
Users not in feed option on UserImportJob

nmuzinic
New Contributor III

Hi all,

I'm having issues similar to those described in this post. I'm using user import via a connection job to import users to Saviynt from AAD. This is the setup of the job:

[Screenshots: nmuzinic_0-1690542409219.png, nmuzinic_1-1690542424175.png]

The connection being used in the job is REST. GRAPH API is used to fetch users to create in Saviynt; accounts are imported via another connection. I would like to change the status of the user in Saviynt from active to inactive when the user is no longer present in the feed, e.g. the user is deleted on AAD. Currently, when a user is deleted from AAD, the only change that happens is that the account status is changed to Suspended from import service (as I've mentioned, accounts are imported via another job) and the name of the account is changed to username-deleted on..

I've set the Users not in feed action on the job to In-Activate and set the User terminate limit to 100 users. I've also tried to set the status config to { STATUS_ACTIVE: [true, active], STATUS_INACTIVE: [false, inactive]}, but the job then runs for a few seconds and nothing is imported; in the logs (attached) I can see a 401 error. When I remove the status config, the import job works as expected. I've read about STATUS_THRESHOLD_CONFIG, but I'm not sure if it only applies to accounts or if this setting is mandatory for any connection where I want to use the Users not in feed action, and if yes, how should it be set up, since all the JSON examples refer to accounts?


sai_sp
Saviynt Employee

Can you check if the number of users to be inactivated is higher than the threshold? In that case, none of the users will be inactivated.

nmuzinic
New Contributor III

Hi, 

There are maybe max. 10 users that need to be inactivated (that I've deleted or disabled on AAD), so the threshold is not exceeded. 

nmuzinic
New Contributor III

I've figured out this much so far: I went through other posts regarding this matter, which resulted in finding out about the User Termination from Imports setting in Global config.

First I set it to Enabled, and users were terminated in Saviynt (status changed to Inactive for users and accounts) when I executed the job, but the issue with this is that Remove Account tasks are also created (in my case AAD account and Sav4Sav accounts), which I do not want, as no account should be deleted from AAD.

Then I changed this setting to Disabled, so if a user is disabled on AAD, this will disable the account and the user in Saviynt. The last piece of the puzzle that I'm missing is how to revoke access for such users. Users are assigned Enterprise roles, and I've tried creating a user update rule to Deprovision Role, which is actually triggered when the user's status is changed to Inactive:

[Screenshot: nmuzinic_0-1690912483224.png]

But no tasks are created for removing access.