and more in a single search tool across platforms. Read the announcement here. |
05/12/2023 06:46 AM
Hi Experts,
Please help.
How do we revoke/disable entitlements in user accounts when entitlement access reaches end date?
Regards,
Naveen
Solved! Go to Solution.
05/12/2023 07:03 AM
You can run the below job-
Create Tasks for Future Ent Role Requests (EnterpriseRoleManagementJob)
This will check if any access enddate is reached and will create the remove access task.
Thanks
Darshan
05/12/2023 07:39 AM
Hi Darshan,
Thanks for your reply
Will this pick up entitlements as well or just enterprise role?
I will test though
Regards
Naveen
05/12/2023 07:45 AM
Both
05/12/2023 09:03 AM
Worked, awesome.
Thanks for your help @sk
05/15/2023 02:37 AM
Hi Darshan,
While this works 100% for access where end date is specified upon request, access to entitlements where enddate has been updated/ extended job is not created.
Any ideas why this would be?
05/15/2023 03:03 AM
HI @fouriefb
Yes the job checks in account_entitlements1 table if there is any Ars task key associated with it and checks the end date and create the tasks, if the enddate is being updated by some other job then it will not create any tasks.
Thanks
Darshan
05/15/2023 06:39 AM
Thank you for the response.
We update end date in ARS for the specific Entitlement / Access and a 'Update Access End Date' task is created and completed.
When date and time is reached, no task is created for removal.
How else is this suppose to work? Any ideas how this can be resolved
05/15/2023 06:58 AM
When the date and time is reached, then the above job (EnterpriseRoleManagementJob) needs to be run and task would be created if its associated with ARS task.
Thanks
Darshan
05/15/2023 06:48 AM
Hi @Darshanjain
The query used in the EnterpriseRoleManagementJob is as below. Could you please help and advise what a.arsTask.endDate mean in this query? There is no column as arsTask in the table
Qry to find all Acc Ents that needs to be removed -
select a from Account_entitlements1 a where a.arsTask.endDate < :ed and (a.assignedFromRole > 0 or a.assignedFromRole is null) and (a.assignedFromRoles ='' or a.assignedFromRoles is null)
Log:
Thanks
Naveen
05/15/2023 07:03 AM
Its a internal logic, to explain it checks if the arstaskkey column is updated in Account_entitlements1 and then takes the enddate from table.
select a from Account_entitlements1 a where a.arsTask.endDate < :ed and (a.assignedFromRole > 0 or a.assignedFromRole is null) and (a.assignedFromRoles ='' or a.assignedFromRoles is null)
Thanks
Darshan
05/15/2023 03:29 PM
Hi @Darshanjain
Figured the logic (I think). So the a.arsTask.endDate is not from ACCOUNT_ENTITLEMENT1 table but from ARSTASKS table.
So what happens is as below:
1. If ARS Task to add an entitlement is raised, say without endDate. This creates an entry in ARSTASKS table and also in ACCOUNT_ENTITLEMENT1 table.
TASKKEY in ARSTASKS say = 2433, also ARSTASKKEY in ACCOUNT_ENTITLEMENT1 table as 2433.
2. Now if this entitlement is modified, say end date is added, this created a new entry in ARSTASKS table with new TASKKEY, say 2434 with ENDDATE 2023-05-15 21:30:00.0.
But it updates the record in table ACCOUNT_ENTITLEMENT1 against the previous ARSTASKKEY 2433 and makes ENDDATE = 2023-05-15 21:30:00.0
Now when job runs below query, it takes ARSTASKKEY from ACCOUNT_ENTITLEMENT1 which is 2433 and goes to ARSTASKS table to fetch end date against TASKKEY 2433, which is null...so nothing happens, because in ARSTASKS that modification with end date was stored with new TASKKEY 2434.
select a from Account_entitlements1 a where a.arsTask.endDate < :ed and (a.assignedFromRole > 0 or a.assignedFromRole is null) and (a.assignedFromRoles ='' or a.assignedFromRoles is null)
In my view its a bug, what do you think?
Regards,
Naveen
05/16/2023 02:32 AM
In the second step when enddate is updated with task key 2434 , this will update the entry in account_ent1 tables with taskkey and enddate , so the old taskkey is removed and new one is added so it will reflect the correct end date , are you telling that still the old taskkey is present in account_ent1 table
Thanks
Darshan
05/16/2023 02:36 AM
Hi @Darshanjain
Yes, it does not update the ARSTASKKEY in ACCOUNT_ENTITLEMENTS1 but rather update the endDate against old task key.
We have tested it thoroughly now.
Regards
Naveen
05/16/2023 03:36 AM
It may be a older version which you are using where its not yet fixed, i have checked the recent versions and ars taskkey gets updated in account_ent1 table, you may need to get it updated to newer versions .
Thanks
Darshan
05/16/2023 04:41 AM
Hi @Darshanjain
What version are you on, we are at 2021.
In your version, when end date is updated, does the ARSTASKKEY get updated even when task is waiting for end date to reach?
Thanks
Naveen
05/16/2023 05:13 AM
checked on 3.18 and v23 versions, taskkey gets updated when ws retry runs and enddate is updated in account_ent1 table as already said above.
Note: end date when updated can only be in future end date from now, when you run ws retry or manually complete it it goes and update the ars taskkey and enddate
Thanks
Darshan
05/16/2023 05:20 AM
Then it must be 2021 version issue.
Yes, agreed that enddate can only be in future. But the scenario fails (in 2021) when I want to change this future date, to earlier or later than current future date. In this case new ARSTASK is created in ARSTASKS table with new date, but this date is updated against old taskkey in accounts_entitlement1.
So when the job runs it reads arstaskkey from account_entitlement1 (old taskkey) and reads end date against that taskkey from arstasks table. Due to this remove access task is created as per end date of old task key and not the updated one.
Thanks
05/16/2023 05:26 AM
Yes could be the issue with 2021 , once you update it to 23v you can test it out.