
Setting Create Task Action to EntitlementsOnly for AD

IAM
New Contributor III

For our AD Security system, we were looking into setting Create Task Action to EntitlementsOnly. If I enable this, will this cause any other issues? For AD nobody can request an account but they have their accounts provisioned through a technical rule for birthright. I'm not sure if EntitlementsOnly will affect that as well?

We also have many endpoints under AD. When a user requests access to these applications, it will normally create a new account task (even though they have an account in AD) and an add access task. When I turn this on, it only creates an Add Access task, is that fine?


sk
All-Star

@IAM: Enabling this setting will work as below.

  1. It will not create a separate task for a new account upon requesting an entitlement on the respective endpoint.
  2. But if the user doesn't have an account on the respective endpoint, it will internally try to provision the account (though no separate task is created).

A point to note: in case a user submits a request only for an account (without selecting an entitlement), that request won't get processed, as it will not create any task in such a scenario.

 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

IAM
New Contributor III

Hi sk, thank you for the quick response.

For my case AD is given upon birthright so nobody should ever need to request an account. In my case you don't see any issues with this? No issues with autoprovisioning accounts using technical rules?

The reason why I would like to enable this is because of the way this customer has their workflow. The level 2 approver is listed in the entitlement.CP5. This causes issues because for the new account task, there is no level 2 approver since it's only listed in the entitlement CP so the account gets stuck with the manager not moving forward. This is for AD endpoints only so I would never need users to request an account, only entitlements.

@IAM: It shouldn't have any issues as long as you don't have account-only requests. But I would still suggest validating all your use cases to see if anything else is breaking.

Also, you can modify the workflow to detect account-only requests and send them to manager-only approval or auto-approval based on your requirement, so that you will not face that issue, using the condition below in your workflow before sending it to 2nd level approval:

ars_requests.requesttype == 3 and entitlement.entitlement_value == null

Regards,
Saathvik

Mukul
New Contributor II

Hi @sk,

Just following up on this discussion. We have an app where a user may raise an entitlement request without an account being provisioned initially, and hence, if we don't set Create Task Action, we may run into an issue where the entitlement task is triggered before the account and fails. Now we enabled Create Task Action, but now if the account is being provisioned via an update rule, it fails as there is no account task created.

What's the best way to deal with this?

 

Remove entitlementsOnly


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.