused) to I (Inactive). Specifically:

When the HCM-Status changes to Inactive (I), two tasks should be created:
Account Update Task: The account should be disabled and moved to a new OU.
Attribute enabled remains false.
Attribute msExchExtensionCustomAttribute1 is set to the current date in "MM/dd/yyyy" format.
The user is transferred to OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=testspar,DC=local,DC=at.
All other attributes remain unchanged.
All Access and Enterprise Roles of the user are removed.
Remove Account Task: Scheduled for 90 days.

I’ve successfully moved the account to the new OU using RemoveAccountJSON:

{
  "removeAction": "${if (task.source == 'PROVRULE'){'SUSPEND'} else {'SUSPEND'}}",
  "msExchExtensionCustomAttribute1": "",
  "spar-HCMStatus": "${user.customproperty5}",
  "userAccountControl": "514",
  "moveUsertoOU": "OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=XXXX,DC=local,DC=xx"
}


However, I’m unsure how to trigger a deletion task within 90 days because the RemoveAccountJSON field is set to SUSPEND rather than DELETE.

I attempted to handle the logic within DisableAccountJSON with an if/else on the status to check if it is I or P, but it only works when moving directly from A (Active) to I (Inactive). When transitioning from P (Paused) to I (Inactive), the task for moving to the new OU is not triggered since Saviynt already identifies the account as disabled during the P (Paused) status.

 

Is there a workaround or alternative approach to triggering the deletion task within 90 days in this scenario? I thought about using a JOB enhanced query or a job to trigger the task, but I am not sure how it would work here.

Additionally, the requirement is that if a deletion task is scheduled for 90 days but the user is reactivated before the deletion, the task should be canceled. I tested this in Saviynt, but the task didn’t stop upon reactivation. Is there a way to achieve this?

Lastly, regarding the removal of all Access and Enterprise Roles when a user becomes inactive: Is setting the action in UserUpdateRule to deprovision access - accounts and access sufficient to remove them? If not, what would be the correct approach to ensure this?

I would greatly appreciate any insights, recommendations, or solutions.

Thank you!


NM
Honored Contributor II

Hi @Roua , if you just want to disable the account immediately you can create a task for disable account .. which will move user to different OU and inactive the account and then add the condition in update rule to delete the account 

 

Remove action should be delete

Now to discontinue the task when user is rehired in global config there is an option to discontinue task on rehire or create an update rule with action discontinue task.

To remove enterprise roles you need to create a separate task.

Roua
Regular Contributor

@NM Thank you so much, I will explore the solution of the global config and get back,
but regarding the "create a task for disable account", can you please explain more because I didn't get it, sorry. How would the task of disabling the account be created, through a user update rule, right? But as I mentioned, since the account is already disabled in the PAUSED process, Saviynt doesn't create a disable task again when I set it to I and I want to disable it and move it. I tried before to add the actions like this: disable account, then deprovision account.
It didn't work for the same reason I mentioned.

NM
Honored Contributor II

Hi @Roua , any issues with update account task?

As the account is already inactive state you just have to mainly move account to a different OU.

Roua
Regular Contributor

@NM you mean when there is a task "update account" this should move to the new ou although it is already disabled ? 

we can't do it manually they wanted like that therefore i used suspend because it works to move the account to the ou but i am not sure how to delete it later

NM
Honored Contributor II

Yes enable below config 

"Include Inactive User and Accounts in Update Account Rules" - this would be available under global configurations -> rules.

And try creating update account task which will move the account to different OU when value changes.

NM
Honored Contributor II

@Roua apart from below I could think of one other way to solve the problem

Our dev environment is down .. I can't check the column, but you can apply a condition in remove account json.. where if task creation date is equal to 90 days perform the delete operation; in the same delete account json you can add it.

rushikeshvartak
All-Star
  • You can create user update rule
    • Day 1 - Create update account task to move in OU
    • Day 90 create remove access task

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor

Hello @NM @rushikeshvartak ,
the issue of moving the account is solved with using the update account task, thank you 
i will set the remove account json back to delete instead of suspend and try to test with one day settings.

But does anyone have an idea about the second question:

"The requirement is that if a deletion task is scheduled for 90 days but the user is reactivated before the deletion, the task should be canceled. I tested this in Saviynt, but the task didn't stop upon reactivation. Is there a way to achieve this?

Lastly, regarding the removal of all Access and Enterprise Roles when a user becomes inactive: Is setting the action in UserUpdateRule to deprovision access - accounts and access sufficient to remove them? If not, what would be the correct approach to ensure this?"

NM
Honored Contributor II

Hi @Roua to discontinue the task you can create a user update rule and add action discontinue pending task.

2) you have to choose action deprovision enterprise role.

Roua
Regular Contributor

Hi @NM , 
Thank you so much, I appreciate it! I will try the solution and get back to you, because the minimum is to wait for 1 day.

another questions please,
i am trying to set the end date on user side but although i have it in modify user json like this: 

  "UPDATE NEWUSERDATA NU SET NU.enddate = CASE WHEN NU.customproperty5 = 'I' THEN CURDATE() ELSE NU.enddate END",

in user import json: 
"enddate": "d:Exitdate~#~char",


it doesn't work when i run the import user job or the update user job 

any ideas ? thank you !

 

Roua
Regular Contributor

So do I have to put both deprovision enterprise role and deprovision access, or only deprovision enterprise role?

Roua_0-1725274450489.png

 

 

NM
Honored Contributor II

@Roua both

Roua
Regular Contributor

@NM I created a user update rule:

discontinue pending task when user is reactivated
If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "A"
Then
(Discontinue Pending Task)

It was triggered,
and after changing the status cp5 back to A instead of I, the process of enabling the account and user worked, but the task was still in pending tasks:


Any idea? And also, in the user update rule I can't choose the kind of task to discontinue.

 

Check below from data analyzer

select taskkey,startdate,taskdate from arstasks where taskkey =810850


Regards,
Rushikesh Vartak

Roua
Regular Contributor

Hello @rushikeshvartak ,
I got the following:

Roua_0-1725348373052.png

 

As per start date it will process today Sep 03


Regards,
Rushikesh Vartak

NM
Honored Contributor II

Hi @Roua, you can't choose the task.

Did it not discontinue pending task?

Roua
Regular Contributor

@rushikeshvartak @NM ,
I waited for exactly one day to see if it would discontinue the task, but it didn't;
this is still in the pending tasks.

Also, the one that I don't want to discontinue wasn't completed, although I set it to one day.

Roua_0-1725361542531.png

Roua_1-1725361733471.png

Roua_2-1725361780238.png

 

Roua
Regular Contributor

@rushikeshvartak @NM 
Can you please help me to understand where it went wrong?

I have tested two users: one to see the full deletion process and another to test the discontinue task update rule.

A) First one (delete account in 1 day):
After running the following jobs: AD provisioning - update user - AD import,
nothing changed; the task was resolved but the account remains manually suspended and not deleted:

Roua_4-1725363219141.png

Roua_5-1725363309705.png

It was supposed to be deleted after running the job, but:

Roua_6-1725363368857.png


B) The second test user (discontinue the task):

Roua_7-1725363481032.png

The update user rule was triggered and the account went into the enable process again.
After running the provisioning, update and AD import jobs:

Roua_8-1725363569188.png

It wasn't discontinued.

Roua_9-1725363615932.png


Although this task was made to enable it,
the account got deleted:

Roua_10-1725363663052.png

 

 

 

indra_hema_95
Regular Contributor III

Hi @Roua, use this (checked in global config) to discontinue all pending tasks in case of rehire.

indra_hema_95_0-1725364511630.png

 

Regards,

Indra

Roua
Regular Contributor

Thank you, I will try it @indra_hema_95.
One question: would it discontinue all pending tasks, or only the one that is removing the account of a specific user? I am not sure how this would work, since we can't specify which task to discontinue.

indra_hema_95
Regular Contributor III

@Roua So in our project we used it, actually. In our case the requirement was that the AD account should get disabled on the day of termination and access should also get removed, but on the 30th day the AD account should be deleted. Now for "Deprovision Access" --> "Account only" we kept "execute on" at 30. It stays in pending tasks, and in case that user's status changes to active again (you can say rehire), it discontinues that particular user's delete account task.

Regards,

Indra

Roua
Regular Contributor

Thank you all for your efforts, it worked now! I really appreciate it! 🙂
@indra_hema_95 @NM @rushikeshvartak 

Can you summarise the full solution? As you accepted multiple solutions in bits and pieces.


Regards,
Rushikesh Vartak

Roua
Regular Contributor

Sure!
Basically, for the whole process:

MAIN USER UPDATE RULES MUST BE USED:

I/ P->A
AD Re-Activate on User Re-Activate from UI  / from IMPORT

If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "A"
Then
(Enable User Accounts, attributeConfig : {"executeOn":0})

A->P
Pause process: the user's HCM-Status will be set to P (from UI / from IMPORT)

 

If (Users.customproperty5 isupdated) AND Users.customproperty5 = 'P' AND ( Users.id IN ( SELECT ru.userkey FROM Role_user_account ru, Roles r WHERE ru.rolekey = r.id AND r.role_name = 'BR_F_000010' ) OR Users.id NOT IN ( SELECT ru.userkey FROM Role_user_account ru, Roles r WHERE ru.rolekey = r.id AND r.role_name = 'BR_F_000010' ) )
Then
(Disable User Accounts AND Create Update User Task [Connection: SAP HCM , Object: Update Login ] AND Notify As An Email)

A/P -> I

HCM STATUS Update (I) User transferred to Exited OutOfOffice FROM UI / import

 

 

If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "I"
Then
(Transfer Ownership AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] attributeConfig : {"executeOn":0} AND Create Update Account Task [Endpoint: Oracle Unified Directory2endpoint, Connection: Oracle Unified Directory2 ] attributeConfig : {"executeOn":0} AND Create Update User Task [Connection: SAP HCM , Object: Update Login ] attributeConfig : {"executeOn":0} AND Deprovision Access [ Endpoints: cda,Oracle Unified Directory2endpoint, Object: Both ] attributeConfig : {"executeOn":1} AND Disable User Accounts attributeConfig : {"executeOn":0})

discontinue pending task when user is reactivated

If Users.HCM Status (Custom Property 5) is updated
AND Users.HCM Status (Custom Property 5) EQUALS "A"
Then
(Discontinue Pending Task AND Create Update Account Task [Endpoint: cda, Connection: AD test2 ] attributeConfig : {"executeOn":0} AND Enable User Accounts attributeConfig : {"executeOn":0})

in global config: 

Roua_0-1725369149119.png

in AD AccountUpdateJson:

To move it to an OU based on the status:

"moveUsertoOU": "${user.customproperty5 == 'P' ? 'OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=xxxx,DC=xxx,DC=xxx' : user.customproperty5 == 'I' ? 'OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=xxx,DC=xxxx,DC=xxxx' : ''}"
}

customproperty5 for me is an HCM status mapped to HCM.

Then I created a chain job to run the required process; for me it was:
AD provisioning job
AD user update job
AD import

Roua_1-1725369448951.png
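The lifecycle the thread settles on (A -> P -> I with an update-account task that moves the OU, a delete scheduled via "execute on", and pending tasks discontinued on rehire) can be reasoned about offline with a small state model. The following is an added Python example, not Saviynt code or the poster's configuration: task names, day numbers, the placeholder OUs and the role names are assumptions that mirror the thread, and the provisioning job is simulated as a function that processes due tasks in creation order.

```python
"""Offline model of the account lifecycle rules discussed in the thread (added example,
not a Saviynt API). Statuses, task kinds, grace period and OUs are assumptions."""
from dataclasses import dataclass, field

ACTIVE, PAUSED, INACTIVE = "A", "P", "I"
DELETE_GRACE_DAYS = 90  # assumed "execute on" value for the remove-account task

# Constructed placeholder OUs, named after the ones in the thread.
OU_BY_STATUS = {
    ACTIVE: "OU=Usr,DC=example,DC=local",
    PAUSED: "OU=TemporaryLeave,OU=Usr,OU=DisabledObjects,DC=example,DC=local",
    INACTIVE: "OU=Exited OutOfOffice,OU=Usr,OU=DisabledObjects,DC=example,DC=local",
}


@dataclass
class Task:
    kind: str        # UPDATE_ACCOUNT, DISABLE_ACCOUNT, DEPROVISION_ACCESS, REMOVE_ACCOUNT, ENABLE_ACCOUNT
    execute_on: int  # absolute day on which the provisioning job may process it
    status: str = "PENDING"


@dataclass
class Account:
    enabled: bool = True
    exists: bool = True
    ou: str = OU_BY_STATUS[ACTIVE]
    access: set = field(default_factory=lambda: {"BR_F_000010", "ent-role-1"})  # constructed


@dataclass
class User:
    hcm_status: str = ACTIVE
    account: Account = field(default_factory=Account)
    tasks: list = field(default_factory=list)


def apply_status_change(user, new_status, today):
    """Mirror of the user update rules: create the tasks a customproperty5 change needs."""
    if new_status == user.hcm_status:
        return []
    user.hcm_status = new_status
    created = []
    if new_status == PAUSED:
        # A -> P: disable the account and move it; the identity itself stays active.
        created += [Task("DISABLE_ACCOUNT", today), Task("UPDATE_ACCOUNT", today)]
    elif new_status == INACTIVE:
        # A/P -> I: the account may already be disabled, so the OU move is an UPDATE task
        # (needs "Include Inactive User and Accounts in Update Account Rules" enabled);
        # access removal and the delete are separate, delayed tasks.
        created += [Task("UPDATE_ACCOUNT", today), Task("DISABLE_ACCOUNT", today),
                    Task("DEPROVISION_ACCESS", today + 1),
                    Task("REMOVE_ACCOUNT", today + DELETE_GRACE_DAYS)]
    elif new_status == ACTIVE:
        # P/I -> A: discontinue everything still pending (the delete above all), then re-enable.
        for t in user.tasks:
            if t.status == "PENDING":
                t.status = "DISCONTINUED"
        created += [Task("UPDATE_ACCOUNT", today), Task("ENABLE_ACCOUNT", today)]
    user.tasks.extend(created)
    return created


def run_provisioning_job(user, today):
    """Process every pending task whose day has arrived; returns the kinds processed."""
    processed = []
    for t in user.tasks:
        if t.status != "PENDING" or t.execute_on > today:
            continue
        acct = user.account
        if t.kind == "DISABLE_ACCOUNT":
            acct.enabled = False
        elif t.kind == "UPDATE_ACCOUNT":        # the moveUsertoOU ternary from the thread
            acct.ou = OU_BY_STATUS.get(user.hcm_status, "")
        elif t.kind == "DEPROVISION_ACCESS":
            acct.access.clear()
        elif t.kind == "ENABLE_ACCOUNT":
            acct.enabled = True
        elif t.kind == "REMOVE_ACCOUNT":
            acct.exists = False
        t.status = "COMPLETE"
        processed.append(t.kind)
    return processed


def scenario_pause_leave_delete():
    """A -> P on day 0, P -> I on day 10; the delete only fires 90 days after the I change."""
    u = User()
    apply_status_change(u, PAUSED, today=0); run_provisioning_job(u, today=0)
    after_pause = (u.account.enabled, u.account.ou)
    apply_status_change(u, INACTIVE, today=10); run_provisioning_job(u, today=10)
    after_leave = (u.account.enabled, u.account.ou, sorted(u.account.access))
    run_provisioning_job(u, today=11)
    access_day11 = sorted(u.account.access)
    run_provisioning_job(u, today=99); exists_day99 = u.account.exists
    run_provisioning_job(u, today=100); exists_day100 = u.account.exists
    return {"after_pause": after_pause, "after_leave": after_leave, "access_day11": access_day11,
            "exists_day99": exists_day99, "exists_day100": exists_day100}


def scenario_rehire_cancels_delete():
    """A -> I on day 0, rehired on day 30: the pending delete is discontinued, not executed."""
    u = User()
    apply_status_change(u, INACTIVE, today=0); run_provisioning_job(u, today=0)
    apply_status_change(u, ACTIVE, today=30); run_provisioning_job(u, today=30)
    run_provisioning_job(u, today=100)
    return {"enabled": u.account.enabled, "ou": u.account.ou, "exists": u.account.exists,
            "remove_task": [t.status for t in u.tasks if t.kind == "REMOVE_ACCOUNT"]}
```

The point the model makes explicit is ordering: the OU move must be an update task that is allowed to touch an already-disabled account, the delete must carry its own delayed execute-on day rather than being folded into the disable JSON, and the reactivation rule must discontinue pending tasks before it enables the account, otherwise the delete still fires after the rehire, which is exactly the failure seen in the thread.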

 





 

Roua
Regular Contributor

@rushikeshvartak @indra_hema_95 @NM 

Another question please:
I am trying to set the end date on the user side, but although I have it in the modify user JSON like this:

  "UPDATE NEWUSERDATA NU SET NU.enddate = CASE WHEN NU.customproperty5 = 'I' THEN CURDATE() ELSE NU.enddate END",

and in the user import JSON:
"enddate": "d:Exitdate~#~char",
it doesn't work when I run the import user job or the update user job.

Any ideas? Thank you!

@Roua I can suggest splitting the threads into multiple posts so it will be easier to find; now it's becoming a long post.

Did you check the logs for the above?

 


Regards,
Rushikesh Vartak

Roua
Regular Contributor

2024-09-03T13:55:23+02:00-ecm-worker--null-frbjs--"enddate",
That's all I found.

Should I make a new post regarding this?

 

Refer https://forums.saviynt.com/t5/identity-governance/date-conversion-from-dd-mm-yyyy-to-mm-dd-yyyy-in-p...

"UPDATE NEWUSERDATA NU SET NU.enddate = CASE WHEN NU.customproperty5 = 'I' THEN DATE_FORMAT(NU.enddate, '%m/%d/%Y') ELSE NU.enddate END",


Regards,
Rushikesh Vartak

Roua
Regular Contributor

It didn't work; I tested it by setting the status to I and then running the jobs.
Could it be that I have it in the wrong field? I have the code for this in MODIFYUSERDATAJSON in the HCM connection.

Please create a new thread with the full MODIFYUSERDATAJSON.


Regards,
Rushikesh Vartak

Roua
Regular Contributor

Hello @rushikeshvartak @indra_hema_95 @NM ,

There is an issue when I set the "Disable User Identity" action in the user update rule. Once this action is triggered, the Organizational Unit (OU) can no longer be updated, because once the identity is disabled its information cannot be modified or updated. Additionally, there's no way to schedule this action to occur a few days later.

How can I configure the system to delay disabling the identity by X days after the user's status is set to 'Inactive' (I)? This would allow updates to be made.

Roua_0-1725527780807.png

Execute on for disable user is not supported. Please raise an idea ticket if there isn't one already.


Regards,
Rushikesh Vartak

Dave
Community Manager

Thread Closed - Solution Accepted!

This thread has been closed as the original issue has been successfully resolved.

To maintain a clean and organized forum, we ask that any new issues or questions be posted in a new thread. This helps keep discussions focused and makes it easier for others to search and find relevant solutions.

Thank you for your understanding and cooperation!