
Suggestion in mover scenario for enterprise role

TheSaviyntBoy
Regular Contributor

Hi,

We have a requirement where we need to assign the AD groups according to the title of the employee (RBAC model). We have created enterprise roles matching the titles and are giving the roles dynamically in the technical roles while joining.

There are also conflicting titles: the title names are the same but the departments are different and the entitlements to assign are also different. To tackle this, only for the conflicting titles we used a CP5 to concat title - department and created the roles with the same names too.

We are facing an issue when it's a mover scenario. The new roles are getting added according to the title but the previous roles aren't getting removed. What can be causing this issue?

Here is the tech rule:

[Screenshot: TheSaviyntBoy_0-1717315032708.png]

 


NM
Honored Contributor II

Hi @TheSaviyntBoy, please check if this config is ticked in global configuration:

Config Name: For Remove Birthright Task check if Access is Assigned From Rule

If not, enable it and give it a try.

TheSaviyntBoy
Regular Contributor

Hi @NM, I don't see any checkbox or config with that name in global configuration. 

[Screenshot: TheSaviyntBoy_0-1717332800785.png]

Maybe the label is changed? Searching for it as well. 

NM
Honored Contributor II

Hi @TheSaviyntBoy, check under the roles tab.

TheSaviyntBoy
Regular Contributor

Hi @NM, am I missing something?

[Screenshots: TheSaviyntBoy_0-1717333923072.png, TheSaviyntBoy_1-1717333956419.png, TheSaviyntBoy_2-1717333969224.png]

 

NM
Honored Contributor II

@TheSaviyntBoy, check under the rules tab of global configuration once.

TheSaviyntBoy
Regular Contributor

Hi @NM, nothing related was found. 

[Screenshot: TheSaviyntBoy_0-1717391871846.png]

 

Please share logs


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

@TheSaviyntBoy 

  • Check if assignedFromRule, assignedFromRole and assignedFromRoles are populated for the user account under the accounts_entitlement1 table. (Validate the data for a few users to see if the associations are correctly populated, where the current and previous assigned entitlements have values present in the table for the above-listed attributes.)
  • If they are not present, try running the retrofit job to populate those values.
    1. https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter05-Policies/Repairing-Rule-U...
    2. https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter02-Identity-Repository/Repai...
  • After running these jobs, check if the associations are getting populated. If they are populated, then on the next run if the condition fails it will add access and remove access if condition fails.
  • If the issue still persists, check with the Saviynt support team if indexes are present for the accounts_entitlement1 table.
  • They can provide you some workarounds and solutions to populate those values.

 


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

vvnibm2002
New Contributor

Hi @TheSaviyntBoy - Did this issue get resolved? If so, can you please share the resolution because I am running into a similar issue with the roles configured in Saviynt.

indra_hema_95
Regular Contributor III

Hi @vvnibm2002, he is actually from my team. To make it clear, it wasn't solved. We had multiple calls with Saviynt and showcased this to them, but we got no resolution in our environment.

Basically, internally, for the role which is supposed to be removed, the remove access task for the associated entitlement is getting generated and completed, but the user-to-role association is not being removed, meaning at the UI level it still shows the old role.

What we also observed was that if by any chance any of the user attributes gets updated again (which has nothing to do with roles), then the old role gets removed.

Regards,

Indra 

Old roles never get removed; this is a current product limitation.


Regards,
Rushikesh Vartak

Hi @rushikeshvartak, OK, but from an IAM perspective this is not right, correct?

Regards,

Indra

This is not expected, and an idea is already raised:

https://ideas.saviynt.com/ideas/EIC-I-5078

https://ideas.saviynt.com/ideas/EIC-I-2392


Regards,
Rushikesh Vartak

vvnibm2002
New Contributor

Thanks Indra. This is exactly what I am also seeing in v24.2 and v24.5. When the issue was first reported in v24.2, we were asked to upgrade to v24.5. But the issue still remains in v24.5. The end result is that Saviynt shows that the user accumulates roles during the various moves that the user makes in the organization. Another use case that is impacting is that the enterprise roles are not getting deprovisioned by the user update rule when statuskey = 0 even though there is an option configured in the user update rule to deprovision the role. One behavior of Saviynt that I noticed is that any actions configured after "Deprovision Role" are not being executed by Saviynt and therefore Deprovision Role has to be the last action to be configured in the user update rule. This issue was observed in v24.2 for which the upgrade was done to v24.5 but the issue still persists.
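
Added example (not part of any post in this thread and not Saviynt code): an offline check for the role accumulation described above. It assumes a hypothetical export of each user's title, department and assigned roles, that roles are named after the title, and that conflicting titles use the "title - department" name from the original post; all field names and records are constructed.

```python
# Added example: reconcile title-derived birthright roles against held roles.
# All names and records below are constructed for illustration.

# Titles that exist in more than one department; their role is "Title - Department".
CONFLICTING_TITLES = {"Analyst"}

# Enterprise roles owned by the birthright rule. Anything else is ignored.
BIRTHRIGHT_ROLES = {"Engineer", "Manager", "Analyst - Finance", "Analyst - Risk"}

USERS = [  # constructed export: one record per user
    {"username": "asmith", "title": "Engineer", "department": "IT",
     "roles": ["Engineer", "VPN Access"]},
    {"username": "bjones", "title": "Analyst", "department": "Finance",
     "roles": ["Analyst - Finance", "Analyst - Risk"]},   # moved Risk -> Finance
    {"username": "clee", "title": "Manager", "department": "HR",
     "roles": ["Manager", "Engineer"]},                   # promoted from Engineer
    {"username": "dkhan", "title": "Analyst", "department": "Risk",
     "roles": []},                                        # role never assigned
]


def expected_role(user, conflicting=CONFLICTING_TITLES):
    """Role name the current title (and department, if conflicting) maps to."""
    title = user["title"].strip()
    if title in conflicting:
        return f"{title} - {user['department'].strip()}"
    return title


def reconcile(users, birthright=BIRTHRIGHT_ROLES, conflicting=CONFLICTING_TITLES):
    """Return one finding per user whose birthright roles do not match their title."""
    findings = []
    for user in users:
        want = expected_role(user, conflicting)
        held = {r for r in user["roles"] if r in birthright}
        stale = sorted(held - {want})            # left over from an earlier position
        missing = want in birthright and want not in held
        if stale or missing:
            findings.append({"username": user["username"], "expected": want,
                             "stale": stale, "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in reconcile(USERS):
        print(finding)
```

Roles outside the birthright set (such as the constructed "VPN Access") are deliberately ignored, so requested access is not reported as stale.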

indra_hema_95
Regular Contributor III

@vvnibm2002 Yes, correct. It seems the ideas are already raised, as shared by Rushi. Please open them, take a look and vote, so that this gets accepted by Saviynt for a fix.

Regards,

Indra

Share with the Saviynt team and work with your CSM to prioritize.


Regards,
Rushikesh Vartak