05/10/2023 06:33 AM
hi,
we are creating our termination process through the user update rules. our requirement is to disable account and remove access on 0 day. Then after 20 days we will delete the account. I added a screenshot below of what we have configured. On birthright, users are getting an enterprise role which assigns this account and gives the accesses.
Our issue is that even when I set remove account to 20 days, it triggers on day 0. Or if I completely remove the deprovision account action from the user update rule, Saviynt is creating 'remove account' tasks anyway.
Is there something missing? How can I stop the remove account tasks from being created? Or triggering when they are not supposed to?
Thank you!
05/10/2023 09:41 AM
Hi,
The task would be created on Day0 but it wont be picked by the provisioning job as the startdate of the task would be future Day0 +20 in your case.
On day 20 , the provisioning job will pick up till task.
Till that time the task will remain in pending state.
Check startdate field in the arstasks table, it will give you more idea.
Thanks
05/10/2023 12:17 PM
Thanks for your response, @dgandhi.
Hi @sab2
If the tasks are getting provisioned on day '0' instead of day '20', can you try to update the rule with the only action below and see if it is working as expected? i.e. the behavior should be as mentioned by @dgandhi.
This is because, in your current rule, you are already disabling the user on day '0' and with this action, the respective user's accounts/access also get disabled on day '0'
05/10/2023 01:17 PM
hi,
Yes, so when the only action in the termination user update rule is 'deprovision access' 'accounts only' this is working successfully. The pending tasks are created but not deprovisioning the account.
However, it only created remove account tasks so all the accounts and access remain active for the user.
When I made the rule only, deprovision account and disable accounts. It is working successfully such as the account is disabled and the remove account stayed pending but it does not remove the users access.
When I made the rule deprovision account, disable accounts and deprovision access, it fails again. As in the remove account is immediately deprovisioned.
Thank You
05/10/2023 04:11 PM
Thanks for your validation @sab2
Considering the rule with only the de-provision account and disable accounts is working as expected.
Can I ask for the need to de-provision access when the account is already in a disabled state?