09/20/2023 09:53 AM - edited 09/20/2023 10:09 AM
We have an Active Directory implementation using a parent security system, parent endpoint, and child endpoints approach using endpoint filters.
Parent Endpoint
- Parent account1 -> App1 Entitlement Startdate: 2023-09-20 Enddate: 2023-09-25
Child App1 Endpoint
- Child account1 -> App1 Entitlement Startdate: 2023-09-20 Enddate: 2023-09-25
We noticed that when we request adding an entitlement through ARS (Add access), the start and end dates are stored in both the parent account and the child account. So when the time comes for access expiration, two tasks get created for Remove Access: one task for the parent and one for the child.
When WSRETRY is run, it completes one task from the parent account and removes access in both the child and the parent. But the child account's remove task remains in a pending state with an error because the entitlement was already removed. Error: "Error while delete operation"
Is there any way we can make it so that only one Remove Task is created?
09/22/2023 01:48 PM
Hi @chandu_k09
Can you confirm whether the entitlements for both endpoints are pointing to the same entitlement? As per your screenshot, the entitlements for both endpoints seem to be different. Please clarify whether the entitlements are the same, or different entitlements having a parent-child relationship.
I am trying to replicate this scenario in my local environment and would need more details to proceed further.
Thanks
09/25/2023 12:22 PM
Hi,
They are the same entitlements. Just the displayname was not set in one. The first one you see is from the parent endpoint, and the second is from the child. Thanks for looking into this.