We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Termination User Update Rule

sab2
Regular Contributor
Regular Contributor

hi,

we are creating our termination process through the user update rules. our requirement is to disable account and remove access on 0 day. Then after 20 days we will delete the account. I added a screenshot below of what we have configured. On birthright, users are getting an enterprise role which assigns this account and gives the accesses.

Our issue is that even when I set remove account to 20 days, it triggers on day 0. Or if I completely remove the deprovision account action from the user update rule, Saviynt is creating 'remove account' tasks anyway.

Is there something missing? How can I stop the remove account tasks from being created? Or triggering when they are not supposed to?

sab2_0-1683725521545.png

 

Thank you!

4 REPLIES 4

dgandhi
All-Star
All-Star

Hi,

The task would be created on Day0 but it wont be picked by the provisioning job as the startdate of the task would be future Day0 +20 in your case.

On day 20 , the provisioning job will pick up till task.

Till that time the task will remain in pending state.

Check startdate field in the arstasks table, it will give you more idea.

Thanks

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

timchengappa
Saviynt Employee
Saviynt Employee

Thanks for your response, @dgandhi.

Hi @sab2 

If the tasks are getting provisioned on day '0' instead of day '20', can you try to update the rule with the only action below and see if it is working as expected? i.e. the behavior should be as mentioned by @dgandhi.   

Screen Shot 2023-05-10 at 12.12.15 PM.png

This is because, in your current rule, you are already disabling the user on day '0' and with this action, the respective user's accounts/access also get disabled on day '0'

sab2
Regular Contributor
Regular Contributor

hi,

Yes, so when the only action in the termination user update rule is 'deprovision access' 'accounts only' this is working successfully. The pending tasks are created but not deprovisioning the account.

However, it only created remove account tasks so all the accounts and access remain active for the user.

When I made the rule only, deprovision account and disable accounts. It is working successfully such as the account is disabled and the remove account stayed pending but it does not remove the users access.

When I made the rule deprovision account, disable accounts and deprovision access, it fails again. As in the remove account is immediately deprovisioned. 

Thank You

timchengappa
Saviynt Employee
Saviynt Employee

Thanks for your validation @sab2 

Considering the rule with only the de-provision account and disable accounts is working as expected.
Can I ask for the need to de-provision access when the account is already in a disabled state?