
How to revoke Entitlement on end date

Naveen_Talanos
Regular Contributor

Hi Experts,

Please help.

How do we revoke/disable entitlements in user accounts when entitlement access reaches end date?


Regards,

Naveen

 


Darshanjain
Saviynt Employee

Hi @Naveen_Talanos 

You can run the below job:

Create Tasks for Future Ent Role Requests (EnterpriseRoleManagementJob)

This will check if any access end date is reached and will create the remove access task.

 

Thanks

Darshan

Hi Darshan,

Thanks for your reply

Will this pick up entitlements as well or just enterprise role?

I will test though

Regards

Naveen

Both


Regards,
Saathvik

Naveen_Talanos
Regular Contributor

Worked, awesome.

Thanks for your help @sk 

fouriefb
Regular Contributor

Hi Darshan,

While this works 100% for access where the end date is specified upon request, for access to entitlements where the end date has been updated/extended, the job is not created.

Any ideas why this would be?

 

Hi @fouriefb

Yes, the job checks in the account_entitlements1 table whether there is any ARS task key associated with it, checks the end date, and creates the tasks. If the end date is being updated by some other job, then it will not create any tasks.

 

Thanks

Darshan

fouriefb
Regular Contributor

Thank you for the response.

We update the end date in ARS for the specific Entitlement / Access, and an 'Update Access End Date' task is created and completed.

When the date and time is reached, no task is created for removal.

How else is this supposed to work? Any ideas how this can be resolved?

 

When the date and time is reached, the above job (EnterpriseRoleManagementJob) needs to be run, and the task would be created if it's associated with an ARS task.

 

Thanks

Darshan

Hi @Darshanjain 

The query used in the EnterpriseRoleManagementJob is as below. Could you please help and advise what a.arsTask.endDate means in this query? There is no column named arsTask in the table.

 

Query to find all Acc Ents that need to be removed -

select a from Account_entitlements1 a where a.arsTask.endDate < :ed and (a.assignedFromRole > 0 or a.assignedFromRole is null) and (a.assignedFromRoles ='' or a.assignedFromRoles is null)

 


Thanks

Naveen

Hi @Naveen_Talanos 

It's internal logic. To explain: it checks if the arstaskkey column is updated in Account_entitlements1 and then takes the end date from the table.

select a from Account_entitlements1 a where a.arsTask.endDate < :ed and (a.assignedFromRole > 0 or a.assignedFromRole is null) and (a.assignedFromRoles ='' or a.assignedFromRoles is null)

 

Thanks

Darshan

Hi @Darshanjain 

Figured out the logic (I think). So the a.arsTask.endDate is not from the ACCOUNT_ENTITLEMENT1 table but from the ARSTASKS table.

So what happens is as below:

1. An ARS task to add an entitlement is raised, say without endDate. This creates an entry in the ARSTASKS table and also in the ACCOUNT_ENTITLEMENT1 table.

TASKKEY in ARSTASKS say = 2433, also ARSTASKKEY in the ACCOUNT_ENTITLEMENT1 table as 2433.

2. Now if this entitlement is modified, say an end date is added, this creates a new entry in the ARSTASKS table with a new TASKKEY, say 2434, with ENDDATE 2023-05-15 21:30:00.0.

But it updates the record in table ACCOUNT_ENTITLEMENT1 against the previous ARSTASKKEY 2433 and makes ENDDATE = 2023-05-15 21:30:00.0

Now when the job runs the below query, it takes ARSTASKKEY from ACCOUNT_ENTITLEMENT1, which is 2433, and goes to the ARSTASKS table to fetch the end date against TASKKEY 2433, which is null... so nothing happens, because in ARSTASKS that modification with the end date was stored with the new TASKKEY 2434.

select a from Account_entitlements1 a where a.arsTask.endDate < :ed and (a.assignedFromRole > 0 or a.assignedFromRole is null) and (a.assignedFromRoles ='' or a.assignedFromRoles is null)

In my view it's a bug, what do you think?

Regards,

Naveen
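The lookup described in the post above, as an added example (not part of the original thread and not Saviynt's code): a constructed SQLite stand-in for the two tables runs a SQL rendering of the quoted query, then a reconciliation query that flags rows whose own ENDDATE disagrees with the linked task's. Only columns named in the thread are modelled; ACCTENTKEY, task 2500 and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the two tables discussed in the thread. Only columns
# the thread names are modelled; ACCTENTKEY is a hypothetical row id.
SCHEMA = """
CREATE TABLE ARSTASKS (TASKKEY INTEGER PRIMARY KEY, ENDDATE TEXT);
CREATE TABLE ACCOUNT_ENTITLEMENTS1 (
    ACCTENTKEY INTEGER PRIMARY KEY, ARSTASKKEY INTEGER, ENDDATE TEXT,
    ASSIGNEDFROMROLE INTEGER, ASSIGNEDFROMROLES TEXT);
-- 2433: original add-access task, no end date. 2434: later end-date update.
INSERT INTO ARSTASKS VALUES (2433, NULL), (2434, '2023-05-15 21:30:00'),
                            (2500, '2023-05-10 09:00:00');
-- Row 1 shows the reported behaviour: ENDDATE updated, ARSTASKKEY still 2433.
-- Row 2 is a request that carried its end date from the start.
INSERT INTO ACCOUNT_ENTITLEMENTS1 VALUES
    (1, 2433, '2023-05-15 21:30:00', NULL, NULL),
    (2, 2500, '2023-05-10 09:00:00', NULL, NULL);
"""

# SQL rendering of the quoted query: a.arsTask.endDate becomes a join on the task key.
JOB_QUERY = """
SELECT a.ACCTENTKEY FROM ACCOUNT_ENTITLEMENTS1 a
JOIN ARSTASKS t ON t.TASKKEY = a.ARSTASKKEY
WHERE t.ENDDATE < :ed
  AND (a.ASSIGNEDFROMROLE > 0 OR a.ASSIGNEDFROMROLE IS NULL)
  AND (a.ASSIGNEDFROMROLES = '' OR a.ASSIGNEDFROMROLES IS NULL)
ORDER BY a.ACCTENTKEY"""

# Reconciliation check: the row's own end date disagrees with its linked task's.
DRIFT_QUERY = """
SELECT a.ACCTENTKEY, a.ARSTASKKEY, a.ENDDATE, t.ENDDATE
FROM ACCOUNT_ENTITLEMENTS1 a
LEFT JOIN ARSTASKS t ON t.TASKKEY = a.ARSTASKKEY
WHERE a.ENDDATE IS NOT t.ENDDATE
ORDER BY a.ACCTENTKEY"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def job_candidates(conn, now):
    return [r[0] for r in conn.execute(JOB_QUERY, {"ed": now})]

def enddate_drift(conn):
    return conn.execute(DRIFT_QUERY).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("job would revoke:", job_candidates(db, "2023-05-16 00:00:00"))
    print("drifted rows:", enddate_drift(db))
```

Row 1 is past its end date yet never appears in the job's result, which is the access that stays provisioned; the drift query is the kind of periodic check that surfaces it.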

Hi @Naveen_Talanos 

In the second step, when the end date is updated with task key 2434, this will update the entry in the account_ent1 table with the task key and end date, so the old task key is removed and the new one is added, and it will reflect the correct end date. Are you saying that the old task key is still present in the account_ent1 table?

 

Thanks

Darshan

Hi @Darshanjain 

Yes, it does not update the ARSTASKKEY in ACCOUNT_ENTITLEMENTS1 but rather updates the endDate against the old task key.

We have tested it thoroughly now.

Regards

Naveen

Hi @Naveen_Talanos 

It may be an older version which you are using where it's not yet fixed. I have checked the recent versions and the ARS taskkey gets updated in the account_ent1 table; you may need to get it updated to a newer version.

 

Thanks

Darshan

Hi @Darshanjain 

What version are you on? We are at 2021.

In your version, when the end date is updated, does the ARSTASKKEY get updated even when the task is waiting for the end date to be reached?

Thanks

Naveen

Hi @Naveen_Talanos 

Checked on 3.18 and v23 versions: the taskkey gets updated when WS retry runs, and the end date is updated in the account_ent1 table, as already said above.

Note: when the end date is updated, it can only be a future end date from now. When you run WS retry or manually complete it, it goes and updates the ARS taskkey and end date.

 

Thanks

Darshan

Then it must be a 2021 version issue.

Yes, agreed that the end date can only be in the future. But the scenario fails (in 2021) when I want to change this future date to earlier or later than the current future date. In this case a new ARSTASK is created in the ARSTASKS table with the new date, but this date is updated against the old taskkey in accounts_entitlement1.

So when the job runs, it reads arstaskkey from account_entitlement1 (old taskkey) and reads the end date against that taskkey from the arstasks table. Due to this, the remove access task is created as per the end date of the old task key and not the updated one.

Thanks

Yes, it could be the issue with 2021. Once you update it to v23 you can test it out.