10/11/2024 08:43 PM - edited 10/11/2024 08:44 PM
Important context for this entire post: I am an administrator of the Saviynt instance that I am experiencing issues with. I am also relatively new to the product and do not have much experience debugging it.
I have created an Enterprise role that provides an entitlement for a particular service that I am attempting to integrate with Saviynt. When I initially add a user to the role, the expected provisioning tasks are created, and I can execute them. However, I have noticed two issues.
Issue #1: I am unable to remove a user without first removing all entitlements from the role. When there are entitlements attached to the role, I receive a "role request submitted with requestID- []" message, which doesn't mean much to me.
I don't see any new requests or pending tasks, and no changes are made to the user's account for the service/endpoint. If it matters, the account is flagged as "manually provisioned" due to the way I'm conducting my tests.
After removing all entitlements from the role, I can remove the user as usual, and all the proper tasks get generated.
Issue #2: Sometimes, when I attempt to add a user to the role, the request is automatically rejected. I do not know what conditions are necessary for this to happen, but the issue seems to only occur when I attempt to add my secondary testing user while the role has my custom entitlement attached.
Currently, the "Roles Add Workflow" is set to "AutoApprove", and I can't find anything that explains why the request would be automatically rejected. When I look into the task history for the rejected request, it actually looks like it was approved, and yet no provisioning tasks were generated and the entire request is simply "rejected".
I would appreciate any tips for diagnosing (and hopefully fixing) these two problems. I am really at wit's end after spending hours trying to get this seemingly simple thing to work reliably.
Thanks!
10/12/2024 08:25 AM
I think I've found solutions to both of my issues, but I would still appreciate any explanation of the behavior I observed.
Issue #1 appears to have been caused by a lack of "Roles Remove Workflow". After setting a workflow, I got a much less cryptic message (including an actual request ID) when removing a user, and a task to remove access was generated as expected. However, since my role is intended to be managed automatically, I'm not sure this "solution" is ideal.
It seems like issue #2 may have been caused by a leftover account that was not properly deprovisioned. I wrote a custom query to rename and suspend each account tied to the endpoint, and then I was able to add my test user again.
10/12/2024 09:14 AM
10/12/2024 02:16 PM
Thank you @rushikeshvartak. Is there any documentation you're aware of that explains these "rules", or are they just undocumented details that administrators like me need to remember?
I also don't understand why a role removal workflow is seemingly only necessary for roles that have entitlements. Do workflows simply not get triggered for roles with no entitlements? Is this documented anywhere?
10/13/2024 09:27 PM
This is documented on like. Each use case is not documented, hence you can add your feedback to the documentation, and the documentation team will update missing details, if any.