Remove Access is not triggered for remove birthright fail access

Vidhya
New Contributor III

Hi,

We have a user update rule: when departmentnumber gets updated, we create an update account task, rerun selected technical rules, and also remove birthright fail access. But only update account and add access tasks are created. Remove access doesn't trigger.

This was working perfectly fine in version 23.5, but recently we upgraded to 24.2. Since then we have encountered this problem.

Below screenshot is our user update rule:

Vidhya_0-1713409918548.pngVidhya_1-1713409941339.png

Even in all technical rules we checked remove birthright fail access. 

Can anyone please help?

Thanks,

Vidhya

24 REPLIES

Dhruv_S
Saviynt Employee

Hi @Vidhya 

Please confirm if the rule is detective or non-detective? We have seen a similar issue with detective, but it works fine if the rule is non-detective.

Regards,

Dhruv Sharma

Vidhya
New Contributor III

Hi @Dhruv_S ,

All the technical rules are non-detective.

I tried in so many ways but remove access doesn't get triggered.

Thanks,

Vidhya

Vidhya
New Contributor III

Hi @Dhruv_S ,

I have also raised a Saviynt ticket.

Thanks,

Vidhya

What if you keep re-run all instead of selected rules?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi @rushikeshvartak ,

I have even tried that, re-running all provisioning rules. But it's the same. Remove access didn't trigger.

 

Thanks,

Vidhya

Dhruv_S
Saviynt Employee

Please use the Remove if birthright fails in technical rule and re-run selected technical rule in user update rule.

Fail the birthright condition for a user and run the user update rule.

Check if both rules have run from the user history.

Regards,

Dhruv Sharma

Vidhya
New Contributor III

Hi @Dhruv_S ,

Have done this already but it still fails to generate the remove access task.

Additionally, I've created two new technical rules for testing purpose and integrated them into the user update rule (re-running the selected technical rule).

When the departmentnumber is changed only add access triggers. I can see the technical rule it ran during update is for the new department only.

Vidhya_0-1713500347292.png


Is Create Dependent Entitlement Task for Remove Access ON at the endpoint level?


Regards,
Rushikesh Vartak

Hi @rushikeshvartak ,

I did try this. But it failed to generate remove access.

 

Dhruv_S
Saviynt Employee

Hi @Vidhya 

Just tested in 24.2 and it is creating revoke task for me. 

Please find the rule and task screenshots.

Technical rule

IMG1.PNG

User update rule

Img2.PNG

Revoke task

IMG3.PNG

Also please check if there is any workflow for remove access in Security system.

Regards,

Dhruv Sharma

Vidhya
New Contributor III

Hi @Dhruv_S ,

I created a technical rule

Vidhya_0-1713502951864.png

user update rule

Vidhya_1-1713503006015.png

Remove access is not triggered when departmentnumber is updated

Vidhya_2-1713503059797.png

Yes remove access workflow is present.

Dhruv_S
Saviynt Employee

If workflow is present, please check if there is any pending request for approval.

Also please make sure that along with the user update rule condition, the birthright condition is also failing. The access should have been provided by the birthright tech rule only.

Regards,

Dhruv Sharma

Vidhya
New Contributor III

Hi @Dhruv_S 

If workflow is present, please check if there is any pending request for approval.: There are no pending requests; also, this workflow is auto approval.

Also please make sure that along with the user update rule condition, birthright condition is also getting failed. The access should have been provided by birthright tech rule only.: This is in place.

 

 

Share logs


Regards,
Rushikesh Vartak

Hi @rushikeshvartak ,

 

Please find the logs

Vidhya
New Contributor III

Hi,

I created two simple technical rules (test rule1, Test_Rule) and a user update rule (test rule update) where I rerun these technical rules when the user's departmentnumber is updated. When I updated departmentnumber, only add access got triggered. Remove Access was not triggered.

I saw the below message in policies->execution trail. It says createTasksForRemoveBirthrightAccess but doesn't really create remove access tasks.
 
 
@%@%_@%{"hanaRuleId":"22","objvalue":"2","actionname":"createUpdateAccountTask","users":[521]}@%@%_@%{"hanaRuleId":"22","technicalRules":"33,44,55,45,56,34,46,35,36,37,38,39,29,40,51,41,30,42,31,32,43,54,10","birthright":false,"actionname":"rerunProvisionRule","users":[521]}@%@%_@%{"actionname":"createTasksForRemoveBirthrightAccess"}@%@%_@%{"hanaRuleId":"60","objvalue":"2","actionname":"createUpdateAccountTask","users":[521]}@%@%_@%{"hanaRuleId":"60","technicalRules":"58,59","birthright":false,"actionname":"rerunProvisionRule","users":[521]}
 
Also found below in logs:

rtExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Exit createTasksRemoveRoleBirthrightAccess"
"2024-04-22T03:13:20.883+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Map with user access to remove = [521:[]]"
"2024-04-22T03:13:20.883+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Start Creating Tasks For Remove Birthright Access"
"2024-04-22T03:13:20.883+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","start createTasksForRemoveBirthrightAccess"
"2024-04-22T03:13:20.885+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","checksql = "
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," SELECT CONCAT(USERKEY,'_',ACCOUNTKEY,'_',ENDPOINT,'_',OWNERTYPE,'_',OWNERKEY,'_',SECURITYSYSTEM,'_',ENTITLEMENT_VALUEKEY) AS RESULT"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," FROM ARSTASKS WHERE STATUS in ("
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 1,2,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 6,7,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 5"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," ) AND TASKTYPE=2"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," AND ARSTASKS.USERKEY IN (521)"
"2024-04-22T03:13:20.885+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Retrieving Unique Existing Open Revoke Access Tasks: "
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," SELECT CONCAT(USERKEY,'_',ACCOUNTKEY,'_',ENDPOINT,'_',OWNERTYPE,'_',OWNERKEY,'_',SECURITYSYSTEM,'_',ENTITLEMENT_VALUEKEY) AS RESULT"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," FROM ARSTASKS WHERE STATUS in ("
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 1,2,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 6,7,"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," 5"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," ) AND TASKTYPE=2"
"2024-04-22T03:13:21.638+00:00","ecm-worker","","null-6rcqb",""," AND ARSTASKS.USERKEY IN (521)"
"2024-04-22T03:13:20.886+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright is : 1"
"2024-04-22T03:13:20.886+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Tasks retrieved: 0"
"2024-04-22T03:13:20.886+00:00","ecm-worker","services.SaviyntCommonUtilityService","quartzScheduler_Worker-8-6rcqb","DEBUG","considerassignedfromrole = true"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = []"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","assignedFromRole=null , assignedFromRoles=null"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","isassignedfromrole = false"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 1605 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","In else of (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright for the userkey 521 , accountkey : 8119 and entkey 1605 is : 3"
"2024-04-22T03:13:20.889+00:00","ecm-worker","services.SaviyntCommonUtilityService","quartzScheduler_Worker-8-6rcqb","DEBUG","considerassignedfromrole = true"
"2024-04-22T03:13:20.891+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = []"
"2024-04-22T03:13:20.891+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","assignedFromRole=null , assignedFromRoles=null"
"2024-04-22T03:13:20.891+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","isassignedfromrole = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 2227 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","In else of (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.892+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright for the userkey 521 , accountkey : 8119 and entkey 2227 is : 3"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","Total execution time for detective job to remove birthright loop is : 9"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","End Processing for user list [[ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:1605, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null], [ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:2227, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null]]"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","End Creating Tasks For Remove Birthright Access"
"2024-04-22T03:13:20.895+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","userkey to process = 521 completed"
"2024-04-22T03:13:20.895+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Exit removeBirthRightAccess"
"2024-04-22T03:13:20.895+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","RULERUNJOB ==> Remove BirthRight Fail Access ACTION_ENDED "
"2024-04-22T03:13:20.896+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","RULERUNJOB ==> Create Update Account Task ACTION_STARTED "
"2024-04-22T03:13:20.896+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Enter UserChangeActionService : createUpdateAccountTask"

I'm not sure why remove access tasks are not created. Can anyone please help?

Dhruv_S
Saviynt Employee

Please do the following and confirm if it works.

1. Fail the birthright condition for a user which is assigned access through birthright rule.

2. Go to Global configuration-Enable rule retrofit (repair rule to user mappings)- select the checkbox.

3. Then go to technical rule details - On the top right- click on 'Repair Rule to User Mappings'. Repair Rule to User Mappings runs retrofit rule job in the backend

Post this, see if the revoke task got created.

Vidhya
New Contributor III

Hi @Dhruv_S ,

 

Thank you !

I did as you said above and remove access got triggered.

Vidhya_0-1713855554989.png

Could you please explain to me why we used Enable rule retrofit (repair rule to user mappings)?

Thanks,

Vidhya

 

Vidhya
New Contributor III

Hi @Dhruv_S ,

 

Can I select all of my technical rules and click on 'Repair Rule to User Mappings'?

Does this take time?

 

Thanks,

Vidhya

Dhruv_S
Saviynt Employee

While removing the access for birthright fail condition, it checks if the access is assigned through birthright rule in Database table. 

If the mapping is absent in DB, revoke tasks don't get created. Retrofit job fixes this mapping. Hence the revoke tasks get created if the condition fails since mapping is present now. You can schedule the retrofit job to run at scheduled intervals so that this is taken care of automatically every time rather than manually running it from the rule.

Regards,

Dhruv Sharma
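
The check described in this reply is visible in the DEBUG log posted earlier in the thread. As an added example (not Saviynt code and not part of the original posts), this Python script parses three of those log lines and lists users whose removal list is empty and entitlements whose ASSIGNEDFROMRULE field is null; reading that field as the rule-to-user mapping is an assumption, as is the function name `analyse`.

```python
import csv
import io
import re

# Three DEBUG lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r'''"2024-04-22T03:13:20.883+00:00","ecm-worker","changeaction.UserChangeActionService","quartzScheduler_Worker-8-6rcqb","DEBUG","Map with user access to remove = [521:[]]"
"2024-04-22T03:13:20.889+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","accessSet = [] , entkey = 1605 , assignedFromRole = null , (accessSet != null && accessSet.size() > 0 && accessSet.contains(entkey) && !isassignedfromrole) = false"
"2024-04-22T03:13:20.895+00:00","ecm-worker","saviynt.ImportExternalDbService","quartzScheduler_Worker-8-6rcqb","DEBUG","End Processing for user list [[ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:1605, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null], [ACCOUNTKEY:8119, NAME:dname, ENDPOINTKEY:2, ENTITLEMENT_VALUEKEY:2227, SYSTEMID:2, USERKEY:521, ASSIGNEDFROMROLE:null, ASSIGNEDFROMRULE:null, ASSIGNEDFROMROLES:null]]"
'''

REMOVE_MAP = re.compile(r"Map with user access to remove = \[(\d+):\[(.*?)\]\]")
RECORD = re.compile(r"\[(ACCOUNTKEY:[^\[\]]*)\]")


def analyse(log_text):
    """Return (users with an empty removal list, (userkey, entkey) pairs with no rule)."""
    empty_users, unmapped = [], []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue  # truncated or malformed line, e.g. the cut-off first log line
        message = row[5]
        m = REMOVE_MAP.search(message)
        if m and not m.group(2).strip():
            empty_users.append(int(m.group(1)))
        if message.startswith("End Processing for user list"):
            for body in RECORD.findall(message):
                rec = dict(f.split(":", 1) for f in body.split(", ") if ":" in f)
                # Assumption: ASSIGNEDFROMRULE:null means no rule-to-user mapping.
                if rec.get("ASSIGNEDFROMRULE") == "null":
                    unmapped.append((int(rec["USERKEY"]),
                                     int(rec["ENTITLEMENT_VALUEKEY"])))
    return empty_users, unmapped


if __name__ == "__main__":
    users, unmapped = analyse(SAMPLE_LOG)
    print("users with nothing queued for removal:", users)
    for userkey, entkey in unmapped:
        print(f"user {userkey}: entitlement {entkey} has no ASSIGNEDFROMRULE value")
```

Running the same function over the log after the retrofit job shows whether the listed entitlements now carry a rule value.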

Vidhya
New Contributor III

Hi @Dhruv_S ,

But this was triggered once, I am testing it again it doesn't trigger this time I selected all technical rules and clicked on Repair Rule to User Mappings.

Thanks,

Vidhya

Dhruv_S
Saviynt Employee

Have you tried on a different user or the same user? There might be previous open tasks or some other issue, like a condition mismatch or something else. Also, when you run the retrofit rule job, please wait for some time and check again.

Vidhya
New Contributor III

I tried with a different user. Sure.

 

Thanks,

Vidhya

Dhruv_S
Saviynt Employee

Hi @Vidhya 

Please let us know if the issue is resolved.

Regards,

Dhruv Sharma