
Prevent Modify Account Request for Inactive Accounts in ARS

adriencosson
Valued Contributor

Hi folks,

We need to implement the following for Access Request, and we are struggling with the last piece of configuration:

  • For Active Accounts:
    • Enable to request for Modify Account Request: Achieved by turning the "Disable Modify Account" option OFF in endpoint
    • Enable to request for Disable Account Request: Achieved by adding "Disable" on State and Status Fields in endpoint
  • For Inactive Accounts:
    • Enable to request for Enable Account Request: Achieved by enabling "Show Inactive Accounts" in Global Config + adding "Enable" on State and Status Fields in endpoint
    • Prevent from doing Modify Account Request: To be achieved

Because "Show Inactive Accounts" is enabled in Global Config, and the Modify Account operation is enabled in the endpoint too, is there a way to prevent Inactive Accounts from having "Modify Account" requests performed?

Regards,
Adrien COSSON

NM
Honored Contributor III

Hi @adriencosson, OOTB it is not possible to restrict an inactive user from raising a modify account request, but as a workaround you can create a dynamic attribute, auto-populate the value if the account is active, and tick "hide in create".


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

rushikeshvartak
All-Star

You can achieve this using dynamic attributes.

https://forums.saviynt.com/t5/identity-governance/in-access-request-user-should-be-shown-entitlement...

For you, the query will be:

SELECT CASE
         WHEN a.status = 2 THEN 'You are not authorized to request Please select back button to remove application.'
         ELSE 'You are authorized to raise request for user.'
       END AS id
FROM users u, user_accounts ua, accounts a
WHERE u.userkey = '${user.id}'
  AND ua.accountkey = a.accountkey
  AND ua.userkey = u.userkey
  AND a.endpointkey = 10

 


Regards,
Rushikesh Vartak

Ok @rushikeshvartak,

So I need to make this attribute significantly visible to ensure end users do not submit the request.

Additionally, we need to configure the approval workflow to automatically reject the request if it gets submitted with the message 'You are not authorized...', correct?

Regards,
Adrien COSSON

  • From the end user's perspective, there should be a clear message shown
  • Hence the attribute should be visible to the end user: why they are not able to submit the request.

Regards,
Rushikesh Vartak

adriencosson
Valued Contributor

Hi @NM,

If I understand correctly, your workaround is to remove the "Enable" from State and Status Fields and manage it through a dynamic attribute that would help update the account status during a Modify Account request, right?

However, whenever an account is Inactive, and you perform a "Modify Account" request, the system considers it as a "New Account" request.

Also, the "Update Account" won't get triggered for an Inactive account, hence we must trigger "Enable Account" at some point.

Regards,
Adrien COSSON

NM
Honored Contributor III

Hi @adriencosson, nope, we will still require "Enable" in the state field, as at some point we need to enable it.

So for an inactive account, if they try to modify the request, we will have a dynamic attribute which is required and has a SQL query to check if the account is active; then the user can submit the request, otherwise... We can have that check in SQL; as it is required, it won't allow them to submit the request.



adriencosson
Valued Contributor

Got it @NM,

Then how can you prevent end users from submitting an access request if the dynamic attribute does not match, since we cannot have a "Validation Condition" for a dynamic attribute in the Endpoint?

Regards,
Adrien COSSON

NM
Honored Contributor III

@adriencosson, if the DA is not automatically filled with a value, it won't allow an inactive user to submit a request.

The SQL query in the DA will check the user's account in the same endpoint to see whether it is active or not; if active, populate a value, otherwise not.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'
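
The "populate a value only when the account is active" query described in the last reply can be exercised offline before it is pasted into a dynamic attribute. This is an added example, not code from the thread or from Saviynt: it uses Python's sqlite3 with the table and column names from the query posted earlier and constructed rows. Assumptions: `build_db`, `gate_value` and `GATE_QUERY` are hypothetical names, status 1 means active, and a user holding both an active and an inactive account on the endpoint is blocked.

```python
import sqlite3

# Table and column names follow the query posted in this thread; rows are constructed.
# Status 2 = inactive as in that query; status 1 = active is an assumption.
SCHEMA = """
CREATE TABLE users (userkey INTEGER PRIMARY KEY);
CREATE TABLE accounts (accountkey INTEGER PRIMARY KEY, endpointkey INTEGER, status INTEGER);
CREATE TABLE user_accounts (userkey INTEGER, accountkey INTEGER);
INSERT INTO users VALUES (101), (102), (103);
INSERT INTO accounts VALUES (1, 10, 1), (2, 10, 2), (3, 10, 1), (4, 10, 2), (5, 99, 1);
INSERT INTO user_accounts VALUES (101, 1), (102, 2), (102, 5), (103, 3), (103, 4);
"""

# One row when the user holds accounts on the endpoint and none is inactive,
# otherwise zero rows, so a required attribute fed by it stays empty.
# The "?" placeholders stand in for '${user.id}' and the endpoint key (10 in the thread).
GATE_QUERY = """
SELECT 'ACTIVE' AS id
FROM users u
JOIN user_accounts ua ON ua.userkey = u.userkey
JOIN accounts a ON a.accountkey = ua.accountkey
WHERE u.userkey = ? AND a.endpointkey = ?
GROUP BY u.userkey
HAVING SUM(CASE WHEN a.status = 2 THEN 1 ELSE 0 END) = 0
"""

def build_db():
    """Create the constructed in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def gate_value(conn, userkey, endpointkey=10):
    """Return the value the attribute would receive, or None when the query yields no row."""
    row = conn.execute(GATE_QUERY, (userkey, endpointkey)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    for key in (101, 102, 103, 999):
        print(key, gate_value(db, key))
```

User 103 shows the multi-account case: the CASE query posted earlier would return two rows for that user (one per account), while this query returns none.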