Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User update rule "execute on" not working properly

Go to solution
Caesrob
Regular Contributor
Regular Contributor

‎06/19/2023 12:56 AM

We use user update rules to check if accounts and access needs to be deprovisioned and if the users needs to be disabled.

The user update rule should go as follows: Disable user, disable user accounts (immediately), deprovision access from accounts (immediately) and deprovision account (in 90 days).

Caesrob_0-1687161048519.png

When this user update rule triggers for a user, all tasks are created. But when we look at the start date of these tasks, we see that the deprovision access tasks are the same start date as the deprovision account task (90 days). The disable account task start date is correct (the same day).

Can anyone tell us why the deprovision access and deprovision account tasks are the same start date when we explicitly stated that ONLY the deprovision account task should be started in 90 days?

We have also tried adding "0 days" to the deprovision access action, but this did not change anything.

1 person had this problem.
Labels:
0 Kudos
14 REPLIES 14

Go to solution
sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎06/19/2023 02:12 AM

Hello @Caesrob,

This is the expected behavior. When we generate future-dated tasks based on rules, the tasks will be initially created on the same day.
However, Saviynt will not process these tasks until the 90-day window has elapsed, even if the provisioning jobs are executed before that time.

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".
0 Kudos

Go to solution
Caesrob
Regular Contributor
Regular Contributor
In response to sudeshjaiswal

‎06/19/2023 02:32 AM - edited ‎06/19/2023 02:43 AM

This is exactly the problem we are having though. When I execute these tasks by running a provisioning job, all tasks are executed including the remove account task. There is no 90 day delay on this.

We have also tried re-arranging these tasks so the deprovision account task in 90 days comes first and then the deprovision access task immediately. What this does is set the deprovision of access task on 90 days as well. the disable user account task stays immediate.

0 Kudos

Go to solution
sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎06/19/2023 03:23 AM

Hello @Caesrob,

Did you try to put Both rules separately and try?

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".
0 Kudos

Go to solution
Caesrob
Regular Contributor
Regular Contributor
In response to sudeshjaiswal

‎06/19/2023 04:04 AM

Yes, this works. But we would like it to be 1 rule and not 2 seperate rules. we don't see how this could be an issue.

0 Kudos

Go to solution
saipraveengv
New Contributor III
New Contributor III
In response to Caesrob

‎06/19/2023 04:06 AM

I have configured the same (both in same rule) in my environment and it works pretty fine. I don't think that would be a issue. 

0 Kudos

Go to solution
saipraveengv
New Contributor III
New Contributor III

‎06/19/2023 04:04 AM

HI @Caesrob,

Can you run select taskdate,startdate from arstasks where taskkey in () and share the output for the both disable account and remove access tasks

0 Kudos

Go to solution
Caesrob
Regular Contributor
Regular Contributor
In response to saipraveengv

‎06/19/2023 04:12 AM

Sure, here is the output. Task 870 is the disable account task, tasks 871-875 are the access removal tasks, task 876 is the account remove task.

Caesrob_0-1687173061048.png

 

0 Kudos

Go to solution
saipraveengv
New Contributor III
New Contributor III

‎06/19/2023 04:16 AM - edited ‎06/19/2023 04:17 AM

Hi @Caesrob ,

Except task 870 all other tasks will be executed after 90 days. It is fine. What is the issue you are seeing. Tasks get processed based on the startdate. 

0 Kudos

Go to solution
Caesrob
Regular Contributor
Regular Contributor
In response to saipraveengv

‎06/19/2023 04:20 AM

That IS the issue... The remove access tasks should get executed immediately but the remove account task should be executed after 90 days.

0 Kudos

Go to solution
saipraveengv
New Contributor III
New Contributor III

‎06/19/2023 04:26 AM

Got it. This is a bug. Rule is taking both account and access as one and creating tasks. 

Workaround would be use two different rules

0 Kudos

Go to solution
sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎06/20/2023 07:48 AM - edited ‎06/20/2023 07:49 AM

Hello @Caesrob ,

We are currently conducting internal checks, and for now, you may need to utilize two separate rules for your specific use case.

Thanks.

If you find the above response useful, Kindly Mark it as "Accept As Solution".

Go to solution
shibinvpkvr
Regular Contributor II
Regular Contributor II

‎06/21/2023 06:50 AM

@sudeshjaiswal I have a follow-up question on the Execute On use case. We have configured the rule to disable the account immediately and remove account after 30 days per requirement. However what if the user got rehired within 30 days, does that task need to be discontinued manually? 

0 Kudos

Go to solution
armaanzahir
Valued Contributor
Valued Contributor
In response to shibinvpkvr

‎06/21/2023 07:00 AM

Yes, the task would need to be manually discontinued in such a case. Better to have a separate trigger event that calls the rules for remove account as well on the 30th day.

Thanks

Regards,
Md Armaan Zahir

Go to solution
shibinvpkvr
Regular Contributor II
Regular Contributor II

‎06/21/2023 07:35 AM

yes thanks! thought so. I believe Actionable Analytics may be a good option to do this. 

0 Kudos
Copyright © 2024 Khoros, LLC