
Unable to provision logical application to users with an account in parent endpoint

SUMAIYA_BABU
Regular Contributor

We have a few logical applications created under Active Directory - say app1, app2. Active Directory is a birthright application for all users, whereas app1 and app2 are request based.

Expected Behavior: When a user (who already has an account in Active Directory) requests the logical application app1, the expectation is that the new account task auto-completes, since there is already an existing account in the parent endpoint (Active Directory).

Actual Behavior: When a user (who already has an account in Active Directory) requests the logical application app1, Saviynt tries to create a new account and it fails because there is already an existing account in the parent endpoint (Active Directory).

Analysis: We cannot use the 'Entitlements Only' option in the 'Create Task Action' configuration at the security system because we have to trigger emails on AD account creation on birthright.

We also tried the option to complete the New Account task for app1 manually or through an extension query job, and then process the Add Access tasks - but in this case, we see an error 'WILL NOT PERFORM' for such tasks.

We have verified that the account name rules for AD and app1 are the same.

9 REPLIES

rushikeshvartak
All-Star

You need to use entitlementsOnly. What is your account name rule in the parent and in the child?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

SUMAIYA_BABU
Regular Contributor

@rushikeshvartak I can't use Entitlements Only because I need to trigger emails for New Account in case of birthright for AD.

Account name rule is same for parent and logical endpoint - email

Birthright will be there with the entitlement; you can send email based on the birthright entitlement email.


Regards,
Rushikesh Vartak

Share screenshots of both endpoint configurations.


Regards,
Rushikesh Vartak

You can add an if-else block if you want to split the email based on birthright vs ARS request, using the task.source variable:

  • PROVRULE
  • ZERODAY
  • REQUEST

Regards,
Rushikesh Vartak

SUMAIYA_BABU
Regular Contributor

But in that case, it will send emails on request-based access provisioning as well, which we do not want. Also, I have emails to be triggered on account enable as well.

  • You can add arstasks.source condition

Regards,
Rushikesh Vartak

@rushikeshvartak Do you mean add condition in email template? Can you please explain?

dgandhi
All-Star

You can discontinue such tasks using an enhanced query job.

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.