Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

New Account tasks created where an Inactive Account already exists

Ian
New Contributor II
New Contributor II

Hi, coming to the community for advice to ask if they've seen this before.

Issue: New Account tasks created where an Inactive Account already exists on the Endpoint

We have an 'AD' type Connection to our OpenLDAP directory. We have Disabled/made Inactive accounts for departed users in the Directory, which show as Inactive in Saviynt. However, it is generating New Account tasks for these Users. (These tasks cannot complete successfully because the account still exists, disabled in OpenLDAP).

The users do fall within the Technical/Provisioning Rule for the account, but as the account is Inactive, we don't think there should be a New Account Task generated.

Setting "Disable New Account Request If Account Already Exists" in the Endpoint, and 'Check Unique Account" Rule of All in the Endpoint Account Name Rule does not prevent creation of these New Account tasks.

This is similar to "New account created for users with inactive account" but not identical, though that issue had no resolution and can no longer be commented, so I am creating a new topic.

We're trying to understand why the New Account tasks are being generated when the Inactive Account already exists on the Endpoint and is still linked to the User. Any suggestions or advice is appreciated.

Many thanks,

Ian

7 REPLIES 7

rushikeshvartak
All-Star
All-Star

Does user is linked to inactive account ?

please share account name rule


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Ian
New Contributor II
New Contributor II

Hi, thanks for your reply.

Yes, the inactive accounts are still linked, to their original user.

Account Name Rule-

SQL Query: concat('uid=',users.customproperty51,',ou=useraccounts,dc=canterbury,dc=ac,dc=nz')

Special Characters: ,=

We usually don't enforce 'Check Unique Account', but when I tried applying it in our PreProd environment, I could still replicate the New Account task behaviour.

  • Do you see same behavior with other application or is this specific to endpoint ?
  • Delete full account name rule and re-add without check Unique attribute

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Ian
New Contributor II
New Contributor II

Only this application, there is a separate Active Directory Endpoint and Connection where it is Inactive accounts are working as intended, no New Account tasks.

Thanks for the suggestion- the production system has never had 'Check Unique' attribute set, I was testing it in PreProd.

Share logs once required changes done


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Ian
New Contributor II
New Contributor II

Are you thinking of anything specific from the logs? They are very verbose.

Ian
New Contributor II
New Contributor II

To be clear, customproperty51 here stores the value used as the account uid, and continues to do so for the users with Inactive accounts