04/08/2024 04:49 PM
Hi, coming to the community for advice to ask if they've seen this before.
Issue: New Account tasks created where an Inactive Account already exists on the Endpoint
We have an 'AD' type Connection to our OpenLDAP directory. We have Disabled/made Inactive accounts for departed users in the Directory, which show as Inactive in Saviynt. However, it is generating New Account tasks for these Users. (These tasks cannot complete successfully because the account still exists, disabled in OpenLDAP).
The users do fall within the Technical/Provisioning Rule for the account, but as the account is Inactive, we don't think there should be a New Account Task generated.
Setting "Disable New Account Request If Account Already Exists" in the Endpoint, and a "Check Unique Account" Rule of All in the Endpoint Account Name Rule, does not prevent creation of these New Account tasks.
This is similar to "New account created for users with inactive account" but not identical, though that issue had no resolution and can no longer be commented, so I am creating a new topic.
We're trying to understand why the New Account tasks are being generated when the Inactive Account already exists on the Endpoint and is still linked to the User. Any suggestions or advice is appreciated.
Many thanks,
Ian
04/08/2024 05:07 PM
Is the user linked to the inactive account?
Please share the account name rule.
04/08/2024 05:43 PM
Hi, thanks for your reply.
Yes, the inactive accounts are still linked to their original user.
Account Name Rule:
SQL Query: concat('uid=',users.customproperty51,',ou=useraccounts,dc=canterbury,dc=ac,dc=nz')
Special Characters: ,=
We usually don't enforce 'Check Unique Account', but when I tried applying it in our PreProd environment, I could still replicate the New Account task behaviour.
04/08/2024 06:38 PM
04/08/2024 06:51 PM
Only this application; there is a separate Active Directory Endpoint and Connection where Inactive accounts are working as intended, with no New Account tasks.
Thanks for the suggestion- the production system has never had 'Check Unique' attribute set, I was testing it in PreProd.
04/08/2024 07:07 PM
Share the logs once the required changes are done.
04/08/2024 08:58 PM
Are you thinking of anything specific from the logs? They are very verbose.
04/08/2024 05:48 PM
To be clear, customproperty51 here stores the value used as the account uid, and continues to do so for the users with Inactive accounts.