In a terminate employee scenario, my client wants Saviynt to disable the AD account, move it to a disabled OU, and deleteAllGroups in AD.
In case the user is rehired a few days later, my client wants Saviynt to enable the AD account and re-provision all of the AD groups that the user had before they were terminated.
How do I configure Saviynt so that it retains all of the AD groups that a user is a member of, and yet still deletes all AD groups while disabling the AD account?
When I had the following configuration settings, all AD groups (AD account - entitlement links) were deleted in both Saviynt and AD, during termination:
1. In the User Update Rule, action included deprovision access <endpoint> access only
2. In AD's disableAccountJSON, set deleteAllGroups = "Yes"
There is no way to achieve the above use case; Saviynt will do one of two things:
it will remove the groups from the user, or you can keep them as they are even after disabling the account. You can set up a rule in the user update rule, after enabling "run specific technical rule", and give basic access, but the exact access of users can't be provided; Saviynt doesn't store those groups anywhere once it disables the account.
@yusufw Also, please try using the following:
Active Directory uses the reuse account functionality to retain the suspended user accounts. When a user leaves an organization, the user’s account is suspended and moved to a different organization unit (OU) and kept in the OU for 30 to 90 days in the disabled state. If the user rejoins within this time, the account is reused.
While creating an account if you want to reuse an inactive account, specify True in the Reuse existing inactive accounts during rehire parameter.
To define the attributes to use while reusing an account, expand Reuse Account Policy in the Setup Account Provisioning configuration section and specify values for the following parameter:
Destination container for moving reused accounts: Specify the organization unit (OU) to move a reused account.
But still, as @Darshanjain mentioned, Saviynt doesn't store those groups anywhere once it disables the account.
IMO, there should be no mechanism which grants a rehired user all the accesses, i.e., birthright and requested access. The reason being that the requested accesses could be privileged access and would have gone through an approval process before being granted to the user. Hence, as far as feasible, the solution to grant birthright access is supported by Saviynt OOB using the technical rules.
In the worst case, if there is a hard requirement to provision the requested access as well, then I see using the Actionable Analytics functionality as an option. As part of the provisioning process, if it's done via Saviynt, there is always a repository of audit data which Saviynt will maintain. The requirement will be to tap into this audit data, get the required information, and execute the 'Provision access' actionable analytics on a scheduled basis to target the users rehired within a pre-defined time threshold.
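The audit-data approach in the last answer boils down to a selection rule: take the entitlements that were removed because of termination, keep only those whose owner was rehired within the time threshold, and drop anything that has since been granted again or that should go back through approval. The following is an added example, not code from this thread or from Saviynt; the audit records and the field names ("user", "entitlement", "action", "reason", "ts", "privileged") are constructed for illustration and do not match Saviynt's real audit tables, which a 'Provision access' analytics query would supply instead. It also generalizes slightly beyond the answer by honouring the earlier caution about requested privileged access: such entitlements are skipped unless the caller opts in.

```python
from datetime import datetime, timedelta

# Constructed sample audit data. The field names are assumptions for this
# illustration, not Saviynt's actual audit schema.
AUDIT_EVENTS = [
    {"user": "jdoe", "entitlement": "VPN-Users", "action": "REMOVE",
     "reason": "TERMINATION", "ts": "2024-03-01T10:00:00", "privileged": False},
    {"user": "jdoe", "entitlement": "Domain Admins", "action": "REMOVE",
     "reason": "TERMINATION", "ts": "2024-03-01T10:00:00", "privileged": True},
    {"user": "jdoe", "entitlement": "Finance-Share", "action": "REMOVE",
     "reason": "TERMINATION", "ts": "2024-03-01T10:00:00", "privileged": False},
    # VPN-Users was already granted again by a birthright technical rule on rehire.
    {"user": "jdoe", "entitlement": "VPN-Users", "action": "ADD",
     "reason": "TECHNICAL_RULE", "ts": "2024-03-10T09:30:00", "privileged": False},
    # Terminated long ago; the rehire falls outside the default threshold.
    {"user": "asmith", "entitlement": "Finance-Share", "action": "REMOVE",
     "reason": "TERMINATION", "ts": "2023-11-01T08:00:00", "privileged": False},
    # Removed by an access review, not by termination; must not be restored.
    {"user": "bwhite", "entitlement": "VPN-Users", "action": "REMOVE",
     "reason": "ACCESS_REVIEW", "ts": "2024-02-20T12:00:00", "privileged": False},
]

# Constructed rehire events (user and the time the rehire took effect).
REHIRE_EVENTS = [
    {"user": "jdoe", "ts": "2024-03-10T09:00:00"},
    {"user": "asmith", "ts": "2024-03-05T09:00:00"},
    {"user": "bwhite", "ts": "2024-03-01T09:00:00"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def plan_reprovisioning(audit_events, rehire_events, threshold_days=90,
                        include_privileged=False):
    """Return {user: [entitlements]} that a scheduled provisioning job should
    restore for users rehired within threshold_days of a termination.

    Rules applied:
      * only REMOVE events with reason TERMINATION count as lost on termination;
      * the removal must precede the rehire by at most threshold_days;
      * an entitlement re-added (ADD) after its removal is skipped, because a
        technical rule or a request already restored it;
      * privileged entitlements are skipped unless include_privileged is True,
        so they go back through the normal request/approval path.
    """
    plan = {}
    for rehire in rehire_events:
        user = rehire["user"]
        rehired_at = _parse(rehire["ts"])
        window_start = rehired_at - timedelta(days=threshold_days)
        to_restore = set()
        for ev in audit_events:
            if (ev["user"] != user or ev["action"] != "REMOVE"
                    or ev["reason"] != "TERMINATION"):
                continue
            removed_at = _parse(ev["ts"])
            if not (window_start <= removed_at <= rehired_at):
                continue
            if ev["privileged"] and not include_privileged:
                continue
            re_added = any(
                other["user"] == user
                and other["entitlement"] == ev["entitlement"]
                and other["action"] == "ADD"
                and _parse(other["ts"]) > removed_at
                for other in audit_events
            )
            if not re_added:
                to_restore.add(ev["entitlement"])
        if to_restore:
            plan[user] = sorted(to_restore)
    return plan


if __name__ == "__main__":
    # With the constructed data only jdoe's Finance-Share is restored:
    # VPN-Users was re-added by a rule, Domain Admins is privileged,
    # asmith is outside the 90-day window, bwhite was not terminated.
    for user, ents in plan_reprovisioning(AUDIT_EVENTS, REHIRE_EVENTS).items():
        print(user, "->", ", ".join(ents))
```

The output of this selection is the input list for the scheduled 'Provision access' run; the threshold and the privileged-access opt-in are the two knobs that decide how far the automation goes beyond birthright access.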