Hello Everyone,
We have a requirement to provision birth right access to Active Directory and Exchange based on certain user attributes. Also, some users get both AD and Exchange, some only get AD and no Email/Exchange, again, based on user attributes. Of course AD provisioning needs to be successfully complete before we trigger Exchange/Email provisioning for obvious reasons. Our design should also cater for failure scenario e.g. AD Provisioning fails for some reason and is successful after retries or may be requires manual intervention where because of some data issue, AD account is created on the platform in exception cases but then Exchange/Email provisioning is triggered from Saviynt and of course everything is consolidated back in Saviynt. We have following 2 design options and looking for feedback on what our fellow Saviynt and IAM experts think.
Design Option 1:
We define AD Provisioning Birthright Technical rule, which is marked as birth right rule so triggered as soon as user identity is created in Saviynt. This technical birthright rule contains the business logic of which users get AD account.
We define Exchange provisioning Technical rule, however this technical rule is NOT marked as birth right so it won't be triggered when user is created. This technical rule contains the business logic of which users get Email/Exchange accounts.
Now we will run a Sav4Sav job (we can run daily or couple of times a day), to check the status for AD End Point being successfully provisioned ('Active' or 'Manually Provisioned') for new users and for such users, we will populate a user profile attribute (one of the custom property, let's call it 'Is AD Provisioned') as 'Yes'. Once this property is populated, we can trigger an User Update Rule based on this custom property to trigger the Exchange Provisioning Technical rule. If AD Provisioning fails, 'Is AD Provisioning' flag won't be populated and Exchange provisioning won't trigger. If for some reason, AD account is created on the platform, it will be reconciled back and next run of Sav4Sav job will populate the custom property, triggering the update rule to trigger Exchange technical rule. Of course, once termination happens, and AD account is purged, that property needs to cleaned up for rehire scenarios etc.
Design Option 2:
We define AD Provisioning Birthright Technical rule, which is marked as birth right rule so triggered as soon as user identity is created in Saviynt. This technical birthright rule contains the business logic of which users get AD account.
We can run an actionable report (again we can schedule this report daily or as needed) and write the logic to check status for AD End Point being successfully provisioned ('Active' or 'Manually Provisioned') for new users and then write the logic to check if any such users require Exchange account in the report itself (since not every user who gets an AD Account will get exchange as per business requirement) and then based on that logic, trigger Exchange provisioning action.
We have implemented design option 1 successfully but looking for suggestions/inputs if design option 2 offers any benefits. And along the same lines, are actionable reports any better design to trigger termination action as oppose to using Rules (user update and technical rules).
Thanks,
Kunal
