Saviynt Forums

@SumathiSomala For Profile the request option we have marked as dropdown(single) because we have profile prioritization configuration enabled.

@Anu Please check Create Task Action under profile entitlement details page

Keep Create Task Action as No action from dropdown and then try

@SumathiSomala We already have Create Task Action set as No action configured by default for profile entitlement type

@rushikeshvartak We already have an remove access task getting generated for profile. All remove access task gets provisioned successful however only the profile removal task task fails because salesforce doesnot allow removal of profile. Is there an option to just complete this task in Savinyt?

@Anu : You have to handle the logic in your RemoveAccessJSON in such a way that if entitlement type is profile then give some success msg otherwise call your actual remove logic.

Salesforce connector does not have JSONs

@AnuI thought you are using REST connector as per issue description instead of salesforce connector. If not please ignore my response. 

@sk Its a REST based implementation . Can you please share a sample on how the profile task can be handled in removeJSON for task to be just completed in Saviynt without any action in target

If its rest call dummy api and complete task. 
what is siga?

      "Profile": {
            "callOrder": 1,
            "dummyCall": true,
            "stageNumber": 4
        }

Hi @rushikeshvartak As suggested we have added a dummy call in remove Access Json but one of the usecase if failing.

working usecase: When user submits only remove role request it is working as expected.

Not working usecase: when user already has Role A and User submit request for new Role B and remove Role A(In single request). All the Add Access and remove task gets triggered as expected however the newly added Role B 'profile' add access task remains in "new" state with below error.

{"Profile":{"headers":null,"message":[{"message":"unable to obtain exclusive access to this record or 1 records: xxxxxx","errorCode":"UNABLE_TO_LOCK_ROW","fields":[]}],"statusCode":500,"description":null,"status":"Failed"}}

Please note we also have profile prioritization enabled.

Could you please assist on how to fix the same.

Share json

@rushikeshvartak PFA addaccess and remove accessjson

In add access - check if user already have profile if yes dont call add profile api

@rushikeshvartak Thanks for the update. As part of different roles we have different profiles mapped so we cannot have this condition added.

Use Task execution Hierarchy from global config which will remove the profile first then add

Hi @rushikeshvartak  As its a global platform with multiple applications we are not allowed to make any changes to the global configs . Could you please provide another alternate? Below i have provided the failed test case scenario.

Unsuccessful testcase: User submits ADD role(High priority profile entitlement) and REMOVE role (low priority)
Result: Remove Access for profile(low priority) task status is 'No Action Required' hence the Add access profile task remains in 'New' Status.
Error :{"Profile":{"headers":null,"message":[{"message":"unable to obtain exclusive access to this record or 1 records: 00e58000000z9NvAAI","errorCode":"UNABLE_TO_LOCK_ROW","fields":[]}],"statusCode":500,"description":null,"status":"Failed"}}

Successful Testcase: User submits ADD role (low priority profile task) and REMOVE role (high priority)
Result: All the Add Access and Remove Access tasks completes as expected

Solution is global configuration only. This has been implemented in our customer.

You can discontinue task using customquery  job before WSRETRY

@rushikeshvartak Thanks for the response. If we discontinue the task using custom query the task would get completed but the actual profile entitlement would not go from users which means the role also would not get removed. Is there an option to complete the task and have the respective entitlement removed from saviynt so that the role also gets removed?

Enable - Create Dependent task under Endpoint level and validate 

@rushikeshvartak We already have this configuration enabled

Please disable and re-test