
Strange interaction between role entitlements and users

ktkaufman
New Contributor

Important context for this entire post: I am an administrator of the Saviynt instance that I am experiencing issues with. I am also relatively new to the product and do not have much experience debugging it.

I have created an Enterprise role that provides an entitlement for a particular service that I am attempting to integrate with Saviynt. When I initially add a user to the role, the expected provisioning tasks are created, and I can execute them. However, I have noticed two issues.

Issue #1: I am unable to remove a user without first removing all entitlements from the role. When there are entitlements attached to the role, I receive a "role request submitted with requestID- []" message, which doesn't mean much to me.

[Screenshot: ktkaufman_0-1728703245008.png]

I don't see any new requests or pending tasks, and no changes are made to the user's account for the service/endpoint. If it matters, the account is flagged as "manually provisioned" due to the way I'm conducting my tests.

After removing all entitlements from the role, I can remove the user as usual, and all the proper tasks get generated.

[Screenshot: ktkaufman_1-1728703913945.png]

[Screenshot: ktkaufman_2-1728703933374.png]

Issue #2: Sometimes, when I attempt to add a user to the role, the request is automatically rejected. I do not know what conditions are necessary for this to happen, but the issue seems to only occur when I attempt to add my secondary testing user while the role has my custom entitlement attached.

[Screenshot: ktkaufman_3-1728704172459.png]

Currently, the "Roles Add Workflow" is set to "AutoApprove", and I can't find anything that explains why the request would be automatically rejected. When I look into the task history for the rejected request, it actually looks like it was approved, and yet no provisioning tasks were generated and the entire request is simply "rejected".

[Screenshot: ktkaufman_4-1728704404777.png]

I would appreciate any tips for diagnosing (and hopefully fixing) these two problems. I am really at wit's end after spending hours trying to get this seemingly simple thing to work reliably.

Thanks!


ktkaufman
New Contributor

I think I've found solutions to both of my issues, but I would still appreciate any explanation of the behavior I observed.

Issue #1 appears to have been caused by a lack of "Roles Remove Workflow". After setting a workflow, I got a much less cryptic message (including an actual request ID) when removing a user, and a task to remove access was generated as expected. However, since my role is intended to be managed automatically, I'm not sure this "solution" is ideal.

It seems like issue #2 may have been caused by a leftover account that was not properly deprovisioned. I wrote a custom query to rename and suspend each account tied to the endpoint, and then I was able to add my test user again.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ktkaufman
New Contributor

Thank you @rushikeshvartak. Is there any documentation you're aware of that explains these "rules", or are they just undocumented details that administrators like me need to remember?

I also don't understand why a role removal workflow is seemingly only necessary for roles that have entitlements. Do workflows simply not get triggered for roles with no entitlements? Is this documented anywhere?

This is documented online. Each use case is not documented, hence you can add your feedback to the documentation and the documentation team will update any missing details.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.