Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Provisioning Job(WSRETRY JOB) doesn't pick the remove account tasks (Active Directory)

nila_masrouri
New Contributor
New Contributor

Provisioning Job (WSRETRYJOB) (with or without the endpoint specified) doesn't pick up any of the remove access (Active Directory) pending tasks for terminated users.

With the same configuration and job, we were able to remove access for another user just before this issue, nothing changed since then

We restarted Saviynt, created a new job, and imported AD accounts back in to sync with AD but none worked, the logs have no error

Automated provisioning is enabled is AD security system and there is no provisioning threshold set for this type of task

The logs:

nila_masrouri_0-1726021131654.png

Some other lines that show the job is not picking up the tasks

 "2024-09-11T01:43:03.121+00:00","ecm-worker","jobs.WSRetryJob","quartzScheduler_Worker-4-wfg22","DEBUG","Found 0 pending tasks.. Ending the job.."

"2024-09-11T01:43:03.121+00:00","ecm-worker","jobs.WSRetryJob","quartzScheduler_Worker-4-wfg22","DEBUG","WSRETRYJOB End @ Wed Sep 11 01:43:03 UTC 2024"

The Job:

nila_masrouri_1-1726021131657.png

 

 

nila_masrouri_2-1726021131658.png

 

13 REPLIES 13

stalluri
Valued Contributor II
Valued Contributor II

@nila_masrouri 

Is the User AD account in inactive or suspended from the import state?


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

@stalluri Thank you for your response!

It's Inactive, which was the trigger initially for the user update rules.

mahafujkhan1
Regular Contributor
Regular Contributor

#Check if the AD account is active or no

## Try mentioning the task key in the advanced Query section and check the logs closely.

 

@mahafujkhan1 Thank you for your response!

The AD account is Inactive.

I did mention the task key as well. Tried both with and without the task key and neither worked. No error instance in the logs either.

  • Can you run below query from data analayzer and share screenshot
  • select taskkey,status,taskdate,startdate from arstasks where taskkey=xxx

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Task 3616 is a remove access task, not remove account. As you can see in the user update rule, the only action configured for a delay is the remove account action. Looks like that is being applied to other tasks generated from other actions incorrectly.
nila_masrouri_0-1726063975642.png


nila_masrouri_2-1726064058384.png

 

 

 

 

  • select taskkey,status,taskdate,startdate,tasktype,source from arstasks where taskkey=3616
  • Your task will process tonight after 20.53 (not sure about your timezone)

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Yeah just reply and say that the task should not have gotten the 24 hour delay based on the user update rule config, it should be able to be processed immediately. This is the termination user update rule that gets triggered when importing a terminated user: there is no delay for deprovisioning access for AD accounts

nila_masrouri_0-1726075432710.png

 

It seems rule is updated now what is startdate 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

stalluri
Valued Contributor II
Valued Contributor II

@nila_masrouri 
Even if the role is updated, it will be used for new tasks created going forward.
The data stays the same for existing tasks, and the task will be picked after 24 hours based on your previous config.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

NM
Honored Contributor II
Honored Contributor II

Hi @nila_masrouri you have to specify the security system so that job can interpret which connection to utilize.

stalluri
Valued Contributor II
Valued Contributor II

@nila_masrouri 

What is the task status? Is it in a new state?


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

stalluri
Valued Contributor II
Valued Contributor II

@nila_masrouri 

Can you share the Screenshot shot of all the tasks created for the user on the active directory account?
or
Share the output of the below query

SELECT 
    PARENTTASK,
    TASKKEY,
    TASKDATE,
    CASE 
        WHEN TASKTYPE = 1 THEN 'Add'
        WHEN TASKTYPE = 2 THEN 'Delete'
        WHEN TASKTYPE = 3 THEN 'New Account'
        WHEN TASKTYPE = 6 THEN 'Enable Account'
        WHEN TASKTYPE = 8 THEN 'Delete Account'
        WHEN TASKTYPE = 12 THEN 'Update Account'
        WHEN TASKTYPE = 14 THEN 'Disable Account'
        ELSE 'Unknown Task Type'
    END AS TASKTYPE_DESC,
    ASSIGNEDFROMROLE, 
    ASSIGNEDFROMROLES, 
    ASSIGNEDFROMRULE, 
    ACCOUNTNAME, 
endpoint,
    STARTDATE, 
    ENDDATE, 
    CASE 
        WHEN STATUS = 1 THEN 'New'
        WHEN STATUS = 2 THEN 'In Progress'
        WHEN STATUS = 3 THEN 'Complete'
        WHEN STATUS = 4 THEN 'Discontinued'
        WHEN STATUS = 5 THEN 'Pending Create'
        WHEN STATUS = 6 THEN 'Pending Provision'
        WHEN STATUS = 7 THEN 'Provisioning Failed'
        WHEN STATUS = 8 THEN 'Error'
        WHEN STATUS = 9 THEN 'No Action Required'
        ELSE 'Unknown Status'
    END AS STATUS_DESC
FROM ARSTASKS
WHERE ENDPOINT = <endpoint key of Active Directory>
AND Accountkey= <Account key of the account>


 


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.