09/20/2024 02:44 AM
Hello,
Since in the user update rule we can schedule the Disable user action, I used a workaround solution. Basically, we have user.customproperty56 mapped in AD in user_attribute like the following: customproperty56::distinguishedName#String.
We have CP5 = HCM-Status, and once this value is "I " for inactive, a task to update the account and move it to a new OU is created. The new OU: CN=XXXXXX,OU=Exited OutOfOffice,OU=xxxx
A task to delete the account is scheduled for 90 days. Now, after running the AD_Provisioning job and full import, I run the following job so I can get this OU updated also in user:
customproperty56::distinguishedName#String.
the JOB:
To disable the identity after all the updates, I made a user update rule. First I used the basic config with "contains" OU=Exited OutOfOffice
It didn't work, so I tried with an advanced query:
a.customproperty56 LIKE '%OU=Exited OutOfOffice%'
It still didn't get triggered. I made it to be triggered from updating through import and API.
What would be the issue or the fix in this case?
Thank you!
09/20/2024 10:40 AM
@Roua ,
You can use sav4sav connector and trigger disable user account. That will disable user.
09/23/2024 01:15 AM
Hello @Amit_Malik ,
Thank you for your answer! Can you please explain more how to do it?
So basically, what should I configure in the sav4sav connector? Is there anything to add to the modify/import JSON?
Or when creating a user update rule, do I just put the same conditions but select sav4sav in the action? Like this?
09/23/2024 01:50 AM
In the sav4sav connector (REST), you can use the disable account JSON and call the Saviynt update user API v5/updateUser and set statuskey=0:
{ "username": "ABCCC11","statuskey": "0"}
If your sav4sav connector is DB based, then update the user table.
09/23/2024 01:55 AM - edited 09/23/2024 01:56 AM
So you mean basically sav4sav will disable the identity once the account is disabled? That is why we use the disableaccount JSON?
I am thinking if it's possible in modifyuserjson to make the condition of checking if CP56 has OU=Exited OutOfOffice, then set the statuskey to "0". Do you think it is correct? I will test it but want to understand the logic you gave me 🙂
Do you think it is a good practice?
09/21/2024 03:28 AM - edited 09/21/2024 03:31 AM
Hi @Roua, can you share the user update rule config?
Because you need to include another condition when user 56 is updated and contains the OU name.
09/21/2024 05:55 PM - edited 09/21/2024 05:56 PM
@Roua
The condition does not look correct. Try the rule below.
Users.customproperty56 is updated AND Users.customproperty56 like '%OU=Exited OutOfOffice%' AND
09/23/2024 01:05 AM
09/23/2024 03:51 AM
Hello @Amit_Malik @NM @stalluri ,
I added the following to my modifyuserjson in the sav4sav connector:
"UPDATE NEWUSERDATA NU SET NU.statuskey = '0' WHERE EXISTS (SELECT 1 FROM CURRENTUSERS CU WHERE NU.USERNAME = CU.USERNAME AND CU.customproperty56 LIKE '%OU=Exited OutOfOffice%')"
It worked since I have the sav4sav updateuser job as last in the job chain. But do you know if this is a good practice? If you confirm so, I can keep it as a solution.
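The UPDATE from the post above, run against constructed data to show which identities a substring match on the distinguished name would disable. This is an added example, not part of the original post and not Saviynt code: it uses SQLite syntax, the table schemas, the rows and the "1 means active" status value are assumptions, and the comma-anchored pattern is a suggested alternative.

```python
import sqlite3

# Constructed sample rows. Table and column names follow the query in the post;
# the schema, the DNs and statuskey '1' = active are assumptions for this example.
ROWS = [
    ("alice", "CN=alice,OU=Exited OutOfOffice,OU=corp"),         # moved by the AD task
    ("bob", "CN=bob,OU=Staff,OU=corp"),                          # still active
    ("carol", "CN=carol,OU=Exited OutOfOffice-Rehire,OU=corp"),  # similarly named OU
    ("dave", None),                                              # DN not imported yet
]

LOOSE = "%OU=Exited OutOfOffice%"       # pattern used in the post
ANCHORED = "%,OU=Exited OutOfOffice,%"  # matches the OU only as a complete RDN


def disabled_users(pattern):
    """Apply the post's UPDATE with the given LIKE pattern; return users set to '0'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CURRENTUSERS (USERNAME TEXT, customproperty56 TEXT)")
    db.execute("CREATE TABLE NEWUSERDATA (USERNAME TEXT, statuskey TEXT)")
    db.executemany("INSERT INTO CURRENTUSERS VALUES (?, ?)", ROWS)
    db.executemany("INSERT INTO NEWUSERDATA VALUES (?, '1')", [(u,) for u, _ in ROWS])
    db.execute(
        """UPDATE NEWUSERDATA SET statuskey = '0'
           WHERE EXISTS (SELECT 1 FROM CURRENTUSERS CU
                         WHERE CU.USERNAME = NEWUSERDATA.USERNAME
                           AND CU.customproperty56 LIKE ?)""",
        (pattern,),
    )
    rows = db.execute(
        "SELECT USERNAME FROM NEWUSERDATA WHERE statuskey = '0' ORDER BY USERNAME"
    ).fetchall()
    db.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("loose   :", disabled_users(LOOSE))     # alice and carol
    print("anchored:", disabled_users(ANCHORED))  # alice only
```

A user whose customproperty56 is still NULL is never matched, which is why the import that fills the DN has to run before this update in the job chain.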
09/23/2024 04:15 AM
@Roua would be fine but it would be making the user inactive instantly
09/23/2024 04:20 AM
Thank you for answering.
Yes, I mean once the CP56 has "Exited OutOfOffice" the identity will be disabled, and since the sav4sav job is the last to be executed, all updates would already be made before.
But do you mean that would cause a further issue?
Also, using the user update rule didn't work.