Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

How to exclude Disable Account and Remove Access from Provisioning Job?

weixiangteoh
New Contributor II
New Contributor II

Hi All,

We having such requirement that for Leaver Scenario, the de-provisioning task shall only processed after EndDate 23:59.

And at the same time, for Provisioning task ( New Account, Update Account, Add Access, Remove Access ) need to be processed immediately for ( New Joiner, Mover, and Access Request related ).

In order to achieve both use cases, we have 2 jobs as below: 

Job 1 :  Provisioning Job run every 5 mins

Advance Query : and (at.TASKTYPE in(1,2,3,8) and at.SECURITYSYSTEM in (6) and at.SOURCE != 'PROVRULE') 

Job 2: EndDate DeProvisioning - run daily 11:59PM

Advance Query : and (at.TASKTYPE in (2,8,14) and at.SOURCE = 'PROVRULE')

However, we facing issue as the De-Provisioning task create as part of Leaver , it get processed by Job 1 and causing early de-provisioning of access.

Let us know how to update Advance query, so that the de-provisioning task will get executed at correct time and it will get ignore by Job 1.

Thanks

Wei

 

5 REPLIES 5

NM
Honored Contributor II
Honored Contributor II

@weixiangteoh you said provisioning still you listed remove access which falls under deprovision access.

You have defined task type 2 in both .. only have it in 2nd job.

weixiangteoh
New Contributor II
New Contributor II

@NM ,

We still need Remove Access being deprovision for Access Request related.

Just for Remove Access related Leaver which trigger by User Update Rules , we put up filter task equal "PROVRULE"

 

Can you share task details from data analyzer query which was got processed from job 1 instead of job 2


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

fuko
Regular Contributor
Regular Contributor

Hi @rushikeshvartak @NM , we did a few rounds of test and concluded that our provisioning jobs with Advance query worked as indented.

For more context:

We chained this job with another Analytic job in a Trigger chain Job.

We discovered that if we put the provision job WSRETRYJOB in the trigger chain, the Advance query is discarded and only the Basic tab is applied.

Since we left the Basic tab blank, every task of every endpoint was executed.

Is this the expected behavior?

this is not expected behavior. Please raise support ticket for defect


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.