Click HERE to see how Saviynt Intelligence is transforming the industry.
|
Click HERE to see how Saviynt Intelligence is transforming the industry.
|
Hi. We have two user update rules that trigger on user termination, one of which SHOULD just generate a remove account task and no remove access tasks as shown here:
The other rule performs the following actions
The remove access tasks generate properly only when the rule that generates the remove account task is disabled.
If both rules are enabled the update rule that should only trigger a remove account task ends up doing two things:
1 - It generates a remove access task for a role/technical rule that is configured to not remove access if birthright condition fails.
2 - All remove access tasks get set to process one day in the future which is only configured in the remove account user update rule as shown above.
Why is the task delay bleeding over into the tasks generated by other user update rules? And why is it generating a remove access task for an entitlement that is configured to not be removed? I have confirmed in both the disableAccountJson and the removeAccountJSON on the AD connection do not have any group removal configs in place.
We split these rules into two initially because we saw the same thing happening with that remove account option causing all remove access tasks to get a 1 day delay. The fact that even though its now in its own rule but is affecting other tasks generated by different rules is causing issues.
