Click HERE to see how Saviynt Intelligence is transforming the industry. |
09/10/2024 07:20 PM
Provisioning Job (WSRETRYJOB) (with or without the endpoint specified) doesn't pick up any of the remove access (Active Directory) pending tasks for terminated users.
With the same configuration and job, we were able to remove access for another user just before this issue, nothing changed since then
We restarted Saviynt, created a new job, and imported AD accounts back in to sync with AD but none worked, the logs have no error
Automated provisioning is enabled is AD security system and there is no provisioning threshold set for this type of task
The logs:
Some other lines that show the job is not picking up the tasks
"2024-09-11T01:43:03.121+00:00","ecm-worker","jobs.WSRetryJob","quartzScheduler_Worker-4-wfg22","DEBUG","Found 0 pending tasks.. Ending the job.."
"2024-09-11T01:43:03.121+00:00","ecm-worker","jobs.WSRetryJob","quartzScheduler_Worker-4-wfg22","DEBUG","WSRETRYJOB End @ Wed Sep 11 01:43:03 UTC 2024"
The Job:
09/10/2024 07:37 PM
@nila_masrouri
Is the User AD account in inactive or suspended from the import state?
09/10/2024 08:11 PM
@stalluri Thank you for your response!
It's Inactive, which was the trigger initially for the user update rules.
09/10/2024 07:43 PM
#Check if the AD account is active or no
## Try mentioning the task key in the advanced Query section and check the logs closely.
09/10/2024 08:13 PM
@mahafujkhan1 Thank you for your response!
The AD account is Inactive.
I did mention the task key as well. Tried both with and without the task key and neither worked. No error instance in the logs either.
09/10/2024 09:07 PM
09/11/2024 07:14 AM
Task 3616 is a remove access task, not remove account. As you can see in the user update rule, the only action configured for a delay is the remove account action. Looks like that is being applied to other tasks generated from other actions incorrectly.
09/11/2024 09:58 AM
09/11/2024 10:24 AM
Yeah just reply and say that the task should not have gotten the 24 hour delay based on the user update rule config, it should be able to be processed immediately. This is the termination user update rule that gets triggered when importing a terminated user: there is no delay for deprovisioning access for AD accounts
09/11/2024 10:45 AM
It seems rule is updated now what is startdate
09/11/2024 07:46 PM
@nila_masrouri
Even if the role is updated, it will be used for new tasks created going forward.
The data stays the same for existing tasks, and the task will be picked after 24 hours based on your previous config.
09/10/2024 08:34 PM
Hi @nila_masrouri you have to specify the security system so that job can interpret which connection to utilize.
09/10/2024 08:50 PM
@nila_masrouri
What is the task status? Is it in a new state?
09/11/2024 09:45 AM
@nila_masrouri
Can you share the Screenshot shot of all the tasks created for the user on the active directory account?
or
Share the output of the below query
SELECT
PARENTTASK,
TASKKEY,
TASKDATE,
CASE
WHEN TASKTYPE = 1 THEN 'Add'
WHEN TASKTYPE = 2 THEN 'Delete'
WHEN TASKTYPE = 3 THEN 'New Account'
WHEN TASKTYPE = 6 THEN 'Enable Account'
WHEN TASKTYPE = 8 THEN 'Delete Account'
WHEN TASKTYPE = 12 THEN 'Update Account'
WHEN TASKTYPE = 14 THEN 'Disable Account'
ELSE 'Unknown Task Type'
END AS TASKTYPE_DESC,
ASSIGNEDFROMROLE,
ASSIGNEDFROMROLES,
ASSIGNEDFROMRULE,
ACCOUNTNAME,
endpoint,
STARTDATE,
ENDDATE,
CASE
WHEN STATUS = 1 THEN 'New'
WHEN STATUS = 2 THEN 'In Progress'
WHEN STATUS = 3 THEN 'Complete'
WHEN STATUS = 4 THEN 'Discontinued'
WHEN STATUS = 5 THEN 'Pending Create'
WHEN STATUS = 6 THEN 'Pending Provision'
WHEN STATUS = 7 THEN 'Provisioning Failed'
WHEN STATUS = 8 THEN 'Error'
WHEN STATUS = 9 THEN 'No Action Required'
ELSE 'Unknown Status'
END AS STATUS_DESC
FROM ARSTASKS
WHERE ENDPOINT = <endpoint key of Active Directory>
AND Accountkey= <Account key of the account>