We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Issue with Remove Access task for profile removal from salesforce

Anu
Regular Contributor
Regular Contributor

We have configured a target salesforce application using the REST Connector. Upon a Role removal a remove access task gets triggered for 'profile' entitlement type. However upon provisioning the task doesnot gets processed as in salesforce profile is an mandatory attribute for any user. 

Due to the profile task not getting processed the user role also doesnt get removed in Saviynt.

Could you please suggest an approach on the Remove access task for 'profile' can be handled in Saviynt so that the role can be removed.

24 REPLIES 24

SumathiSomala
All-Star
All-Star

@Anu What is request-option for entitlement types under endpoint?

 

 

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Anu
Regular Contributor
Regular Contributor

@SumathiSomala For Profile the request option we have marked as dropdown(single) because we have profile prioritization configuration enabled.

@Anu Please check Create Task Action under profile entitlement details page

Keep Create Task Action as No action from dropdown and then try

SumathiSomala_0-1703003152297.png

 

 

Regards,
Sumathi Somala
If this reply answered your question, please Accept As Solution and give Kudos.

Anu
Regular Contributor
Regular Contributor

@SumathiSomala We already have Create Task Action set as No action configured by default for profile entitlement type

rushikeshvartak
All-Star
All-Star

enable below for Ent type - Profile

rushikeshvartak_0-1703004708887.png

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

@rushikeshvartak We already have an remove access task getting generated for profile. All remove access task gets provisioned successful however only the profile removal task task fails because salesforce doesnot allow removal of profile. Is there an option to just complete this task in Savinyt?

@Anu : You have to handle the logic in your RemoveAccessJSON in such a way that if entitlement type is profile then give some success msg otherwise call your actual remove logic.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Salesforce connector does not have JSONs


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

@AnuI thought you are using REST connector as per issue description instead of salesforce connector. If not please ignore my response. 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Anu
Regular Contributor
Regular Contributor

@sk Its a REST based implementation . Can you please share a sample on how the profile task can be handled in removeJSON for task to be just completed in Saviynt without any action in target

If its rest call dummy api and complete task. 
what is siga?

      "Profile": {
            "callOrder": 1,
            "dummyCall": true,
            "stageNumber": 4
        }

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

Hi @rushikeshvartak As suggested we have added a dummy call in remove Access Json but one of the usecase if failing.

working usecase: When user submits only remove role request it is working as expected.

Not working usecase: when user already has Role A and User submit request for new Role B and remove Role A(In single request). All the Add Access and remove task gets triggered as expected however the newly added Role B 'profile' add access task remains in "new" state with below error.

{"Profile":{"headers":null,"message":[{"message":"unable to obtain exclusive access to this record or 1 records: xxxxxx","errorCode":"UNABLE_TO_LOCK_ROW","fields":[]}],"statusCode":500,"description":null,"status":"Failed"}}

Please note we also have profile prioritization enabled.

Could you please assist on how to fix the same.

Share json


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

@rushikeshvartak PFA addaccess and remove accessjson

In add access - check if user already have profile if yes dont call add profile api


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

@rushikeshvartak Thanks for the update. As part of different roles we have different profiles mapped so we cannot have this condition added.

Use Task execution Hierarchy from global config which will remove the profile first then add


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

Hi @rushikeshvartak  As its a global platform with multiple applications we are not allowed to make any changes to the global configs . Could you please provide another alternate? Below i have provided the failed test case scenario.

Unsuccessful testcase: User submits ADD role(High priority profile entitlement) and REMOVE role (low priority)
Result: Remove Access for profile(low priority) task status is 'No Action Required' hence the Add access profile task remains in 'New' Status.
Error :{"Profile":{"headers":null,"message":[{"message":"unable to obtain exclusive access to this record or 1 records: 00e58000000z9NvAAI","errorCode":"UNABLE_TO_LOCK_ROW","fields":[]}],"statusCode":500,"description":null,"status":"Failed"}}

Successful Testcase: User submits ADD role (low priority profile task) and REMOVE role (high priority)
Result: All the Add Access and Remove Access tasks completes as expected

Solution is global configuration only. This has been implemented in our customer.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

You can discontinue task using customquery  job before WSRETRY


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

@rushikeshvartak Thanks for the response. If we discontinue the task using custom query the task would get completed but the actual profile entitlement would not go from users which means the role also would not get removed. Is there an option to complete the task and have the respective entitlement removed from saviynt so that the role also gets removed?

Enable - Create Dependent task under Endpoint level and validate 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Anu
Regular Contributor
Regular Contributor

@rushikeshvartak We already have this configuration enabled

Please disable and re-test


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.