
Unable to Remove Inactive User from Role using API

robcivitello
New Contributor III

Hello - We have a large number of inactive users with Enterprise roles assigned to them (because of a previous issue) and are trying to clean them up. We are able to manually remove the role from the user via the UI, but the createrequest API fails with a message that the user cannot be found. We have thousands of users to remove, so we really need to be able to script this out.

Is there an argument that can be passed into the API to include inactive users?

Example of the attempted request and response:

robcivitello_0-1689359578779.png

 


armaanzahir
Valued Contributor

Hi @robcivitello ,

You may not be able to achieve this using the createrequest or the removerole API, as they seem to not be working on inactive users.

The workaround for this would be to create an actionable analytic to remove the roles from these inactive identities.

armaanzahir_0-1689590954645.png

select r.ROLE_NAME,u.username as name, rua.ROLEKEY as roleKey,rua.ACCOUNTKEY as acctKey, u.USERKEY as userKey,'Deprovision Role' as 'Default_Action_For_Analytics' from role_user_account rua join user_accounts ua on ua.ACCOUNTKEY=rua.ACCOUNTKEY join users u on u.USERKEY = ua.USERKEY join roles r on r.ROLEKEY = rua.ROLEKEY where r.STATUS=1 and u.statuskey=0;

You may modify the above query to fetch results only for the userset desired by adding those conditions. 

Actioning on this analytic will directly deprovision the role without creating the request. The audit information would be available in this analytic though.

Ref: Configuring Allowed Actions (saviyntcloud.com)

Thanks,

Armaan

 

 

 

Regards,
Md Armaan Zahir

robcivitello
New Contributor III

Thanks, we will give this a try. Would you consider the fact that the remove user from role API doesn't work for inactives a defect or something that should be submitted as an enhancement?

Hi @robcivitello ,

Yes, the create request and the remove role APIs do not raise the request for inactive users.

Screenshot 2023-07-17 195452.png

It's not a defect but more of a limitation. Better to raise an enhancement for this on the ideas portal (https://ideas.saviynt.com/). If an actionable analytic enables you to do this, the remove role API should also allow it.

Thanks,

Armaan

Regards,
Md Armaan Zahir

Hello - I tried the suggested solution and it did not work. First, I noticed that the query is joining on acctkey, but in our cases the users often don't have accounts. The issue we're trying to clean up is that Saviynt is not always removing roles when it should be. In many cases some or all of the accounts tied to the roles are removed but the role itself is still assigned.

I updated the query to join to rua on userkey instead of acctkey and removed the reference to the user_accounts table. The analytic query runs and I am able to enter the deProvision Role action, but the role does not get removed.

Does the deprovision role action only work when accounts are present?

select rua.ROLEKEY as roleKey,rua.ACCOUNTKEY as acctKey, rua.USERKEY as userKey,'Deprovision Role' as 'Default_Action_For_Analytics' from role_user_account rua 


Regards,
Rushikesh Vartak