Click HERE to see how Saviynt Intelligence is transforming the industry. |
06/02/2024 12:57 AM
Hi,
We have a requirement where we need to assign the AD groups according to the title of the employee(RBAC Model). We have created enterprise roles matching the titles and giving the roles dynamically in the technical roles while joining.
There are also conflicting titles: like the title names are same but the departments are different and the entitlements to assign are also different. To tackle this, only for the conflicting titles we used a CP5 to concat title - department and created the roles with the same names too.
We are facing issue when its mover scenario. The new roles are getting added according to the title but the previous roles aren't getting removed. What can be causing this issue?
Here is the tech rule:
06/02/2024 05:24 AM
Hi @TheSaviyntBoy , please check if this config is ticked in global configuration
Config Name: For Remove Birthright Task check if Access is Assigned From Rule
If not enable it and give it a try
06/02/2024 05:53 AM
Hi @NM, I don't see any checkbox or config with that name in global configuration.
Maybe the label is changed? Searching for it as well.
06/02/2024 06:06 AM
Hi @TheSaviyntBoy , check under roles tab
06/02/2024 06:12 AM
06/02/2024 07:24 AM - edited 06/02/2024 07:25 AM
@TheSaviyntBoy , check under rules tab of global configuration once.
06/02/2024 10:18 PM
06/03/2024 07:41 PM
Please share logs
09/03/2024 08:35 AM
09/03/2024 08:21 AM
Hi @TheSaviyntBoy - Did this issue get resolved? If so, can you please share the resolution because I am running into a similar issue with the roles configured in Saviynt.
09/03/2024 08:52 AM
Hi @vvnibm2002 He is actually from my team. To make it clear it didn't solve. We had multiple calls with Saviynt and we showcased this to them but no resolution we got. In our environment.
Basically internally for the role which supposed to remove, for that associated entitlement remove access task is getting generated and completed but from user to role association it is not removing, means at the UI level it still shows the old role.
What we also observed was if by any chance any of the user attributes get's updated again (which is nothing to do with roles) then the old role is getting removed.
Regards,
Indra
09/03/2024 08:53 AM
Old roles never gets removed this is current product limitation
09/03/2024 08:55 AM
09/03/2024 08:57 AM
This is not expected and idea is already raised
https://ideas.saviynt.com/ideas/EIC-I-5078
https://ideas.saviynt.com/ideas/EIC-I-2392
09/03/2024 08:56 AM - edited 09/03/2024 08:56 AM
Thanks Indra. This is exactly what I am also seeing in v24.2 and v24.5. When the issue was first reported in v24.2, we were asked to upgrade to v24.5. But the issue still remains in v24.5. The end result is that Saviynt shows that the user accumulates roles during the various moves that the user makes in the organization. Another use case that is impacting is that the enterprise roles are not getting deprovisioned by the user update rule when statuskey = 0 even though there is an option configured in the user update rule to deprovision the role. One behavior of Saviynt that I noticed is that any actions configured after "Deprovision Role" are not being executed by Saviynt and therefore Deprovision Role has to be the last action to be configured in the user update rule. This issue was observed in v24.2 for which the upgrade was done to v24.5 but the issue still persists.
09/03/2024 09:05 AM
@vvnibm2002 Yes correct. The ideas already raised it seems, which is shared by Rushi. Please open that and take a look and give the vote, so that this gets accepted by Saviynt to do the fix.
Regards,
Indra
09/03/2024 09:16 AM
Share to Saviynt team and work with CSM to prioritize