
identity is not deactivated with user update rule

Roua
Regular Contributor

Hello,
Since in user update rule we can schedule the Disable user action, I used a workaround solution. Basically we have user.customproperty56 mapped in AD in user_attribute like the following: customproperty56::distinguishedName#String.
We have CP5 = HCM-Status, and once this value is "I " for inactive, a task to update the account and move it to a new OU is created. The new OU: CN=XXXXXX,OU=Exited OutOfOffice,OU=xxxx
A task to delete the account is scheduled for 90 days. Now, after running the AD_Provisioning job and full import, I run the following job so I can get this OU updated also in user:
customproperty56::distinguishedName#String.
The job:

Roua_0-1726825178998.png

To disable the identity after all the updates, I made a user update rule. First I used the basic config with "contains" OU=Exited OutOfOffice.
It didn't work, so I tried with an advanced query:
a.customproperty56 LIKE '%OU=Exited OutOfOffice%'
It still didn't get triggered. I made it to be triggered from updating through import and API.

What would be the issue or the fix in this case?

Thank you!




Amit_Malik
Valued Contributor II

@Roua ,

You can use sav4sav connector and trigger disable user account. That will disable user.

 

Kind Regards,
Amit Malik

Roua
Regular Contributor

Hello @Amit_Malik,
Thank you for your answer! Can you please explain more how to do it?
Basically, what should I configure in the sav4sav connector? Is there anything to add to the modify/import JSON?
Or, when creating a user update rule, do I just put the same conditions but select sav4sav in the action? Like this?

Roua_0-1727079306227.png

 

Amit_Malik
Valued Contributor II

In the sav4sav connector (REST), you can use the disable account JSON, call the Saviynt update user API v5/updateUser and set statuskey=0:

{ "username": "ABCCC11","statuskey": "0"}

If your sav4sav connector is DB based, then update the user table.

 

 

 

Kind Regards,
Amit Malik

Roua
Regular Contributor

So you mean basically sav4sav will disable the identity once the account is disabled? Is that why we use the disableaccount JSON?
I am thinking whether it's possible in modifyuserjson to make the condition check if CP56 has OU=Exited OutOfOffice and then set the statuskey to "0". Do you think it is correct? I will test it, but I want to understand the logic you gave me 🙂
Do you think it is a good practice?

NM
Honored Contributor II

Hi @Roua, can you share the user update rule config?

Because you need to include another condition when user 56 is updated and contains the OU name.

stalluri
Valued Contributor

@Roua 
The condition does not look correct. Try this below rule.
Users.customproperty56 is updated AND Users.customproperty56 like '%OU=Exited OutOfOffice%' AND

Screenshot 2024-09-21 at 7.54.41 PM.png


Best Regards,
Sam Talluri

Roua
Regular Contributor

Hello @stalluri @NM,
Thank you so much for answering! I did as you recommended, but the user update rule is still not getting triggered.
I have two user update rules:

Roua_0-1727078592214.png
Roua_1-1727078625363.png

 

Roua
Regular Contributor

Hello @Amit_Malik @NM @stalluri,

I added the following to my modifyuserjson in the sav4sav connector:

 

"UPDATE NEWUSERDATA NU SET NU.statuskey = '0' WHERE EXISTS (SELECT 1 FROM CURRENTUSERS CU WHERE NU.USERNAME = CU.USERNAME AND CU.customproperty56 LIKE '%OU=Exited OutOfOffice%')"

 

It worked, since I have the sav4sav updateuser job as the last in the job chain. But do you know if this is a good practice? If you confirm, I can keep it as a solution.
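
As an added example (not part of the post above and not Saviynt's own code): the condition LIKE '%OU=Exited OutOfOffice%' matches that text anywhere in customproperty56, so this Python sketch goes one step further and requires a whole OU component of the distinguishedName to match before building the { "username", "statuskey": "0" } body quoted earlier in the thread. The function names and sample records are constructed for illustration, and nothing here calls the API.

```python
import json

EXIT_OU = "Exited OutOfOffice"  # OU name taken from the thread

def split_dn(dn):
    """Split a distinguishedName into RDN strings, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escaped pair (e.g. "\,") together
            i += 2
            continue
        if ch == ",":                 # unescaped comma ends the current RDN
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def in_exit_ou(dn):
    """True only if a whole OU component equals EXIT_OU (case-insensitive)."""
    for rdn in split_dn(dn or ""):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU" and value.strip().lower() == EXIT_OU.lower():
            return True
    return False

def disable_payloads(users):
    """Build statuskey=0 bodies for users whose CP56 DN sits in the exit OU."""
    return [json.dumps({"username": u["username"], "statuskey": "0"})
            for u in users if in_exit_ou(u.get("customproperty56"))]

# Constructed sample records, not real data
SAMPLE = [
    {"username": "user1", "customproperty56": "CN=User One,OU=Exited OutOfOffice,OU=Corp,DC=example,DC=com"},
    {"username": "user2", "customproperty56": "CN=User Two,OU=Staff,DC=example,DC=com"},
    # Escaped comma: the exit-OU text is part of the CN value, not an OU
    {"username": "user3", "customproperty56": "CN=Team\\,OU=Exited OutOfOffice,OU=Staff,DC=example,DC=com"},
    {"username": "user4", "customproperty56": None},
    {"username": "user5", "customproperty56": "CN=User Five,ou=exited outofoffice,DC=example,DC=com"},
]

if __name__ == "__main__":
    for body in disable_payloads(SAMPLE):
        print(body)
```

The third sample record would satisfy the substring LIKE condition but is skipped here because the matching text is inside an escaped CN value.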

NM
Honored Contributor II

@Roua It would be fine, but it would be making the user inactive instantly.

Roua
Regular Contributor

Thank you for answering.
Yes, I mean once CP56 has "Exited OutOfOffice" the identity will be disabled, and since the sav4sav job is the last to be executed, all updates would already have been made before.
But do you mean that would cause a further issue?

Also, using the user update rule didn't work.