07/16/2024 02:39 PM - edited 07/16/2024 04:10 PM
Hi, we are seeing an issue where we have enterprise roles assigned to users, and when the technical rule that assigned them no longer evaluates to true for the condition logic, no remove access tasks get generated. I have confirmed the user update rule is triggering because I see all the other actions firing off appropriately and am seeing the Add Access tasks being generated for the newly assigned role.
You can see in this screenshot that the user update history shows the user update rule triggered, and you can see where I created a test user update rule to just re-evaluate that target technical rule, where it also triggers but no remove access tasks are generated.
This screenshot shows the technical rule configuration
Any ideas on what I am overlooking here?
EDIT: I believe the issue lies with the user not being associated with the technical rule, as shown in this screenshot. I also ran the repair option shown in the screenshot and still no remove access tasks were generated. The only way I am able to get them generated is by going to the enterprise role and manually removing the user there, which is not what we want.
07/16/2024 04:43 PM
What is the request option for the entitlement underlying the enterprise role?
Validate under endpoint - entitlement type - request option (it should be none create task / table) and not NONE.
07/16/2024 07:15 PM
I already have that set to "Table". The remove access tasks only seem to generate if I manually remove the user from the role or if I use the de-provision role action in the user update rule, neither of which is what we're wanting to happen.
07/16/2024 08:12 PM
07/17/2024 06:34 AM
Won't this remove all roles though? Only the ones that fail to evaluate to true from technical rules should be removed. We're not trying to remove all roles. This is a user transfer process, so only those that don't evaluate to true for their job should be removed.
07/17/2024 08:02 AM
I configured a test user update rule with action as such
and remove access tasks are still not generating.
07/17/2024 03:25 PM
Check the assignedfromrule column in the arstasks table.
07/16/2024 08:38 PM
Hi @jralexander137, was the enterprise role assigned to the user via the same technical rule?
07/17/2024 06:35 AM
Yes. The technical rule shows no users associated with it
07/17/2024 12:12 PM
Yes.
07/17/2024 06:42 AM
Hi @jralexander137, if the role wasn't via technical rule, it won't be removed if the condition fails.
07/17/2024 06:46 AM
It was assigned by the technical rule; looks like it's not mapped at the DB level for some reason. All this role assignment and provisioning is done through technical rules; no one is manually assigning any roles.
08/02/2024 12:11 PM
This needs to be taken through a Freshservice ticket. The rule repair job is not assigning the key at the DB level. This is working for a new rule when tested. Please follow through on that.
08/02/2024 01:01 PM
Thanks for that confirmation. I already have an open ticket with support and am waiting to hear back from engineering.