DixshantValecha
Saviynt Employee

Use Case

In the User Manager campaign, the Employment Verification step certifies the employment status of an employee based on the following criteria:

  • Works For Me

  • Does Not Work For Me

  • Terminate

If a certifier terminates the user and clicks Finish Access Review, the following actions are performed in the system:

  • The Update Users Table for Does not Work For Me action configuration immediately updates the status of the user.

  • The Create Revoke tasks option immediately creates revoke tasks for all the accesses and accounts of all the endpoints irrespective of the termination logic implemented through rules.

Pre-requisites

SavRole: RoleAdmin

Solution

To prevent triggering of unnecessary actions, perform the following steps:

  1. In Step 1 of the User Manager campaign, launch the campaign with the following configurations for the termination scenario:

       • Allow User Termination in Show Employment Status options

       • Deselect Update Users Table for Does Not Work for Me and Create Revoke Tasks for Terminated Users, Revoked/Conditional Certified Accounts and Entitlements on Locking

     These configurations:

       • Prevent immediate updates to the users table.

       • Stop creating revoke tasks for all the accesses and accounts of all the endpoints associated with the user.

  2. Perform the following actions:

       1. Identify all User Manager campaigns that are not in Cancelled or Discontinued status and are either in Active status or moved to Completed or Expired in the last two days.

          The two-day window is used to prevent issues arising from different time zones.

       2. In the campaigns identified in the previous step, identify certifications with the Fully Executed status and a Terminated response from the certifiers.

       3. Update the following attributes only for the terminated users:

            • Username

            • Comments

            • Termdate

            • Statuskey

            • CP28 (Set it as the campaign name)

          Customproperty28 (CP28) acts as a flag that prevents the same user from being updated again. The update applies only when CP28 is null (or) CP28 != CampaignName.

       4. Run the Database Import job every four hours.

<dataMapping>
    <before-import>
    </before-import>
    <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
 <![CDATA[
SELECT
    cu.USERNAME AS 'username',
    concat_ws("#####","User terminated through Certification ",c.certkey,c.cert_name,now()) as comments,
    now() as termdate,
    0 as statuskey,
    cm.campaign_name as customproperty28
FROM
    certification c,
    campaign cm,
    users u,
    certification_user_status us,
    certification_user cu
WHERE
        c.CAMPAIGNKEY = cm.id
        AND cu.CERT_USERKEY=us.CERT_USERKEY
        AND c.certkey = us.certkey
        AND u.USERKEY = cu.USERKEY
        AND u.statuskey = 1                          /* User is active */
        AND cm.campaign_type = 2                     /* UM campaign */
        AND cm.status NOT in (3,6)                   /* Campaign should not be cancelled or discontinued */
        AND (cm.status in (5)                        /* Campaign active */
             or (cm.status in (2,7) and cm.last_updated > now() - Interval 48 hour)   /* Campaign completed or expired in the last 48 hours */
             )
        AND c.STATUS in (10)                         /* Cert status: Locked-3, Expired-4, Task created-8, Fully Executed-10 */
        AND us.certified in (4)                      /* Terminated-(4), No Response-(1,null), Does not work for me-(3) */
        AND (u.customproperty28 != cm.campaign_name
            or u.customproperty28 is null);          /* Flag is null or Flag != CampaignName */
]]>
</sql-query>
    <importsettings>
        <zeroDayProvisioning>false</zeroDayProvisioning>
        <userNotInFileAction>NOACTION</userNotInFileAction>
        <checkRules>true</checkRules>
        <buildUserMap>false</buildUserMap>
    </importsettings>

    <mapper description="This is the mapping field for Saviynt Field name" defaultrole="" dateformat="date">
         <mapfield saviyntproperty="username" sourceproperty="username" type="character"/>
         <mapfield saviyntproperty="comments" sourceproperty="comments" type="character"/>
         <mapfield saviyntproperty="termdate" sourceproperty="termdate" type="date"/>
         <mapfield saviyntproperty="statuskey" sourceproperty="statuskey" type="number"/>
         <mapfield saviyntproperty="customproperty28" sourceproperty="customproperty28" type="character"/>
    </mapper>
    <after-import description="EMAIL,BATCH,SQL">
    </after-import>
</dataMapping>
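
The CP28 flag behaviour described above, as an added example that is not part of the original article or Saviynt's own code: a simplified SQLite model of the selection query, run twice, with and without the flag check, after a terminated user has been set active again. The trimmed schema, the sample rows, the function names and the `use_flag` switch are assumptions made for illustration.

```python
import sqlite3

# SQLite port of the page's selection query; schema trimmed, sample rows constructed.
# :use_flag is a hypothetical switch added here to contrast runs without the CP28 check.
SELECT_SQL = """
SELECT cu.username, cm.campaign_name
FROM certification c
JOIN campaign cm ON c.campaignkey = cm.id
JOIN certification_user_status us ON us.certkey = c.certkey
JOIN certification_user cu ON cu.cert_userkey = us.cert_userkey
JOIN users u ON u.userkey = cu.userkey
WHERE u.statuskey = 1 AND cm.campaign_type = 2 AND cm.status NOT IN (3, 6)
  AND (cm.status = 5 OR (cm.status IN (2, 7)
       AND cm.last_updated > datetime('now', '-48 hours')))
  AND c.status = 10 AND us.certified = 4
  AND (:use_flag = 0 OR u.customproperty28 IS NULL
       OR u.customproperty28 != cm.campaign_name)
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE users(userkey, username, statuskey, customproperty28);
    CREATE TABLE campaign(id, campaign_name, campaign_type, status, last_updated);
    CREATE TABLE certification(certkey, campaignkey, status);
    CREATE TABLE certification_user(cert_userkey, userkey, username);
    CREATE TABLE certification_user_status(cert_userkey, certkey, certified);
    INSERT INTO users VALUES (1, 'alice', 1, NULL), (2, 'bob', 1, NULL);
    INSERT INTO campaign VALUES (100, 'UM-Q1', 2, 5, datetime('now'));
    INSERT INTO certification VALUES (10, 100, 10);
    INSERT INTO certification_user VALUES (501, 1, 'alice'), (502, 2, 'bob');
    INSERT INTO certification_user_status VALUES (501, 10, 4), (502, 10, 3);
    """)
    return db

def run_import(db, use_flag=True):
    # One job run: select terminated users, then apply the mapped attributes.
    rows = db.execute(SELECT_SQL, {"use_flag": int(use_flag)}).fetchall()
    for username, campaign in rows:
        db.execute("UPDATE users SET statuskey = 0, customproperty28 = ? "
                   "WHERE username = ?", (campaign, username))
    return [r[0] for r in rows]

def reactivate_then_rerun(use_flag):
    db = build_db()
    first = run_import(db, use_flag)
    # Constructed scenario: alice is set active again while the campaign is still selectable.
    db.execute("UPDATE users SET statuskey = 1 WHERE username = 'alice'")
    return first, run_import(db, use_flag)
```

With the flag check, the second run selects nobody; without it, the reactivated user would be terminated again on the next scheduled run.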

 

Version history
Last update: 04/11/2023 06:58 AM