Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

'Remove Birthright Access if condition fails' flag in the technical rule is not working

SUMAIYA_BABU
Regular Contributor
Regular Contributor

We have a birthright rule to assign an account and a set of entitlements  when a user is in BU -01. When the user is updated and moves to, say BU 02, the existing access should be removed and new set of access should be added. I have two technical rules to achieve this:

when user's Bu='01' - create account and add access 1

when user's BU=02 - create account and add access2

I have checked the 'Remove Birthright Access if condition fails' flag in the technical rule. Also have an update rule to trigger these technical rules when BU is updated.

When a user's BU is updated, remove access task should be created for access1 and add access for the access2. In this case, Add access for access2 is created, but the remove access task  for access1 is not created. Is there any configuration to be turned on for this? or are we missing anything here?

Version -23.4

16 REPLIES 16

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @SUMAIYA_BABU,

Can you please first create task for remove acces and in that call for new rule to add access

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

SUMAIYA_BABU
Regular Contributor
Regular Contributor

Hi @sudeshjaiswal ,

If I invoke 'deprovision access' from update rules, it works. But I want to trigger from the birthright rules because I have many technical rule which should fail in case of movers.

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @SUMAIYA_BABU,

The option to remove BirthRight, if condition fails should work when the access is assigned as birthright from the same rule.

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

saikanumuri
Saviynt Employee
Saviynt Employee

Hi @SUMAIYA_BABU 

As @sudeshjaiswal already suggested, Checking the 'Remove Birthright if the condition fails' option under the Technical rule should work.

Please make sure you have a user update rule in place with the action as 'Rerun technical Rules' / 'Rerun selected technical rules' which in turn should evaluate the technical rules for the users that are no longer meeting the condition.

Please let us know in case you still face any issues and we can assist you further.

adityachadde
New Contributor III
New Contributor III

Hi @sudeshjaiswal,

We have a user update rule by the help of which we are running the technical rule and that technical rule is failing but still the remove access tasks are not getting created.

What could be the issue?

Best Regards,

Aditya Chadde

Saviynt_learner
Regular Contributor II
Regular Contributor II

Hi @adityachadde , @SUMAIYA_BABU ,

Have you assigned any entitlemnt to that account / user through same technical rule?

 

Few things to note here regarding technical rule:

1. Account wont be remove even if the condition fails.

2. Only Remove access tasks will be generated if condition fails.

3. Also  only access/entitlement that are granted through same birthright will be revoked.

 

So please make sure that user have both account, access  for that particular Endpoint and That too through a same technical rule.

 

If above said things are in place, it will should work.

Please let me know if this answers your question. 

Hi,

Please find the below:

1. Account won't be remove even if the condition fails.

We are looking for the remove access tasks.

2. Only Remove access tasks will be generated if condition fails.

There are No remove access tasks generated if the condition fails.

3. Also  only access/entitlement that are granted through same birthright will be revoked.

Access is granted via the birthright rule and that rule is failing but no remove access tasks are created.

 

Best Regards,

Aditya Chadde

Saviynt_learner
Regular Contributor II
Regular Contributor II

Could you please Be more precise with your response.  I quite didn't undestand when you mentioned :

There are remove access tasks generated if the condition fails.(under 2nd point)

Access is granted via the birthright rule and that rule is failing but no remove access tasks are created.(under 3rd point)

Hi,

Updated the post. There are no remove access tasks are getting created.

Mentioned in the 3rd point.

Best Regards,

Aditya Chadde

@adityachadde could you please provide the screenshot, it will help us to understand the issue better. i think it should work, if not then something  might be wrong with rule.

Hi,

PFA for screenshot

user update rule

 

adityachadde_0-1695309177366.png

Technical rule

adityachadde_1-1695309200862.png

Tasks completed

adityachadde_2-1695309271969.png

Access assigned

adityachadde_3-1695309310634.png

updated the user technical rule failed.

adityachadde_4-1695309341962.png

birthright fails option enabled

adityachadde_5-1695309433966.png

But no remove access tasks are created.

Best Regards,

Aditya Chadde

saikanumuri
Saviynt Employee
Saviynt Employee

Hi @SUMAIYA_BABU @adityachadde 

Thank you for sharing the details.

I don't see any issue with the config. However, we would need logs to investigate further and check for data issues.

I noticed you have already raised a support ticket and I would suggest sharing the latest logs over there so that our team can review them and assist you further on the ticket with the next steps.

adityachadde
New Contributor III
New Contributor III

Hi @saikanumuri,

We have shared the logs on the Saviynt ticket while raising the ticket.

Best Regards,

Aditya Chadde

BrandonLucas_BF
Regular Contributor III
Regular Contributor III

Any update on this case? We are seeing some strange behavior in our environment with birthright rules that previously ran many months without fail. Now, we see cases of not triggering remove access correctly. We are on version 23.9.

Hi @BrandonLucas_BF,

There was one rule which was incorrect because of which this feature was not working we updated the rule and verified all the rules and corrected it.

Now it is working as Expected.

Best Regards,

Aditya Chadde

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Thanks @adityachadde  for the confirmation.

Regards,
Sudesh

If you find the above response useful, Kindly Mark it as "Accept As Solution".