We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

User update rule "execute on" not working properly

Caesrob
Regular Contributor
Regular Contributor

We use user update rules to check if accounts and access needs to be deprovisioned and if the users needs to be disabled.

The user update rule should go as follows: Disable user, disable user accounts (immediately), deprovision access from accounts (immediately) and deprovision account (in 90 days).

Caesrob_0-1687161048519.png

When this user update rule triggers for a user, all tasks are created. But when we look at the start date of these tasks, we see that the deprovision access tasks are the same start date as the deprovision account task (90 days). The disable account task start date is correct (the same day).

Can anyone tell us why the deprovision access and deprovision account tasks are the same start date when we explicitly stated that ONLY the deprovision account task should be started in 90 days?

We have also tried adding "0 days" to the deprovision access action, but this did not change anything.

14 REPLIES 14

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @Caesrob,

This is the expected behavior. When we generate future-dated tasks based on rules, the tasks will be initially created on the same day.
However, Saviynt will not process these tasks until the 90-day window has elapsed, even if the provisioning jobs are executed before that time.

Thanks,

This is exactly the problem we are having though. When I execute these tasks by running a provisioning job, all tasks are executed including the remove account task. There is no 90 day delay on this.

We have also tried re-arranging these tasks so the deprovision account task in 90 days comes first and then the deprovision access task immediately. What this does is set the deprovision of access task on 90 days as well. the disable user account task stays immediate.

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @Caesrob,

Did you try to put Both rules separately and try?

Thanks,

Yes, this works. But we would like it to be 1 rule and not 2 seperate rules. we don't see how this could be an issue.

saipraveengv
New Contributor III
New Contributor III

I have configured the same (both in same rule) in my environment and it works pretty fine. I don't think that would be a issue. 

saipraveengv
New Contributor III
New Contributor III

HI @Caesrob,

Can you run select taskdate,startdate from arstasks where taskkey in () and share the output for the both disable account and remove access tasks

Caesrob
Regular Contributor
Regular Contributor

Sure, here is the output. Task 870 is the disable account task, tasks 871-875 are the access removal tasks, task 876 is the account remove task.

Caesrob_0-1687173061048.png

 

saipraveengv
New Contributor III
New Contributor III

Hi @Caesrob ,

Except task 870 all other tasks will be executed after 90 days. It is fine. What is the issue you are seeing. Tasks get processed based on the startdate. 

Caesrob
Regular Contributor
Regular Contributor

That IS the issue... The remove access tasks should get executed immediately but the remove account task should be executed after 90 days.

saipraveengv
New Contributor III
New Contributor III

Got it. This is a bug. Rule is taking both account and access as one and creating tasks. 

Workaround would be use two different rules

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @Caesrob ,

We are currently conducting internal checks, and for now, you may need to utilize two separate rules for your specific use case.

Thanks.

shibinvpkvr
Regular Contributor II
Regular Contributor II

@sudeshjaiswal I have a follow-up question on the Execute On use case. We have configured the rule to disable the account immediately and remove account after 30 days per requirement. However what if the user got rehired within 30 days, does that task need to be discontinued manually? 

Yes, the task would need to be manually discontinued in such a case. Better to have a separate trigger event that calls the rules for remove account as well on the 30th day.

Thanks

Regards,
Md Armaan Zahir

shibinvpkvr
Regular Contributor II
Regular Contributor II

yes thanks! thought so. I believe Actionable Analytics may be a good option to do this.