
Parent Child Endpoint AD Mappings - Removing access on expiry

chandu_k09
New Contributor III

We have an Active Directory implementation using a parent security system, parent endpoint, and child endpoints approach using endpoint filters. 

Parent Endpoint 

   - Parent account1 -> App1 Entitlement Startdate: 2023-09-20   Enddate: 2023-09-25

Child App1 Endpoint

     - Child account1   -> App1 Entitlement Startdate: 2023-09-20   Enddate: 2023-09-25

We noticed that when we request to add an entitlement through ARS (Add access), the start and end dates are stored in both the parent account and the child account. So when the time comes for access expiration, two tasks get created for Remove Access: one task for the parent and one for the child.

[Screenshot: Untitled.png]

When WSRETRY is run, it completes one task from the Parent account and removes access in both child and parent. But the child account's remove task remains in pending state with an error because the entitlement was already removed. Error: "Error while delete operation"

Any way we can make it so that only one Remove Task is created? 

2 REPLIES

prasannta
Saviynt Employee

Hi @chandu_k09 

Can you confirm if the entitlements for both endpoints are pointing to the same entitlement? As per your screenshot, the entitlements for both endpoints seem to be different. Please clarify if the entitlements are the same or are different entitlements having a parent-child relationship.

I am trying to replicate this scenario in my local environment to reproduce the issue and would need more details to proceed further.

Thanks

chandu_k09
New Contributor III

Hi,

They are the same entitlements. Just the displayname was not set in one. The first one you see is from the Parent endpoint, and the second is from the child. Thanks for looking into this.