
Saviynt unable to process technical rules

vvnibm2002
New Contributor

I have a technical rule as follows:

a.employeeType in ('EMP') and a.systemUserName is not null and a.statuskey = 1 and (a.customproperty26 in ('300000015225007', '300000015224271', '300000015210622', '300000014030712', '300000014030375', '300000015210603', '300000015209112', '300000015223675', '300000306493750') or a.customproperty27 in ('Facilities', 'MOW Capital Projects', 'Engineering Operations', 'Design Construction & Capacity', 'Engineering Ldshp', 'Maintenance of Way - North', 'Maintenance of Way - South', 'Communication & Signals', 'Comms, Signals & PTC Systems', '550 Water Street Corporate Facilities', 'COLOCATION FACILITY SERVICES')) and a.customproperty2 not in ('Retiree','Severance') and a.customproperty14 not in ('XXXXX_DISMISS_PAY')

If the conditions of the technical rule are satisfied, the user will be added to the group CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=xxx,DC=com

The below checkboxes are enabled for the rule:

vvnibm2002_0-1726530261729.png

 

This technical rule is triggered from a user update rule configured as follows (trigger action is when user is updated from UI):

vvnibm2002_1-1726530295856.png

An active user has got the group provisioned because the CP26 criteria was met and all other conditions satisfied successfully. When I change CP26 from 300000306493750 to 300000014585294, the user update rule is triggered but the technical rule is not processed to remove the user from the group.

This is what I see in the user update history:

vvnibm2002_0-1726530536401.png

 

Can someone point out if there is an issue in the configuration or if this is a product issue? Why would the technical rule not get processed to deprovision the user from the group? I have already opened a support ticket for this inquiry.

In the logs, I see an entry such as the below:

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-ent data not found for key 7123@#_#@1@#_#@CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com@#_#@

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-query = Select ev from Entitlement_values ev where ev.entitlementtypekey.id = 1 and ev.entitlement_value = 'CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com'

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [56117]

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [62496]
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet after = [62496]

What does this mean? What do those keys refer to?

14 REPLIES

rushikeshvartak
All-Star

Did you run the detective rules job?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

We do not intend to run detective rules jobs as part of the implementation because that tends to bring down the application and impacts all other processes within Saviynt. As per Saviynt documentation, if a tech rule is configured as birthright and revoke birth access if condition fails is enabled, isn't the tech rule supposed to revoke the entitlement when the condition is not satisfied? We have seen this behaviour (removal of entitlements) in other technical rules but this technical rule is processed only when all the conditions are satisfied.

vvnibm2002
New Contributor

In the logs, I see an entry such as the below:

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-ent data not found for key 7123@#_#@1@#_#@CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com@#_#@

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-query = Select ev from Entitlement_values ev where ev.entitlementtypekey.id = 1 and ev.entitlement_value = 'CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com'

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [56117]

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [62496]
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet after = [62496]

What does this mean? What do those keys refer to?

Is assignedfromrule populated in the account_entitlements1 table?

SELECT accentkey,
       savaccess,
       accountkey,
       arstaskkey,
       assignedfromcomprole,
       assignedfromrole,
       assignedfromroles,
       assignedfromrule,
       assignedfromchild,
       enddate,
       entitlement_valuekey
FROM   account_entitlements1
WHERE  accountkey = 111; 


Regards,
Rushikesh Vartak

stalluri
Valued Contributor

@vvnibm2002 
Check this query to see if the ASSIGNEDFROMRULE is populated for the account.

select ACCENTKEY,
       SAVACCESS,
       ACCOUNTKEY,
       ARSTASKKEY,
       ASSIGNEDFROMCOMPROLE,
       ASSIGNEDFROMROLE,
       ASSIGNEDFROMROLES,
       ASSIGNEDFROMRULE,
       ASSIGNEDFROMCHILD,
       ENDDATE,
       ENTITLEMENT_VALUEKEY
from account_entitlements1
where assignedfromrule = <place the technical rule key>
and accountkey = <account key>

Screenshot 2024-09-16 at 8.54.15 PM.png


To get the association into this table or populate the missing association:
Link: Repairing-Rule-User-Mappings 


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @stalluri - the column ASSIGNEDFROMRULE is blank in the ae1 table. We have not enabled ARS yet for AD groups so there is no way that the entitlements are assigned to users outside of the policies. This is looking to be more like a product gap.

stalluri
Valued Contributor

@vvnibm2002 
There are some issues regarding this and some gaps.
Try running the retrofit job. The value will be populated for the accounts. It will only populate the values for the entitlements that are part of the rules. 
It will not populate the values if they are assigned as part of Import for entitlements that are not part of any rule/role.

If the association is not populated after the retrofit job, create a ticket with Saviynt support.


Best Regards,
Sam Talluri

It may be possible that your import job failed and the mapping was removed. Please run the Repairing-Rule-User-Mappings mapping job to fix the mapping.


Regards,
Rushikesh Vartak

This does nothing when I trigger it from the technical rules. I just get this prompt.

vvnibm2002_0-1726591637544.png

 

Share job configuration and logs in text format


Regards,
Rushikesh Vartak

Hi @rushikeshvartak - What I am noticing is that when the subsequent HCM user import job runs to bring the user details the second time onwards, it is clearing the assignedfromrules column and the tech rule corresponding to that entitlement_valuekey is not getting processed. When I run the retrofit job to repair the user to rules mapping, that entitlement_valuekey record in ae1 table is still not getting the assignedfromrules value. Is this a product bug then?

It's a product bug; please raise a support ticket.


Regards,
Rushikesh Vartak

vvnibm2002
New Contributor

When I configured a job to retrofit all rules in the job control panel and executed it, I could see that the account_entitlements1 table got updated with rule key in the assignedfromrules column. But when the same is done from the technical rules UI, nothing happens. I am now testing to see if that will fix the issue with the triggering of technical rules.
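
A follow-up check for the behaviour discussed in this thread, as an added example that is not from any poster or from Saviynt: it lists every holder of the group together with the rule link stored in account_entitlements1, so entries with a blank assignedfromrule stand out after the retrofit job or an import has run. The joins through entitlement_values, accounts, user_accounts and users, and their key columns, are assumptions about the schema; the group DN is a placeholder.

```sql
-- Added example, not from the thread.
-- Assumed schema (not shown in the posts): entitlement_values.entitlement_valuekey,
-- accounts.accountkey/name, user_accounts.userkey/accountkey, users.userkey/username.
SELECT u.username,
       u.customproperty26,          -- attributes the technical rule evaluates
       u.customproperty27,
       a.name                AS account_name,
       ae1.accentkey,
       ae1.assignedfromrule,
       CASE
         WHEN ae1.assignedfromrule IS NULL OR ae1.assignedfromrule = ''
           THEN 'NO RULE LINK'       -- the state reported in the thread
         ELSE 'LINKED'
       END                   AS rule_link_state
FROM   account_entitlements1 ae1
       JOIN entitlement_values ev
         ON ev.entitlement_valuekey = ae1.entitlement_valuekey
       JOIN accounts a
         ON a.accountkey = ae1.accountkey
       JOIN user_accounts ua
         ON ua.accountkey = a.accountkey
       JOIN users u
         ON u.userkey = ua.userkey
WHERE  ev.entitlementtypekey = 1     -- type key taken from the logged query
  AND  ev.entitlement_value = '<group DN from the technical rule>'
ORDER  BY rule_link_state DESC, u.username;
```

Running it before and after an HCM import shows whether the import is what clears the link, and the customproperty26/27 columns show which holders no longer satisfy the rule while still holding the group.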

stalluri
Valued Contributor

@vvnibm2002 

Yes, you can do the same for all rules.
If you are still having issues with populating the values in account_entitlements1, create a support ticket.


Best Regards,
Sam Talluri