Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Saviynt unable to process technical rules

vvnibm2002
New Contributor
New Contributor

I have a technical rule as follows:

a.employeeType in ('EMP') and a.systemUserName is not null and a.statuskey = 1 and (a.customproperty26 in ('300000015225007', '300000015224271', '300000015210622', '300000014030712', '300000014030375', '300000015210603', '300000015209112', '300000015223675', '300000306493750') or a.customproperty27 in ('Facilities', 'MOW Capital Projects', 'Engineering Operations', 'Design Construction & Capacity', 'Engineering Ldshp', 'Maintenance of Way - North', 'Maintenance of Way - South', 'Communication & Signals', 'Comms, Signals & PTC Systems', '550 Water Street Corporate Facilities', 'COLOCATION FACILITY SERVICES')) and a.customproperty2 not in ('Retiree','Severance') and a.customproperty14 not in ('XXXXX_DISMISS_PAY')

If the conditions of the technical rule are satisfied, the user will be added to the group CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=xxx,DC=com

The below checkboxes are enabled for the rule:

vvnibm2002_0-1726530261729.png

 

This technical rule is triggered from a user update rule configured as follows (trigger action is when user is updated from UI):

vvnibm2002_1-1726530295856.png

An active user has got the group provisioned because the CP26 criteria was met and all other conditions satisfied successfully. When I change CP26 from 300000306493750 to 300000014585294, the user update rule is triggered but the technical rule is not processed to remove the user from the group.

This is what I see in the user update history:

vvnibm2002_0-1726530536401.png

 

Can someone point if there is an issue in the configuration or if this is a product issue? Why would the technical rule not get processed to deprovision the user from the group? I have already opened a support ticket for this inquiry.

In the logs, I see an entry such as the below:

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-ent data not found for key 7123@#_#@1@#_#@CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com@#_#@

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-query = Select ev from Entitlement_values ev where ev.entitlementtypekey.id = 1 and ev.entitlement_value = 'CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com'

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [56117]

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [62496]
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet after = [62496]

What does this mean? What do those keys refer to?

14 REPLIES 14

rushikeshvartak
All-Star
All-Star

Did you ran detective rules job


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

We do not intend to run detective rules jobs as part of the implementation because that tends to bring down the application and impacts all other processes within Saviynt. As per Saviynt documentation, if a tech rule is configured as birthright and revoke birth access if condition fails is enabled, isn't the tech rule supposed to revoke the entitlement when the condition is not satisfied? We have seen this behaviour (removal of entitlements) in other technical rules but this technical rule is processed only when all the conditions are satisfied.

vvnibm2002
New Contributor
New Contributor

In the logs, I see an entry such as the below:

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-ent data not found for key 7123@#_#@1@#_#@CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com@#_#@

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-query = Select ev from Entitlement_values ev where ev.entitlementtypekey.id = 1 and ev.entitlement_value = 'CN=AD.NonProd.Client.Mel.User,OU=OIDC,OU=HVT,DC=xxxtlab,DC=adlab,DC=xxx,DC=com'

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [56117]

2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet before = [62496]
2024-09-16T18:54:33-05:00-ecm-worker-changeaction.UserChangeActionService-quartzScheduler_Worker-11-nqsg4-DEBUG-entValueSet after = [62496]

What does this mean? What do those keys refer to?

Does assignedfromrule is populated under account_entitlements1 table?

SELECT accentkey,
       savaccess,
       accountkey,
       arstaskkey,
       assignedfromcomprole,
       assignedfromrole,
       assignedfromroles,
       assignedfromrule,
       assignedfromchild,
       enddate,
       entitlement_valuekey
FROM   account_entitlements1
WHERE  accountkey = 111; 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

stalluri
Valued Contributor II
Valued Contributor II

@vvnibm2002 
Check this query to see if the ASSIGNEDFROMRULE is populated for the account.

select ACCENTKEY
SAVACCESS
ACCOUNTKEY
ARSTASKKEY
ASSIGNEDFROMCOMPROLE
ASSIGNEDFROMROLE
ASSIGNEDFROMROLES
ASSIGNEDFROMRULE
ASSIGNEDFROMCHILD
ENDDATE
ENTITLEMENT_VALUEKEY 
from account_entitlements1 
where assignedfromrule = <place the technical rule key >
and accountkey= <account key>

Screenshot 2024-09-16 at 8.54.15 PM.png


To get the association in to this table or populate the missing association.
Link: Repairing-Rule-User-Mappings 


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @stalluri - the column ASSIGNEDFROMRULE is blank in the ae1 table. We have not enabled ARS yet for AD groups so there is no way that the entitlements are assigned to users outside of the policies. This is looking to be more like a product gap.

stalluri
Valued Contributor II
Valued Contributor II

@vvnibm2002 
There are some issues regarding this and some gaps.
Try running the retrofit job. The value will be populated for the accounts. It will only populate the values for the entitlements that are part of the rules. 
It will not populate the values if they are assigned as part of Import for entitlements that are not part of any rule/role.

If the association is not populated after the retrofit job, Create a ticket with Saviynt support.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

It  may be possible that your import job is failed and mapping is removed. Please run Repairing-Rule-User-Mappings  mapping job to fix mapping


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

This does nothing when I trigger it from the technical rules. I just get this prompt.

vvnibm2002_0-1726591637544.png

 

Share job configuration and logs in text format


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi @rushikeshvartak - What I am noticing is that when the subsequent HCM user import job runs to being the user details the second time onwards, it is clearing the assignedfromrules column and the tech rule corresponding to that entitlement_valuekey is not getting processed. When I run the retrofit job to repair the user to rules mapping, that entitlement_valuekey record in ae1 table is still not getting the assignedfromrules value. Is this a product bug then?

Its product bug please raise support ticket ,


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

vvnibm2002
New Contributor
New Contributor

When I configured a job to retrofit all rules in the job control panel and executed it, I could see that the account_entitlements1 table got updated with rule key in the assignedfromrules column. But when the same is done from the technical rules UI, nothing happens. I am now testing to see if that will fix the issue with the triggering of technical rules.

stalluri
Valued Contributor II
Valued Contributor II

@vvnibm2002 

Yes, you can do the same for all rules.
If you still having issue with populating the values in account_entitlements1, Create a support ticket.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.