09/21/2023 03:30 AM
We are using Enhanced Application Catalog and we've noticed that after onboarding new users the DefaultEndpointSyncTrigger job needs to be run before access can be requested for these new joiners (except for endpoints where access query is not defined at all).
We can schedule DefaultEndpointSyncTrigger to be run after each user import job, but have a couple of concerns here:
1) We've noticed that while the DefaultEndpointSyncTrigger is running, access cannot be requested for any user? While DefaultEndpointSyncTrigger is running, only applications without access query are visible in application list. Is this expected behaviour from Saviynt or have we configured something wrong?
2) Running DefaultEndpointSyncTrigger currently takes about 30 seconds. However, we're planning to onboard many more users and applications in the future. Will this increase the running time of the job or should it remain the same?
09/25/2023 12:08 PM
DefaultEndpointSyncTrigger is going to be deprecated for ARS and this is only going to be used for a few connectors. Can you please check and let us know if the changes are reflected without running the job or not? Which version are you on?
09/27/2023 12:34 AM
Hi @sai_sp, changes to users are not reflected in ARS without running DefaultEndpointSyncTrigger. Changes to endpoints can be seen in ARS DefaultEndpointDeltaSyncTrigger. We are running Saviynt version 23.5.
Do you have more information about when DefaultEndpointSyncTrigger will be deprecated and how it will be replaced?
Best regards,
Sampo
09/27/2023 12:50 PM - edited 09/27/2023 12:50 PM
@Sampo whatever changes you make will automatically reflect in ARS. Can you please elaborate on what you mean by changes to users?
09/27/2023 01:44 PM
Hi @sai_sp, we have enabled the global config option Request -> Enable enhanced application catalog based searches.
When we have an endpoint 'MyApp' with an access query, for example:
where users.userkey in (select distinct u.userkey from users u inner join user_accounts ua on ua.userkey = u.userkey inner join accounts a on a.accountkey = ua.accountkey inner join endpoints e on e.endpointkey = a.endpointkey where e.endpointname = 'MyOtherApp' and a.status in (1,'Manually Provisioned'))
and an account to 'MyOtherApp' is provisioned to a user, the 'MyApp' endpoint will only be visible in ARS application catalog after DefaultEndpointSyncTrigger has been run.
Saviynt documentation mentions that DefaultEndpointSyncTrigger does a full sync of user-to-endpoint mappings to application catalog: https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter13-Access-Requests/Understan...
"DefaultEndpointSyncTrigger
This job trigger is used for performing the full synchronization for the endpoints, entitlements, and user-to-endpoint mappings to the catalog. The endpoint full sync job is configured to run twice a day to ensure that the data is available in real-time. You can change the frequency to run the job more often when there are too many users onboarding to the system in various ways."
10/03/2023 07:46 AM
Hi @Sampo, I just got a confirmation that this job still needs to be used for your use case. One way for you to address this requirement is by using the mapped endpoint feature.
Please refer to the documentation here: https://docs.saviyntcloud.com/bundle/EIC-Admin-v2020x/page/Content/Chapter02-Identity-Repository/Vie...
Please check if this can help you achieve your requirement.