Rishi
Saviynt Employee

Use Case

In an AD connection, we have the option to create child endpoints based on groups by specifying the mapping in Endpoint Filters. However, these child endpoints do not actually exist in the target; they are only a representation in the Saviynt UI.

Failure scenario: During one-click disable, Saviynt creates deprovisioning tasks for the parent AD account and its entitlements, along with a separate task for child account and entitlement removal. The account name and the entitlement name in the child account are the same as the account name and at least one of the entitlements in the parent. When the provisioning job runs, the account removal for the parent AD endpoint executes first and suspends the account. When the second removal task, for the child, then tries to execute, it fails to find an active account in the target with that name, because the target holds only one account, and that account has just been removed. The task therefore errors out and the child task never completes.
 
The following error is observed in the logs:
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] DEBUG ldap.SaviyntGroovyLdapService - Number of Distinct Ent Types for this User = 0
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] DEBUG ldap.SaviyntGroovyLdapService - Number Distinct Ent Values for this User = 0
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] ERROR ldap.SaviyntGroovyLdapService - Error Deleting/Disablng the Account from AD - Cannot invoke method contains() on null object
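
To find occurrences of this signature in a larger provisioning log, the following added example (not Saviynt code) flags the null-object error only when the same worker thread logged a zero-entitlement line just before it, as in the excerpt above. The function name, the 5-second window, and the Worker-3 sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Layout of the quoted log lines: timestamp [thread] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
ZERO_ENT = "Number of Distinct Ent Types for this User = 0"
NULL_ERR = "Cannot invoke method contains() on null object"

def find_failed_removals(lines, window_seconds=5):
    """Return (timestamp, thread) for each null-object error that follows a
    zero-entitlement DEBUG line on the same worker thread within the window."""
    last_zero = {}  # thread name -> time of its latest zero-entitlement line
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # stack-trace or continuation line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        thread, msg = m["thread"], m["msg"]
        if m["level"] == "DEBUG" and ZERO_ENT in msg:
            last_zero[thread] = ts
        elif m["level"] == "ERROR" and NULL_ERR in msg:
            seen = last_zero.get(thread)
            if seen is not None and 0 <= (ts - seen).total_seconds() <= window_seconds:
                hits.append((m["ts"], thread))
    return hits

# First three lines are the excerpt quoted above; the Worker-3 line is
# constructed to show an error without the zero-entitlement precursor.
SAMPLE = """\
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] DEBUG ldap.SaviyntGroovyLdapService - Number of Distinct Ent Types for this User = 0
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] DEBUG ldap.SaviyntGroovyLdapService - Number Distinct Ent Values for this User = 0
2021-01-18 09:32:41,363 [quartzScheduler_Worker-8] ERROR ldap.SaviyntGroovyLdapService - Error Deleting/Disablng the Account from AD - Cannot invoke method contains() on null object
2021-01-18 09:40:02,110 [quartzScheduler_Worker-3] ERROR ldap.SaviyntGroovyLdapService - Error Deleting/Disablng the Account from AD - Cannot invoke method contains() on null object
""".splitlines()

if __name__ == "__main__":
    for ts, thread in find_failed_removals(SAMPLE):
        print(f"{ts} {thread}: removal failed, no entitlements found for account")
```

A hit marks only where the signature occurred; the log lines quoted here do not name the account, so the affected task still has to be looked up separately.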

Pre-requisites

The user needs to have an account in both the parent AD endpoint and the child endpoint.

Applicable Version(s)

All

Solution

To overcome this situation, the following configuration should be updated at the endpoint level for each individual child endpoint.
[Screenshot: endpoint-level configuration for the child endpoint, with the relevant field highlighted]

By default, the value in the highlighted field is blank; we need to add Child Account to that field.

Now, during one-click disable, deprovisioning tasks are created only for the parent account and entitlement. On the next recon, both the child and parent accounts will be marked as inactive.


References

https://docs.saviyntcloud.com/bundle/EIC-Admin-v23x/page/Content/Chapter04-Application-Management-an...

Version history
Last update: 08/29/2023 12:41 PM