Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Logical AD app account request remains pending when request is rejected

krecpond
New Contributor III
New Contributor III

‎02/07/2024 08:18 PM - edited ‎02/07/2024 08:21 PM

I have a use case to force users to select certain custom attributes (configured as dynamic attributes) when selecting an AD entitlement (This is related to the use case posted earlier at https://forums.saviynt.com/t5/identity-governance/mandate-business-justification-based-on-a-user-sel...). Because the relationship is always from dynamic attribute to entitlements and not the other way round, I created a logical AD app using the endpoints filter on the parent AD connection. The dynamic attributes were then configured on this logical (aka child AD app) for the desired functionality.

Because the security system is common between the parent AD app (which supports new hire use case from HR source for birthright provisioning) and the child AD app, when the request of the child AD app is rejected for the entitlement, the overall status remains pending because the new account request is still pending approval but there is no way to approve it.

See below 2 screenshots:

krecpond_0-1707365644440.png

krecpond_1-1707365732066.png

The workflow configuration is as follows:

krecpond_2-1707365803428.png

 

If enable Create Task on the security system as Entitlements Only, then the new hire usecase fails because there is no new account pending task for Saviynt to process in order to add the birthright groups. But with Create Task being blank, then the rejection of the request on the child AD app results in the request remaining in Pending status.

Any suggestions on how to go about this??

0 Kudos
4 REPLIES 4

rushikeshvartak
All-Star
All-Star

‎02/07/2024 08:33 PM

Remove language groovy from "New Account" block


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

krecpond
New Contributor III
New Contributor III
In response to rushikeshvartak

‎02/08/2024 04:48 AM

This did not help as the request is still in pending status.

krecpond_0-1707396474460.png

 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to krecpond

‎02/08/2024 08:54 PM

use brackets

rushikeshvartak_0-1707454447949.png

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

krecpond
New Contributor III
New Contributor III

‎02/09/2024 06:07 AM

Looks like I found the solution. It looks like Saviynt has solved the issue in the latest versions of the product compared to 5.5sp2. Even after configuring Entitlements Only in the create task config of the parent AD security system, new hire AD provisioning works without creating a New Account pending task. This also helps request a new account on the logical AD app. I will continue to test and report if I see any discrepancies.

Thanks for all the inputs.

0 Kudos
Copyright © 2024 Khoros, LLC