
SAP Provisioning - Handling multiple values in TERMINATED_USER_ROLE_ACTION

adriencosson
Valued Contributor

Hi folks,

We have a requirement for an Offboarding process to perform the following steps:

  • When the employee has left the company: Trigger a "Disable Account" Task in SAP application
  • After 14 days: Trigger "Remove Access" tasks to remove all roles assigned.
  • After 90 days: Trigger "Remove Account" tasks to perform a hard deletion of the account.

Following the SAP Documentation, we can insert in the TERMINATED_USER_ROLE_ACTION one of the following actions:

  • ENDDATE (Set enddate to roles when user gets terminated + Lock the account)
  • REMOVE (Remove the user's roles + Lock the account)
  • DELETEACCOUNT (Delete the user's account)

My requirement is to set the value dynamically based on the task type or event to trigger associated actions accordingly, but it always uses the "ENDDATE" by default when I try to set something like:

${task.tasktype==2?(null!=task.entitlement_valuekey?'REMOVE':'DELETEACCOUNT'):'ENDDATE'}

If I hardcode one of the 3 above values, they work independently.

Thanks for your help!

Regards,
Adrien COSSON

sai_sp
Saviynt Employee

Hi @adriencosson 

You cannot set a dynamic value there. You have to hardcode one of those 3 values. You can achieve your use case by setting up user update rules.

adriencosson
Valued Contributor

Hello @sai_sp ,

I have configured User Update Rules to trigger the 3 below events:

  • Disable User Account task when employee leaves the company
  • Deprovision Access with "Access Only" after 15 days of departure
  • Deprovision Access with "Accounts Only" after 30 days of departure

All tasks are well generated, but as I want the value to be "ENDDATE", then "REMOVE" and "DELETEACCOUNT" at the end, only the first one is working as expected.

As you said this can be achieved using User Update Rules, can you please let me know what I am missing here to achieve the above requirement?

Regards,
Adrien COSSON

Sampritha_r
Saviynt Employee

Hello @adriencosson 

Keep TERMINATED_USER_ROLE_ACTION as Remove to meet the above requirement.

  • Day 1 - Trigger Disable account task.
  • Day 14 - Use rules to trigger the Remove account task.
  • Day 90 - Use analytics to trigger the Delete Account task.

  1. Delete Account (Task type = 8) hard deletes the SAP Account regardless of the value (Enddate/Remove/Delete) present in Terminated_User_Role_Action. But you must trigger this task through analytics, since user update rules trigger only Remove Account (task type 2).
  2. Disable Account (Task type = 14) will lock the status of the SAP Account only; this also doesn't look into what is given in Terminated_User_Role_Action.
  3. Remove Account (Task type = 2) will look into the value present in Terminated_User_Role_Action.
      • If set to ENDDATE - it will set the lock status and it will set the enddate of saprole assignments of the user.
      • If set to REMOVE - it will set the lock status and it will set ‘Remove’ the user to saprole assignments.

adriencosson
Valued Contributor

Hi @Sampritha_r,

Thank you so much for this. Your suggestion is working as per requirement!

Regards,
Adrien COSSON