
Technical Rule creates new Account Task if user has inactive account

Chamundeeswari
New Contributor III

Hi,

We have a use case where, whenever a user goes on leave, the account is disabled and when he returns, the account is enabled again and all rules are run to check for missing accesses. We have a technical rule that creates an account and adds accesses when a new user joins the company. The same rule is also checked when the user comes back from leave, to check if any of the accesses are missing. However, when the user returns from leave, Saviynt is creating a "New Account" task and trying to add all accesses to this new account. Our expectation is that it only creates "Add Access" tasks and a separate rule will enable the account. What is causing Saviynt to create "New Account" tasks when the user already has an inactive correlated account for the same user?

Please note that, in the technical rule, "Birthright" and "Detective" are unchecked.

Thanks and Cheers!

8 REPLIES

NM
Honored Contributor II

Hi @Chamundeeswari, you can try enabling the option in the endpoint, "Disable new account if account already exist", and give it a shot.

Otherwise, another possible option is to have two rules:

1) In the case of user profile creation, have a separate technical rule which creates an account and adds all those accesses.

2) In the case of rehire, use a different technical rule with just add access tasks.

Another thing: is the account name different for which Saviynt is trying to create the account?

Chamundeeswari
New Contributor III

Hi @NM

1. We already have "Disable new account if account already exists" enabled.

2. We are calculating a custom status which sets the value "ACTIVE" both on the user's start date and when the user comes back from leave. So, we cannot create a separate rule. Even if we do, both rules will check for "ACTIVE" status.

3. Yes, account name is different. Reason being, customer used a different rule for accountNames before and now we have a different rule for all new accounts.

NM
Honored Contributor II

@Chamundeeswari, a different account name might be a possible issue.

Do you have any other while which will separate new hire from rehire, which can be added as another identifying factor?

Chamundeeswari
New Contributor III

We are already in production and hence trying to find a better and quick solution. This behaviour is not always observed in Saviynt. And our previous customers had a similar setup without issues. Hence, is there any other setting that could help with not creating new account tasks if the user already exists?

@Chamundeeswari, do you have ALL or INACTIVE selected in the account name rule for the endpoint?


Kind Regards,
Amit Malik

Chamundeeswari
New Contributor III

I have "All" in the "Check Unique Account".


NM
Honored Contributor II

@Chamundeeswari keep the value only to inactive and manually suspended.

Chamundeeswari
New Contributor III

Thanks! We will test it out and let you know!