Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

identity is not deactivated with user update rule

Roua
Regular Contributor
Regular Contributor

Hello,
since in user update rule we can schedual the Disable user action, i used a work around solution, so basically we have user.customproperty56 mapped in AD in user_attribute like the following: customproperty56::distinguishedName#String.
we have CP5 = HCM-Status and once this value is "I " for inactive. task to update the account and move it to a new OU is created the new OU :CN=XXXXXX,OU=Exited OutOfOffice,OU=xxxx
and a task to delete the account is scheduled for 90 days. now after running the AD_Provisioning job and full import, i run the following job so i can get this ou updated also in user: 
 customproperty56::distinguishedName#String.
the JOB: 

Roua_0-1726825178998.png

and to disable the identity then after all the updates i made a user update rule first i used the basic config with "contains " OU=Exited OutOfOffice
it didn't work, so i tried with advanced query:
a.customproperty56 LIKE '%OU=Exited OutOfOffice%'
and still didn't get triggered, i made it to be triggered from updating through import and API.

what would be the issue or the fix in this case ? 

Thank you!



10 REPLIES 10

Amit_Malik
Valued Contributor II
Valued Contributor II

@Roua ,

You can use sav4sav connector and trigger disable user account. That will disable user.

 

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

Roua
Regular Contributor
Regular Contributor

Hello @Amit_Malik ,
Thank you for your answer! can you please explain more how to do it? 
so basically what should i configure in the sav4sav connector? is there anything to add to the modify/import json ?
or when creating a user update rule i just put the same conditions but in the action i select sav4sav? like this? 

Roua_0-1727079306227.png

 

Amit_Malik
Valued Contributor II
Valued Contributor II

in sav4sav connector(REST), you can use disable account JSON and call Saviynt update user API v5/updateUser and set statuskey=0

{ "username": "ABCCC11","statuskey": "0"}

If your sav 4 sav connector is DB based then update user table

 

 

 

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

Roua
Regular Contributor
Regular Contributor

so you mean basically sav4sav will disable the identity once the account is disabled? that is why we use disableaccount json ? 
i am thinking if it's possible in modifyuserjson to make the condition of checking if CP56 has OU=exited outofffice then set the statuskey to "0".. do you think it is correct? i will test it but want to understand the logic you gave me 🙂 
do you thin it is a good practice?

NM
Honored Contributor II
Honored Contributor II

Hi @Roua can you share user update rule config

Because you need to include another condition when user 56 is updated and contains the OU name

stalluri
Valued Contributor II
Valued Contributor II

@Roua 
The condition does not look correct. Try this below rule.
Users.customproperty56 is updated AND Users.customproperty56 like '%OU=Exited OutOfOffice%' AND

Screenshot 2024-09-21 at 7.54.41 PM.png


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

Roua
Regular Contributor
Regular Contributor

Hello @stalluri  @NM,
Thank you so much for answering! i did as you recommended but still the user update rule is not getting triggered.
i have two user update rules: 

Roua_0-1727078592214.pngRoua_1-1727078625363.png

 

Roua
Regular Contributor
Regular Contributor

Hello @Amit_Malik @NM @stalluri ,

i added the following to my modifyuserjson in sav4sav connector: 

 

"UPDATE NEWUSERDATA NU SET NU.statuskey = '0' WHERE EXISTS (SELECT 1 FROM CURRENTUSERS CU WHERE NU.USERNAME = CU.USERNAME AND CU.customproperty56 LIKE '%OU=Exited OutOfOffice%')"

 

it worked since i have the sav4sav updateuser job as last in the job chain. but do you know if this is a good practice? if you confirm so i can keep it as a solution. 

NM
Honored Contributor II
Honored Contributor II

@Roua would be fine but it would be making the user inactive instantly

Roua
Regular Contributor
Regular Contributor

Thank you for answering
yes i mean once the CP56 has "Exited outofofice" the identity will be disabled an since the sav4sav job is the last to be excuted, all updated would be already made before.
but do you mean that would case a further issue? 

also using the user update rule didn't work