09/16/2024 04:47 PM - edited 09/16/2024 05:26 PM
I have a technical rule as follows:
a.employeeType in ('EMP') and a.systemUserName is not null and a.statuskey = 1 and (a.customproperty26 in ('300000015225007', '300000015224271', '300000015210622', '300000014030712', '300000014030375', '300000015210603', '300000015209112', '300000015223675', '300000306493750') or a.customproperty27 in ('Facilities', 'MOW Capital Projects', 'Engineering Operations', 'Design Construction & Capacity', 'Engineering Ldshp', 'Maintenance of Way - North', 'Maintenance of Way - South', 'Communication & Signals', 'Comms, Signals & PTC Systems', '550 Water Street Corporate Facilities', 'COLOCATION FACILITY SERVICES')) and a.customproperty2 not in ('Retiree','Severance') and a.customproperty14 not in ('XXXXX_DISMISS_PAY')
If the conditions of the technical rule are satisfied, the user will be added to the group CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=xxx,DC=com
The below checkboxes are enabled for the rule:
This technical rule is triggered from a user update rule configured as follows (trigger action is when user is updated from UI):
An active user has got the group provisioned because the CP26 criteria was met and all other conditions satisfied successfully. When I change CP26 from 300000306493750 to 300000014585294, the user update rule is triggered but the technical rule is not processed to remove the user from the group.
This is what I see in the user update history:
Can someone point out if there is an issue in the configuration or if this is a product issue? Why would the technical rule not get processed to deprovision the user from the group? I have already opened a support ticket for this inquiry.
In the logs, I see an entry such as the below:
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-ent data not found for key 7123@#_#@1@#_#@CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com@#_#@
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-query = Select ev from Entitlement_values ev where ev.entitlementtypekey.id = 1 and ev.entitlement_value = 'CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com'
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [56117]
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [62496]
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet after = [62496]
What does this mean? What do those keys refer to?
09/16/2024 05:19 PM
Did you run the detective rules job?
09/16/2024 05:23 PM
We do not intend to run detective rules jobs as part of the implementation because that tends to bring down the application and impacts all other processes within Saviynt. As per Saviynt documentation, if a tech rule is configured as birthright and revoke birth access if condition fails is enabled, isn't the tech rule supposed to revoke the entitlement when the condition is not satisfied? We have seen this behaviour (removal of entitlements) in other technical rules but this technical rule is processed only when all the conditions are satisfied.
09/16/2024 06:28 PM - edited 09/16/2024 07:56 PM
Is assignedfromrule populated in the account_entitlements1 table?
SELECT accentkey,
savaccess,
accountkey,
arstaskkey,
assignedfromcomprole,
assignedfromrole,
assignedfromroles,
assignedfromrule,
assignedfromchild,
enddate,
entitlement_valuekey
FROM account_entitlements1
WHERE accountkey = 111;
09/16/2024 07:01 PM
@vvnibm2002
Check this query to see if the ASSIGNEDFROMRULE is populated for the account.
select ACCENTKEY,
ASSIGNEDFROMRULE,
SAVACCESS,
ACCOUNTKEY,
ARSTASKKEY,
ASSIGNEDFROMCOMPROLE,
ASSIGNEDFROMROLE,
ASSIGNEDFROMROLES,
ASSIGNEDFROMCHILD,
ENDDATE,
ENTITLEMENT_VALUEKEY
from account_entitlements1
where assignedfromrule = <place the technical rule key >
and accountkey= <account key>
To get the association into this table or populate the missing association.
Link: Repairing-Rule-User-Mappings
09/17/2024 07:48 AM
Hi @stalluri - the column ASSIGNEDFROMRULE is blank in the ae1 table. We have not enabled ARS yet for AD groups so there is no way that the entitlements are assigned to users outside of the policies. This is looking to be more like a product gap.
09/17/2024 08:25 AM - edited 09/17/2024 08:27 AM
@vvnibm2002
There are some issues regarding this and some gaps.
Try running the retrofit job. The value will be populated for the accounts. It will only populate the values for the entitlements that are part of the rules.
It will not populate the values if they are assigned as part of Import for entitlements that are not part of any rule/role.
If the association is not populated after the retrofit job, create a ticket with Saviynt support.
09/17/2024 08:43 AM
It may be possible that your import job failed and the mapping was removed. Please run the Repairing-Rule-User-Mappings mapping job to fix the mapping.
09/17/2024 09:47 AM
This does nothing when I trigger it from the technical rules. I just get this prompt.
09/17/2024 10:01 AM
Share job configuration and logs in text format
09/17/2024 01:20 PM
Hi @rushikeshvartak - What I am noticing is that when the subsequent HCM user import job runs to bring the user details the second time onwards, it is clearing the assignedfromrules column and the tech rule corresponding to that entitlement_valuekey is not getting processed. When I run the retrofit job to repair the user to rules mapping, that entitlement_valuekey record in ae1 table is still not getting the assignedfromrules value. Is this a product bug then?
09/17/2024 01:24 PM
It's a product bug, please raise a support ticket.
09/17/2024 11:42 AM
When I configured a job to retrofit all rules in the job control panel and executed it, I could see that the account_entitlements1 table got updated with rule key in the assignedfromrules column. But when the same is done from the technical rules UI, nothing happens. I am now testing to see if that will fix the issue with the triggering of technical rules.
09/17/2024 06:46 PM
@vvnibm2002
Yes, you can do the same for all rules.
If you are still having issues with populating the values in account_entitlements1, create a support ticket.
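An added example, not part of any post in this thread and not Saviynt's own code: a single read-only query that lists every account holding the group from the log excerpt and flags the rows where assignedfromrule is blank, which is the condition the replies ask to check, so the same result can be compared before and after the retrofit job. It assumes entitlement_values exposes entitlement_valuekey, entitlement_value and entitlementtypekey as plain columns (the thread shows them only in the HQL log line); the rule_link_state labels are made up for this example.

```sql
-- Added example: rule provenance for all holders of one AD group.
-- Assumption: entitlement_values has the columns entitlement_valuekey,
-- entitlement_value and entitlementtypekey (seen in the thread only as HQL).
-- The DN and the type key 1 are copied from the logged query in the thread.
SELECT ae.accountkey,
       ae.accentkey,
       ae.entitlement_valuekey,
       ae.assignedfromrule,
       CASE
           WHEN ae.assignedfromrule IS NULL
                OR TRIM(ae.assignedfromrule) = ''
               THEN 'NO_RULE_LINK'   -- held, but not tied to any rule
           ELSE 'RULE_LINKED'        -- rule key recorded on the row
       END AS rule_link_state
FROM account_entitlements1 ae
JOIN entitlement_values ev
  ON ev.entitlement_valuekey = ae.entitlement_valuekey
WHERE ev.entitlementtypekey = 1
  AND ev.entitlement_value =
      'CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com'
ORDER BY rule_link_state, ae.accountkey;
```

Running it again after each HCM user import shows whether the import is blanking the column for accounts that were previously RULE_LINKED.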