08/28/2024 10:14 AM
Hello Saviynt team,
I'm migrating Dynamic Groups from MIM to Saviynt and using Analytics, the Default_Action_For_Analytics to determine whether to "Provision Access" or "Deprovision Access" based on user criteria. The analytics work fine when Saviynt provisions the access. However, if the access is granted in Active Directory and imported into Saviynt, the analytic detects the need for Deprovision Access but doesn’t create the task.
I noticed that in the account_entitlements1 table, entries not provisioned by Saviynt lack an arstaskkey, which might be why the Remove Access task isn't generated.
Here's the query I'm using:
SELECT
    '23' as 'entvaluekey',
    a.accountkey as 'acctKey',
    a.name as 'accName',
    u.userkey as 'userKey',
    CASE
        WHEN ev.entitlement_valuekey IS NULL
            AND u.statuskey = 1
            AND u.companyname = '1000'
            AND (a.status = 1 OR a.status = 'Manually Provisioned')
        THEN 'Provision Access'
        WHEN ev.entitlement_valuekey = '23'
            AND (u.statuskey != 1
                OR u.companyname != '1000'
                OR (a.status != 1 AND a.status != 'Manually Provisioned'))
        THEN 'Deprovision Access'
        ELSE NULL
    END as Default_Action_For_Analytics
FROM
    users u
JOIN
    user_accounts ua ON u.userkey = ua.userkey
JOIN
    accounts a ON ua.accountkey = a.accountkey
LEFT JOIN
    account_entitlements1 ae ON a.accountkey = ae.accountkey
LEFT JOIN
    entitlement_values ev ON ae.entitlement_valuekey = ev.entitlement_valuekey
    AND ev.entitlement_valuekey = '23'
WHERE
    (u.statuskey = 1
        AND u.companyname = '1000'
        AND (a.status = 1 OR a.status = 'Manually Provisioned'))
    OR (ev.entitlement_valuekey = '23')
Could you advise on how to ensure Deprovision Access tasks are generated for access imported from AD?
Thanks
08/28/2024 10:24 AM
08/28/2024 10:41 AM
I added both configs, but it is still not triggering the task. Note that in the analytic it says 'Task created', but it's neither created nor shown as completed.
08/28/2024 11:10 AM
I've tested the scenario where access is granted in AD and then imported into Saviynt. After running the analytics job, no task is created. However, if I manually update the user to meet the rule and then update again to not meet it, the job generates the Remove Access task as expected.
What could be causing the task to only generate after a manual update to the user when the access was granted out of Saviynt?
08/28/2024 11:16 AM
Delete all report history and validate.
08/28/2024 03:22 PM
It only works when I delete all the history, and I cannot set NOOFHISTORYTOKEEP=0, how should we do it?
08/28/2024 06:17 PM
@markmch
Ensure you enable the check box at the Job level and select the action on the analytics.
08/28/2024 07:08 PM
08/29/2024 01:10 AM
Hi @markmch keep base count 1 or add a current time and date column in report.
08/29/2024 08:45 AM
I put base count = 1 as shown, but still can only generate Remove task if the Analytics History is empty. What should be the name of the date column?
08/29/2024 09:52 AM
08/29/2024 10:12 AM
Yes, it's running from a RunAllAnalyticsJob with filter. Number of History to Keep=2, Base Count =1, but still doesn't trigger the Remove Access task if it has history.
08/29/2024 10:17 AM
Job is run manually, will it affect?
08/29/2024 10:19 AM
@markmch schedule the job.
08/29/2024 10:40 AM
08/29/2024 10:32 AM
08/29/2024 08:48 AM
Hi @markmch, keep history more than 1 and base count 1.
And for the column name, any column name should work.
08/29/2024 11:02 AM
Thank you all, it worked after adding base count=1, and a current date column in the query.
08/29/2024 11:13 AM
Please accept solution and give kudos.