Issue with Default_Action_For_Analytics and Deprovisioning Access for Imported AD Access

markmch
New Contributor

Hello Saviynt team,

I'm migrating Dynamic Groups from MIM to Saviynt and using Analytics, the Default_Action_For_Analytics, to determine whether to "Provision Access" or "Deprovision Access" based on user criteria. The analytics work fine when Saviynt provisions the access. However, if the access is granted in Active Directory and imported into Saviynt, the analytic detects the need for Deprovision Access but doesn’t create the task.

I noticed that in the account_entitlements1 table, entries not provisioned by Saviynt lack an arstaskkey, which might be why the Remove Access task isn't generated.

Here's the query I'm using:

SELECT
    '23' as 'entvaluekey',
    a.accountkey as 'acctKey',
    a.name as 'accName',
    u.userkey as 'userKey',
    CASE
        WHEN ev.entitlement_valuekey IS NULL
            AND u.statuskey = 1
            AND u.companyname = '1000'
            AND (a.status = 1 OR a.status = 'Manually Provisioned')
        THEN 'Provision Access'
        WHEN ev.entitlement_valuekey = '23'
            AND (u.statuskey != 1
                OR u.companyname != '1000'
                OR (a.status != 1 AND a.status != 'Manually Provisioned'))
        THEN 'Deprovision Access'
        ELSE NULL
    END as Default_Action_For_Analytics
FROM
    users u
JOIN
    user_accounts ua ON u.userkey = ua.userkey
JOIN
    accounts a ON ua.accountkey = a.accountkey
LEFT JOIN
    account_entitlements1 ae ON a.accountkey = ae.accountkey
LEFT JOIN
    entitlement_values ev ON ae.entitlement_valuekey = ev.entitlement_valuekey
    AND ev.entitlement_valuekey = '23'
WHERE
    (u.statuskey = 1
        AND u.companyname = '1000'
        AND (a.status = 1 OR a.status = 'Manually Provisioned'))
    OR (ev.entitlement_valuekey = '23')

Could you advise on how to ensure Deprovision Access tasks are generated for access imported from AD?

Thanks

19 REPLIES

rushikeshvartak
All-Star
  • Enable the options below:
    • Endpoint level
    • Entitlement Type level

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

I added both configs, but it is still not triggering the task. Note that in the analytic it says 'Task created', but it is neither created nor shown as completed.

I've tested the scenario where access is granted in AD and then imported into Saviynt. After running the analytics job, no task is created. However, if I manually update the user to meet the rule and then update again to not meet it, the job generates the Remove Access task as expected.

What could be causing the task to only generate after a manual update to the user when the access was granted outside of Saviynt?

Delete all report history and validate.


Regards,
Rushikesh Vartak

It only works when I delete all the history, and I cannot set NOOFHISTORYTOKEEP=0, how should we do it?

stalluri
Valued Contributor II

@markmch 
Ensure you enable the check box at the Job level and select the action on the analytics.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

  • Keep base count =1 

Regards,
Rushikesh Vartak

I put base count = 1 as shown, but I can still only generate the Remove task if the Analytics History is empty.


NM
Honored Contributor III

Hi @markmch, keep base count 1 or add a current time and date column in the report.


markmch
New Contributor

I put base count = 1 as shown, but I can still only generate the Remove task if the Analytics History is empty. What should be the name of the date column?


  • How are you running the report?
  • The report needs to be scheduled from a Job.

Regards,
Rushikesh Vartak

Yes, it's running from a RunAllAnalyticsJob with filter. Number of History to Keep=2, Base Count =1, but still doesn't trigger the Remove Access task if it has history.


The job is run manually; will that affect it?

NM
Honored Contributor III

@markmch schedule the job.


stalluri
Valued Contributor II

@markmch 

  • Are there any duplicate entitlement tasks present for the same account and user in the pending tasks? If yes, discontinue them.
  • Keep history = 2 and base count = 1
  • Try adding sub-categories to Analytics and add them at the job level.
  • You can run the job manually. It will not have any impact. 

Best Regards,
Sam Talluri

  • Are there any open tasks already?

Regards,
Rushikesh Vartak

NM
Honored Contributor III

Hi @markmch, keep history more than 1 and base count 1.

And for the column name, any column name should work.


markmch
New Contributor

Thank you all, it worked after adding base count=1, and a current date column in the query.
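
The fix the thread settled on (a current date column in the query), applied to the query from the question. This is an added example, not code posted by anyone in the thread: the column name RUN_TIME is a hypothetical choice, NOW() assumes a MySQL-style database, and the entitlement filter is moved into the join so that an account's other entitlements do not produce extra rows.

```sql
-- Added example, not from the thread. Entitlement key 23 and company '1000'
-- come from the original query; RUN_TIME is a hypothetical column name.
SELECT
    '23'         AS 'entvaluekey',
    a.accountkey AS 'acctKey',
    a.name       AS 'accName',
    u.userkey    AS 'userKey',
    NOW()        AS 'RUN_TIME',  -- current date column, the change reported in the thread
    CASE
        -- Eligible user/account that does not hold entitlement 23 yet
        WHEN ae.entitlement_valuekey IS NULL
             AND u.statuskey = 1
             AND u.companyname = '1000'
             AND (a.status = 1 OR a.status = 'Manually Provisioned')
            THEN 'Provision Access'
        -- Holds entitlement 23 (however it was granted) but is no longer eligible
        WHEN ae.entitlement_valuekey IS NOT NULL
             AND (u.statuskey != 1
                  OR u.companyname != '1000'
                  OR (a.status != 1 AND a.status != 'Manually Provisioned'))
            THEN 'Deprovision Access'
        ELSE NULL
    END AS Default_Action_For_Analytics
FROM users u
JOIN user_accounts ua ON u.userkey = ua.userkey
JOIN accounts a ON ua.accountkey = a.accountkey
-- Join only the row for entitlement 23, so each account yields at most one
-- row and rows for unrelated entitlements never reach the CASE expression.
LEFT JOIN account_entitlements1 ae
       ON ae.accountkey = a.accountkey
      AND ae.entitlement_valuekey = 23
WHERE
    (u.statuskey = 1
     AND u.companyname = '1000'
     AND (a.status = 1 OR a.status = 'Manually Provisioned'))
    OR ae.entitlement_valuekey IS NOT NULL
```

Base count = 1 is set in the analytics configuration discussed in the thread, not in the SQL.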

NM
Honored Contributor III

Please accept solution and give kudos.
