
How to reuse disabled AD child account?

ASA
Regular Contributor II

We have following situation:

We have an AD system and are using ENDPOINTS_FILTER in connection, so we get multiple child endpoints.

Now if we remove all entitlements from a child endpoints account, that account is shown as disabled on next import, which is fine. Parent account stays enabled.

Question is, how can we reuse that account via access request. If we enable the child account, it creates a enable account task for parent account, which does nothing, because the account is already enabled. On the other hand we cannot request any entitlements for child account, because it is impossible to request for disabled accounts.

How can we resolve that?

4 REPLIES

AmitM
Valued Contributor

Hi @ASA, you can create a default group in AD that you can add for all users of that child app. And, the account will never be removed / inactivated by import. At the end, the parent account is the AD account and that itself is active. And, on termination you can remove the access. Also, the AD account will anyway also be affected by termination, so that should be fine as well.

Second option is - instead of inactivating the child account, mark it suspended from the import service using the status and threshold config. Then the user's child account will be deleted if removed from all groups. One has to request the new account and access again. Saviynt will auto-complete the create account request if the account name rule of the child app is the same as the parent's. Hence nothing to worry about whether it will try to create a duplicate account etc.


You can choose one solution out of the two - if you are giving access to AD groups, let's say, for a week (just in time), then option 1 is better. If group membership is permanent and will only change once a year or very rarely, then option 2 is better.


Thanks, Amit

Please ACCEPT SOLUTION if it helped.

ASA
Regular Contributor II

Hi Amit,

Thanks for the input!

Regarding option 2: What would we have to set in the status threshold config to achieve this? The disabling of child accounts seems to be implicit, as the config normally works on the userAccountControl attribute from AD.

AmitM
Valued Contributor

Hi @ASA, two things in this:

The disabling of the child account could be based on the status and threshold config InactivateAccountNotInFile; this config will also be used by the parent account. This comes into the picture when the parent account is deleted for the parent endpoint OR when all groups are removed for the child account. If you set this to false, this will mark the child account deleted when your entitlement filter groups are removed from the account. And the user can request a new account and access again. The new account auto-completes as explained in the last post.

Second, based on userAccountControl. This is for the parent account; the actual account itself is disabled this time. And for this the user has to re-enable the account to get going.

These two are different scenarios.


BR,

Amit

"inactivateAccountsNotInFile": false,

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.