We had AD group membership granted to employees using a legacy IAM platform. When Saviynt replaced the legacy platform, we were able to reconcile AD group membership as entitlements on users' AD accounts.
We are noticing that these entitlements are not evaluated and remove access tasks are not triggered when technical rule conditions are not met. We do have 'Birthright' and 'Remove Birthright if conditions fail' checkboxes selected on technical rules. It is logical because Saviynt did not grant that access as birthright.
While going through the following documentation, it seems like the Upgrade Job has been designed specifically for this purpose.
Does anyone have experience with it? Can you share some tips?
Does anyone have other thoughts on how to handle legacy access that was not provisioned through Saviynt?
Hi @PRana ,
We recommend conducting testing for this (Upgrade Job) in a lower-tier environment. Please ensure the data in this environment is sanitized, and no concurrent background processes/jobs are running during your testing phase. Please validate and let us know if further details are needed on this.
I followed the documentation and ran the upgrade job with the following upgrade types sequentially. The jobs completed successfully. However, it did not make legacy access eligible for evaluation by technical rules.
Upgrade Job sequence - Backup Account Entitlements Data, Evaluate Missing Rule Data, Update Accounts Entitlements with Evaluated Data, Remove Temp tables created in upgrade, Remove Account Entitlements DataBackup