
New Account tasks created where an Inactive Account already exists

Ian
New Contributor II

Hi, coming to the community for advice to ask if they've seen this before.

Issue: New Account tasks created where an Inactive Account already exists on the Endpoint

We have an 'AD' type Connection to our OpenLDAP directory. We have Disabled/made Inactive accounts for departed users in the Directory, which show as Inactive in Saviynt. However, it is generating New Account tasks for these Users. (These tasks cannot complete successfully because the account still exists, disabled in OpenLDAP).

The users do fall within the Technical/Provisioning Rule for the account, but as the account is Inactive, we don't think there should be a New Account Task generated.

Setting "Disable New Account Request If Account Already Exists" in the Endpoint, and "Check Unique Account" Rule of All in the Endpoint Account Name Rule, does not prevent creation of these New Account tasks.

This is similar to "New account created for users with inactive account" but not identical, though that issue had no resolution and can no longer be commented, so I am creating a new topic.

We're trying to understand why the New Account tasks are being generated when the Inactive Account already exists on the Endpoint and is still linked to the User. Any suggestions or advice is appreciated.

Many thanks,

Ian


rushikeshvartak
All-Star

Is the user linked to the inactive account?

Please share the account name rule.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Ian
New Contributor II

Hi, thanks for your reply.

Yes, the inactive accounts are still linked, to their original user.

Account Name Rule-

SQL Query: concat('uid=',users.customproperty51,',ou=useraccounts,dc=canterbury,dc=ac,dc=nz')

Special Characters: ,=

We usually don't enforce 'Check Unique Account', but when I tried applying it in our PreProd environment, I could still replicate the New Account task behaviour.

  • Do you see the same behavior with other applications, or is this specific to this endpoint?
  • Delete the full account name rule and re-add it without the Check Unique attribute.

Regards,
Rushikesh Vartak

Ian
New Contributor II

Only this application. There is a separate Active Directory Endpoint and Connection where Inactive accounts are working as intended, with no New Account tasks.

Thanks for the suggestion. The production system has never had the 'Check Unique' attribute set; I was testing it in PreProd.

Share logs once the required changes are done.


Regards,
Rushikesh Vartak

Ian
New Contributor II

Are you thinking of anything specific from the logs? They are very verbose.

Ian
New Contributor II

To be clear, customproperty51 here stores the value used as the account uid, and continues to do so for the users with Inactive accounts.
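A dry-run check for the account name rule posted above, as an added example that is not Saviynt's code or anyone's in this thread. It assumes a placeholder base DN, a constructed user list keyed by customproperty51, and a constructed directory export carrying an active flag, and reports for each user whether the DN the rule would produce is absent, exists and active, or exists and inactive (the case this thread is about).

```python
"""Added example: dry-run the thread's account name rule against a directory export."""
from dataclasses import dataclass

# Assumption: placeholder suffix standing in for the thread's real base DN.
BASE_SUFFIX = ",ou=useraccounts,dc=example,dc=org"

# Characters that must be escaped inside an RDN value (RFC 4514); the thread's
# rule lists ',' and '=' as special characters, and this set covers those too.
DN_SPECIAL = set(',=+<>#;"\\')


def escape_rdn_value(value: str) -> str:
    """Backslash-escape DN-special characters and leading/trailing spaces."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in DN_SPECIAL or edge_space else ch)
    return "".join(out)


def account_name(customproperty51: str) -> str:
    """Mirror of the posted rule: concat('uid=', customproperty51, suffix)."""
    return "uid=" + escape_rdn_value(customproperty51) + BASE_SUFFIX


@dataclass
class DirectoryEntry:
    dn: str
    active: bool


def classify(users: dict, directory: list) -> dict:
    """Map each user key to 'absent', 'exists-active' or 'exists-inactive'."""
    by_dn = {e.dn.lower(): e for e in directory}  # DNs compare case-insensitively
    result = {}
    for user, cp51 in users.items():
        entry = by_dn.get(account_name(cp51).lower())
        if entry is None:
            result[user] = "absent"
        else:
            result[user] = "exists-active" if entry.active else "exists-inactive"
    return result


# Constructed sample data: u2's account exists but is disabled.
USERS = {"u1": "asmith", "u2": "bjones", "u3": "cnew"}
DIRECTORY = [
    DirectoryEntry("uid=asmith" + BASE_SUFFIX, active=True),
    DirectoryEntry("uid=bjones" + BASE_SUFFIX, active=False),
]

if __name__ == "__main__":
    for user, state in classify(USERS, DIRECTORY).items():
        print(user, state)
```

Users reported as "exists-inactive" are the ones for which a New Account task would collide with a disabled entry, so that list is what to compare against the tasks Saviynt generates.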