02/07/2024 08:18 PM - edited 02/07/2024 08:21 PM
I have a use case to force users to select certain custom attributes (configured as dynamic attributes) when selecting an AD entitlement (this is related to the use case posted earlier at https://forums.saviynt.com/t5/identity-governance/mandate-business-justification-based-on-a-user-sel...). Because the relationship is always from dynamic attribute to entitlements and not the other way round, I created a logical AD app using the endpoints filter on the parent AD connection. The dynamic attributes were then configured on this logical (aka child) AD app for the desired functionality.
Because the security system is common between the parent AD app (which supports new hire use case from HR source for birthright provisioning) and the child AD app, when the request of the child AD app is rejected for the entitlement, the overall status remains pending because the new account request is still pending approval but there is no way to approve it.
See below 2 screenshots:
The workflow configuration is as follows:
If I enable Create Task on the security system as Entitlements Only, then the new hire use case fails because there is no new account pending task for Saviynt to process in order to add the birthright groups. But with Create Task being blank, the rejection of the request on the child AD app results in the request remaining in Pending status.
Any suggestions on how to go about this?
02/07/2024 08:33 PM
Remove language groovy from "New Account" block
02/08/2024 04:48 AM
This did not help as the request is still in pending status.
02/08/2024 08:54 PM
Use brackets
02/09/2024 06:07 AM
Looks like I found the solution. It looks like Saviynt has solved the issue in the latest versions of the product compared to 5.5sp2. Even after configuring Entitlements Only in the create task config of the parent AD security system, new hire AD provisioning works without creating a New Account pending task. This also helps request a new account on the logical AD app. I will continue to test and report if I see any discrepancies.
Thanks for all the inputs.