
Initial Load Rule Repair

Chamundeeswari
New Contributor III

Hi,

We have technical rules that create new accounts as a birthright, let's say an AD account, and add a bunch of accesses. When we perform an Initial Load in production, how do we ensure Saviynt doesn't try to create new accounts for existing users who already have an AD account? And make sure Saviynt is not creating any duplicate "Add Access" tasks for users who have existing accesses? Is "Repair Rule to User mappings" the solution for this?

Thanks and Cheers!


NM
Honored Contributor II

Hi @Chamundeeswari, Saviynt handles it automatically. If the account is present, it won't create a task.

Chamundeeswari
New Contributor III

And what about accesses? Of course the accesses already exist without the rule. So, will Saviynt automatically recognize them as rule-based and only add additional access that the users do not have?

NM
Honored Contributor II

indra_hema_95
Regular Contributor III

Hi @Chamundeeswari, for the initial data load, make sure your account name rule matches the existing account names in AD; otherwise it can create duplicate accounts. For example, if your account name rule is FirstName.LastName (John.Doe) but you have the same user in AD with FirstName First Initial+LastName (J.Doe).

For access, it doesn't add duplicates if the access is already there.

Regards,

Indra 
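
The account-name mismatch described in the post above can be checked before the initial load. The following is an added example, not part of the thread and not Saviynt code: it compares the name a rule would generate with the names already present in AD. The CSV layouts, column names, sample rows and the `account_name_rule` function are all assumptions made for illustration, and users are assumed to be already correlated to their accounts by `username`.

```python
import csv
import io

# Constructed sample exports (not from the thread): HR users, and the AD
# accounts already correlated to those users.
HR_USERS = """username,firstname,lastname
jdoe,John,Doe
asmith,Alice,Smith
bwayne,Bruce,Wayne
"""
AD_ACCOUNTS = """username,account_name
jdoe,J.Doe
asmith,alice.smith
"""

def account_name_rule(user):
    # Hypothetical stand-in for the account name rule: FirstName.LastName
    return f"{user['firstname']}.{user['lastname']}"

def preload_check(hr_csv, ad_csv, rule=account_name_rule):
    """Bucket HR users by how the rule's name compares with existing accounts."""
    existing = {}
    for row in csv.DictReader(io.StringIO(ad_csv)):
        existing.setdefault(row["username"], []).append(row["account_name"])
    report = {"match": [], "mismatch": [], "no_account": []}
    for user in csv.DictReader(io.StringIO(hr_csv)):
        expected = rule(user)
        names = existing.get(user["username"], [])
        if not names:
            # No account yet: a birthright rule would be expected to create one.
            report["no_account"].append((user["username"], expected))
        elif expected.casefold() in (n.casefold() for n in names):
            # AD account names compare case-insensitively.
            report["match"].append((user["username"], expected))
        else:
            # Account exists under a different name: the duplicate-account risk.
            report["mismatch"].append((user["username"], expected, names))
    return report

if __name__ == "__main__":
    for bucket, rows in preload_check(HR_USERS, AD_ACCOUNTS).items():
        print(bucket, rows)
```

Every row in the `mismatch` bucket is a user whose existing account name differs from what the rule would produce, so either the rule or the imported account name needs to be reconciled before rules are enabled.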

rushikeshvartak
All-Star
  • Keep rules disabled during the initial load.
  • If rules are enabled, missing user with account will get created.
  • If you have to fix all existing users, keep rules enabled.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Chamundeeswari
New Contributor III

My plan is to not add any rules in the beginning. Only import users and accounts. Then, after the imports, I will have the rules created and run the HR import one more time to see if any new tasks are created.

That's a perfect plan.


Regards,
Rushikesh Vartak

NM
Honored Contributor II

Sounds good.

Chamundeeswari
New Contributor III

Great! 😄 Could someone explain how "Repair Rule to User mappings" works in the backend? It might help a lot going forward. And how have you configured it in your environments?

stalluri
Valued Contributor II

@Chamundeeswari 

It is a retrofit job that can be used to populate a few values in the Account_entitlement1 table.

  1. https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter05-Policies/Repairing-Rule-U...
  2. https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter02-Identity-Repository/Repai...
  • After running these jobs, the associations get populated in the account_entitlement1 table (assignedFromRule, assignedFromRole and assignedFromRoles). If they are populated, then on the next run, if the condition fails, it will remove access. If the new condition matches, it will assign the new access.

Saviynt suggests running these jobs every week.




Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

  • If there is any missing mapping on an entitlement for where it was assigned from (assignedfromrule column in the account_entitlements1 table), then it gets populated by the above job.
  • Why is it important?
    • During a detective rule, the "remove existing access if birth rule fails" flag needs the assigned-from-rule value to identify which access was previously assigned by a rule.

Regards,
Rushikesh Vartak