Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Provisioning Exchange account after AD account is provisioned

kunal_saxena
Regular Contributor
Regular Contributor

Hello Everyone,

We have a requirement to provision birth right access to Active Directory and Exchange based on certain user attributes. Also, some users get both AD and Exchange, some only get AD and no Email/Exchange, again, based on user attributes. Of course AD provisioning needs to be successfully complete before we trigger Exchange/Email provisioning for obvious reasons. Our design should also cater for failure scenario e.g. AD Provisioning fails for some reason and is successful after retries or may be requires manual intervention where because of some data issue, AD account is created on the platform in exception cases but then Exchange/Email provisioning is triggered from Saviynt and of course everything is consolidated back in Saviynt. We have following 2 design options and looking for feedback on what our fellow Saviynt and IAM experts think.

Design Option 1:

We define AD Provisioning Birthright Technical rule, which is marked as birth right rule so triggered as soon as user identity is created in Saviynt. This technical birthright rule contains the business logic of which users get AD account.

We define Exchange provisioning Technical rule, however this technical rule is NOT marked as birth right so it won't be triggered when user is created. This technical rule contains the business logic of which users get Email/Exchange accounts.

Now we will run a Sav4Sav job (we can run daily or couple of times a day), to check the status for AD End Point being successfully provisioned ('Active' or 'Manually Provisioned') for new users and for such users, we will populate a user profile attribute (one of the custom property, let's call it 'Is AD Provisioned') as 'Yes'. Once this property is populated, we can trigger an User Update Rule based on this custom property to trigger the Exchange Provisioning Technical rule. If AD Provisioning fails, 'Is AD Provisioning' flag won't be populated and Exchange provisioning won't trigger. If for some reason, AD account is created on the platform, it will be reconciled back and next run of Sav4Sav job will populate the custom property, triggering the update rule to trigger Exchange technical rule. Of course, once termination happens, and AD account is purged, that property needs to cleaned up for rehire scenarios etc.

Design Option 2:

We define AD Provisioning Birthright Technical rule, which is marked as birth right rule so triggered as soon as user identity is created in Saviynt. This technical birthright rule contains the business logic of which users get AD account.

We can run an actionable report (again we can schedule this report daily or as needed) and write the logic to check status for AD End Point being successfully provisioned ('Active' or 'Manually Provisioned') for new users and then write the logic to check if any such users require Exchange account in the report itself (since not every user who gets an AD Account will get exchange as per business requirement) and then based on that logic, trigger Exchange provisioning action.

We have implemented design option 1 successfully but looking for suggestions/inputs if design option 2 offers any benefits. And along the same lines, are actionable reports any better design to trigger termination action as oppose to using Rules (user update and technical rules).

Thanks,

Kunal

3 REPLIES 3

pruthvi_t
Saviynt Employee
Saviynt Employee

Hi @kunal_saxena ,

Greetings.

In the design option 2, can you please elaborate on how you're planning to trigger Exchange provisioning option. Because, in actionable analytics you won't be able to trigger new account creation tasks as actionable analytics need 'Acctkey' (account key) to create tasks for account related actions. In this case, account key will not be available as we're still trying to create a new account.

So please elaborate on how you're trying to achieve same from actionable analytics.

Thanks,


Regards,
Pruthvi

kunal_saxena
Regular Contributor
Regular Contributor

Hi @pruthvi_t ,

Thank you for your response, we missed the part around AcctKey and also, we don't see a 'Create Account' action while creating a report/Analytics so Design Option 2 is not viable. Do you see any issue with Design Option 1 and using Sav4Sav job using new REST connector approach to update CP on user profile and triggering update rule, which in turns trigger Technical Rule to provision Exchange account?

Thanks,

Kunal

pruthvi_t
Saviynt Employee
Saviynt Employee

@kunal_saxena ,

Option 1 looks good and since you've implemented it already, please let us know i you've faced any roadblocks as such. 

Thanks,


Regards,
Pruthvi