We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Role user association removal is not happening after entitlements remove access tasks are completed

piyushm
Regular Contributor II
Regular Contributor II
We have an Application role with 4 entitlements. when termination happens through Import we are calling 'deprovisioning Role', 'deprovision access' through user update rule. The entitlements mapped to role are removed for the user. But even after the remove access tasks for the mapped entitlements are completed, the Role is still not removed from the user. We can still see the role assigned in the user profile page.
 
From the logs I can see it is trying to delete the role user account association but no error or successful message after this statement
 
[quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Deleting Role_user_account association for user - Userkey and role(s) - [Role_name] using qry-select rua from Role_user_account rua where rua.userkey.id=xxxx and rua.rolekey.id in (xxx) \n"
 
[quartzScheduler_Worker-4] DEBUG services.ArsTaskService - Exit createRemoveRoleTasks new\n
 
Checking for Automated provisioning for Remove Enterprise/FF Role Request tasks null \n",
 
[quartzScheduler_Worker-4] DEBUG changeaction.UserChangeActionService - Task created for Role-Rolekey- Role_name\n"
 
 [quartzScheduler_Worker-4] DEBUG changeaction.UserChangeActionService - Exit deprovisionRole
 
 
2 REPLIES 2

ParitaSavla
Saviynt Employee
Saviynt Employee

Can you check if the user has any entries in account_entitlements1 table with assignedfromroles populated with the rolekey of the Role that you are trying to deprovision?

piyushm
Regular Contributor II
Regular Contributor II

The issue was with the order of the Action tasks. In my case the order that worked is  Update account -> Deprovision Role -> Deprovision Access ->Disable user Account.

Update account action has to be first and the disable user account the last . Earlier the Disable account action was before deprovision role action.