and more in a single search tool across platforms. Read the announcement here. |
02/23/2024 06:57 AM
Hi everyone,
I'm currently facing the issue, that configured filters are not applied in User Update Rules.
In this case I'm trying to disable User Accounts, only when there is an active account (see Screenshot).
The next time a user fits the Query of the UUR, Disable Account Tasks get created, even though the AD Account is currently in status "Manually Provisioned" (The fact that status is a VARCHAR instead of a boolean is another rabbit hole for itself).
Do you have any guess, what I am doing wrong? I tried it with both approaches in the screenshot for the AD account and neither of them worked.
Cheers 🙂
02/23/2024 09:35 AM
Can you try this?
and accounts.status in (1,'Active')
02/23/2024 12:42 PM
and accounts.statuskey = '1'
Accounts table have status as column name
try accounts.status='1'
02/25/2024 11:34 PM
Hi @rushikeshvartak and hi @dgandhi,
I now tried the following setups:
It still does not work. To me it looks like the query I specify doe snot get added to the final SQL query (unsure if that should be the case):
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.525221973Z stdout F 2024-02-26 07:30:46,525 [quartzScheduler_Worker-3] DEBUG changeaction.UserChangeActionService - User List with Birthright access 0"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.537002851Z stdout F 2024-02-26 07:30:46,536 [quartzScheduler_Worker-3] DEBUG jobs.DetectiveProvisioningRulesJob - listofuser: [TestUser-C]"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.537016751Z stdout F 2024-02-26 07:30:46,536 [quartzScheduler_Worker-3] DEBUG changeaction.UserChangeActionService - Populating objlist with the hanarule action attributes"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.537079751Z stdout F 2024-02-26 07:30:46,537 [quartzScheduler_Worker-3] DEBUG changeaction.UserChangeActionService - objlist: [12###4###41, 12###6###41]"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.549100528Z stdout F 2024-02-26 07:30:46,549 [quartzScheduler_Worker-3] DEBUG saviynt.ImportExternalDbService - Final query to get accounts for disableUserAccounts::SELECT"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.549115828Z stdout F USER_ACCOUNTS.USERKEY,USER_ACCOUNTS.ACCOUNTKEY,ACCOUNTS.ENDPOINTKEY,ACCOUNTS.SYSTEMID"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.549122028Z stdout F FROM USER_ACCOUNTS,ACCOUNTS,USERS where USER_ACCOUNTS.ACCOUNTKEY=ACCOUNTS.ACCOUNTKEY AND USER_ACCOUNTS.USERKEY = USERS.USERKEY AND"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.549127028Z stdout F ( ACCOUNTS.ACCOUNTTYPE <> 'Service Account' OR ACCOUNTS.ACCOUNTTYPE is null )AND"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.549132428Z stdout F ACCOUNTS.STATUS in ('Manually Provisioned', '1' , 'Active') AND ACCOUNTS.ENDPOINTKEY IN (4) AND USER_ACCOUNTS.USERKEY IN"
"2024-02-26T07:30:47.143+00:00","ecm-worker","","null-q6n4c","","2024-02-26T07:30:46.549136528Z stdout F "
02/26/2024 12:37 AM
@Murmur may it will help to you
02/26/2024 02:43 AM
Hi @CR,
Thanks for your reply.
Unfortunately, this is a completely different issue.
I am able to disable accounts without any issue, but I can not use the additional filter on accounts (e.g. do not creat an Disable Account Task for accounts that are status='Manually Provisioned'.
02/26/2024 07:39 PM
and Accounts.status='1'
02/26/2024 10:01 PM
@rushikeshvartak - Still no luck with that
02/27/2024 12:58 AM
Hi @Murmur the OOTB inbuilt query by default checks for active accounts. Is there a reason you are again adding the condition in your disable account action?
02/27/2024 01:02 AM
Hi @naveenss,
Yes, I want to check for status='1' and not status in ('1', 'Manually Provisioned', ...)
In short, I need to exclude Accounts that are "Manually Provisioned", as the Detective Rule might else run Disable Account Task for an account, that was just provisioned (inactive) and hence offboard them (e.g. moving them to another OU, which I don't want to happen).
02/27/2024 01:12 AM
Thanks for the clarification @Murmur . May I ask you to delete the current rule and re-create with the below condition in your disable account action and see if the query is evaluated? (From the above conversations I don't see any config problem. But I want to check if it works after the rule is recreated)
and accounts.status!='Manually Provisioned'
02/27/2024 01:15 AM
Hi @naveenss,
Missed to add that, but I already tried that with the same result.
02/27/2024 01:22 AM
Thanks for the confirmation @Murmur . Request you to open a case with Saviynt support team for further troubleshooting.
02/27/2024 08:26 PM
which version of saviynt you have tried this >
02/28/2024 12:48 AM
v23.12 and v24.2
02/28/2024 10:02 PM
Raise support ticket