04/17/2024 08:16 PM
Hi,
We have a user update rule: when departmentnumber gets updated, we create an update account task, re-run selected technical rules, and also remove birthright fail access. But only update account and add access tasks are created. Remove access doesn't trigger.
This was working perfectly fine in version 23.5, but recently we upgraded to 24.2. Since then we have encountered this problem.
Below screenshot is our user update rule:
Even in all technical rules we checked remove birthright fail access.
Can anyone please help?
Thanks,
Vidhya
04/18/2024 06:42 AM
Hi @Vidhya
Please confirm if the rule is detective or non-detective? We have seen a similar issue with detective, but it works fine if the rule is non-detective.
Regards,
Dhruv Sharma
04/18/2024 06:46 AM
Hi @Dhruv_S ,
All the technical rules are non-detective.
I tried in so many ways but remove access doesn't get triggered.
Thanks,
Vidhya
04/18/2024 06:48 AM
04/18/2024 07:48 PM
What if you keep re-run all instead of selected rules?
04/18/2024 08:14 PM
Hi @rushikeshvartak ,
I have even tried that, re-running all provisioning rules. But it's the same. Remove access didn't trigger.
Thanks,
Vidhya
04/18/2024 09:10 PM
Please use the Remove if birthright fails in technical rule and re-run selected technical rule in user update rule.
Fail the birthright condition for a user and run the user update rule.
Check if both rules have run from the user history.
Regards,
Dhruv Sharma
04/18/2024 09:22 PM
Hi @Dhruv_S ,
Have done this already but it still fails to generate the remove access task.
Additionally, I've created two new technical rules for testing purpose and integrated them into the user update rule (re-running the selected technical rule).
When the departmentnumber is changed, only add access triggers. I can see the technical rule it ran during the update is for the new department only.
04/18/2024 09:26 PM
Is Create Dependent Entitlement Task for Remove Access ON at the endpoint level?
04/18/2024 09:29 PM
04/18/2024 09:32 PM - edited 04/18/2024 09:34 PM
Hi @Vidhya
Just tested in 24.2 and it is creating revoke task for me.
Please find the rule and task screenshots.
Technical rule
User update rule
Revoke task
Also please check if there is any workflow for remove access in Security system.
Regards,
Dhruv Sharma
04/18/2024 10:05 PM
Hi @Dhruv_S ,
I created a technical rule
user update rule
Remove access is not triggered when departmentnumber is updated
Yes remove access workflow is present.
04/18/2024 10:13 PM
If workflow is present, please check if there is any pending request for approval.
Also please make sure that along with the user update rule condition, the birthright condition is also getting failed. The access should have been provided by the birthright tech rule only.
Regards,
Dhruv Sharma
04/18/2024 10:16 PM
Hi @Dhruv_S
If workflow is present, please check if there is any pending request for approval: There are no pending requests; also, this workflow is auto approval.
Also please make sure that along with the user update rule condition, the birthright condition is also getting failed. The access should have been provided by the birthright tech rule only: This is in place.
04/18/2024 10:15 PM
Share logs
04/18/2024 10:28 PM
04/21/2024 08:57 PM
Hi,
rtExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Exit createTasksRemoveRoleBirthrightAccess"
"2024-04-22T03:13:20.883+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Map with user access to remove = [521:[]]"
"2024-04-22T03:13:20.883+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Start Creating Tasks For Remove Birthright Access"
"2024-04-22T03:13:20.883+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","start createTasksForRemoveBirthrightAccess"
"2024-04-22T03:13:20.885+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","checksql = "
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," SELECT CONCAT(USERKEY,'_',ACCOUNTKEY,'_',ENDPOINT,'_',OWNERTYPE,'_',OWNERKEY,'_',SECURITYSYSTEM,'_',ENTITLEMENT_VALUEKEY) AS RESULT"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," FROM ARSTASKS WHERE STATUS in ("
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 1,2,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 6,7,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 5"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," ) AND TASKTYPE=2"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," AND ARSTASKS.USERKEY IN (521)"
"2024-04-22T03:13:20.885+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Retrieving Unique Existing Open Revoke Access Tasks: "
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," SELECT CONCAT(USERKEY,'_',ACCOUNTKEY,'_',ENDPOINT,'_',OWNERTYPE,'_',OWNERKEY,'_',SECURITYSYSTEM,'_',ENTITLEMENT_VALUEKEY) AS RESULT"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," FROM ARSTASKS WHERE STATUS in ("
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 1,2,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 6,7,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 5"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," ) AND TASKTYPE=2"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," AND ARSTASKS.USERKEY IN (521)"
"2024-04-22T03:13:20.886+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright is : 1"
"2024-04-22T03:13:20.886+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Tasks retrieved: 0"
"2024-04-22T03:13:20.886+00:00","ecm-worker","services.SaviyntCommonUtilityService","quartzScheduler_Worker-8-6rcqb","DEBUG","considerassignedfromrole = true"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = []"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","assignedFromRole=null , assignedFromRoles=null"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","isassignedfromrole = false"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 1605 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","In else of (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright for the userkey 521 , accountkey : 8119 and entkey 1605 is : 3"
"2024-04-22T03:13:20.889+00:00","ecm-worker","services.SaviyntCommonUtilityService","quartzScheduler_Worker-8-6rcqb","DEBUG","considerassignedfromrole = true"
"2024-04-22T03:13:20.891+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = []"
"2024-04-22T03:13:20.891+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","assignedFromRole=null , assignedFromRoles=null"
"2024-04-22T03:13:20.891+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","isassignedfromrole = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 2227 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","In else of (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright for the userkey 521 , accountkey : 8119 and entkey 2227 is : 3"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright loop is : 9"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","End Processing for user list [[ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:1605, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null], [ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:2227, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null]]"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","End Creating Tasks For Remove Birthright Access"
"2024-04-22T03:13:20.895+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","userkey to process = 521 completed"
"2024-04-22T03:13:20.895+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Exit removeBirthRightAccess"
"2024-04-22T03:13:20.895+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","RULERUNJOB ==> Remove BirthRight Fail Access ACTION_ENDED "
"2024-04-22T03:13:20.896+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","RULERUNJOB ==> Create Update Account Task ACTION_STARTED "
"2024-04-22T03:13:20.896+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Enter UserChangeActionService : createUpdateAccountTask"
I'm not sure why remove access tasks are not created. Can anyone please help?
04/22/2024 11:45 PM
Please do the following and confirm if it works.
1. Fail the birthright condition for a user which is assigned access through birthright rule.
2. Go to Global configuration - Enable rule retrofit (repair rule to user mappings) - select the checkbox.
3. Then go to technical rule details - on the top right - click on 'Repair Rule to User Mappings'. Repair Rule to User Mappings runs the retrofit rule job in the backend.
Post this, see if the revoke task got created.
04/23/2024 12:00 AM
Hi @Dhruv_S ,
Thank you !
I did as you said above and remove access got triggered.
Could you please explain to me why we used Enable rule retrofit (repair rule to user mappings)?
Thanks,
Vidhya
04/23/2024 12:15 AM
Hi @Dhruv_S ,
Can I select all of my technical rules and click on 'Repair Rule to User Mappings'?
Does this take time?
Thanks,
Vidhya
04/23/2024 12:17 AM
While removing the access for the birthright fail condition, it checks in the database table whether the access was assigned through the birthright rule.
If the mapping is absent in the DB, revoke tasks don't get created. The retrofit job fixes this mapping. Hence the revoke tasks get created if the condition fails, since the mapping is present now. You can schedule the retrofit job to run at scheduled intervals so that this is taken care of automatically every time, rather than manually running it from the rule.
Regards,
Dhruv Sharma
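An added example, not part of any post in this thread and not Saviynt code: a Python sketch that scans ecm-worker debug lines like those posted above and lists entitlements whose remove-birthright check was skipped with an empty accessSet and ASSIGNEDFROMRULE:null. Reading that pattern as the missing rule-to-user mapping described in the reply above is an assumption; the function and variable names are hypothetical.

```python
import csv
import io
import re

# Three lines copied from the debug log posted earlier in this thread.
SAMPLE_LOG = r'''
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 1605 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 2227 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","End Processing for user list [[ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:1605, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null], [ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:2227, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null]]"
'''

# Per-entitlement check line: captures accessSet contents, entkey and the result.
COND_RE = re.compile(
    r"accessSet = \[(?P<aset>[^\]]*)\] , entkey = (?P<ent>\d+) .*= (?P<res>true|false)$")
# One [KEY:value, ...] record inside the "End Processing for user list" message.
RECORD_RE = re.compile(r"\[([A-Z_]+:[^\[\]]*)\]")

def parse_records(message):
    """Turn the 'End Processing for user list [[...], [...]]' message into dicts."""
    return [dict(pair.split(":", 1) for pair in body.split(", "))
            for body in RECORD_RE.findall(message)]

def find_skipped_revokes(log_text):
    """Return entitlements skipped with an empty accessSet and no ASSIGNEDFROMRULE.

    Assumption: this pattern corresponds to the missing rule-to-user mapping
    described in the reply above.
    """
    skipped, records = set(), {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue  # blank or truncated line
        msg = row[5]
        m = COND_RE.match(msg)
        if m and m["res"] == "false" and not m["aset"].strip():
            skipped.add(m["ent"])
        elif msg.startswith("End Processing for user list"):
            for rec in parse_records(msg):
                records[rec["ENTITLEMENT_VALUEKEY"]] = rec
    return [{"userkey": records[e]["USERKEY"],
             "accountkey": records[e]["ACCOUNTKEY"], "entkey": e}
            for e in sorted(skipped)
            if records.get(e, {}).get("ASSIGNEDFROMRULE") == "null"]

if __name__ == "__main__":
    for hit in find_skipped_revokes(SAMPLE_LOG):
        print(hit)
```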
04/23/2024 12:36 AM
Hi @Dhruv_S ,
But this was triggered once. I am testing it again and it doesn't trigger; this time I selected all technical rules and clicked on Repair Rule to User Mappings.
Thanks,
Vidhya
04/23/2024 12:43 AM
Have you tried on a different user or the same user? There might be previous open tasks or some other issue, like a condition mismatch or something else. Also, when you run the retrofit rule job, please wait for some time and check again.
04/23/2024 12:45 AM
I tried with a different user. Sure.
Thanks,
Vidhya
04/24/2024 12:23 AM