I have implemented a workflow to remove all standing access for inactive users. However, I am encountering an issue where the entitlements are not being removed. Upon checking the Campaign Reports, I found the following comment:
“The account was deleted or changed before the campaign was completed.”
Hi @Soundary, it seems the account for which access revocation is being done doesn’t exist in the source. Can you check if the account exists in the source and does have the access?
Are you facing the issue with all the accounts or specific accounts?
If this is happening with AD accounts, there can be cases where the account is moved to another OU (which modifies the DN/account ID) as part of the disable process and the certification is kicked off before an aggregation is processed or the account is manually modified after the certification campaign is created.
We see this issue only with people who have AD accounts. I see the AD-related entitlements are not removed.
I guess once the user is inactive, we have a rule to disable the AD of the user and move it to a disabled OU; maybe all of this is happening at the same time. So I am guessing it's causing this issue.
Check if running an aggregation before the certification creation fixes the issue. If yes, you can consider performing the aggregation before the campaign creation.
Else, consider performing the account disable activity through the workflow itself after the campaign completion.
You can add a wait in the Workflow until the leaver cycle gets completed and before cert creation. For example, if you schedule hourly AD aggregations, add a wait in the Workflow for 1 hour to complete the next AD aggregation. This will make sure that you have an updated AD account in ISC, though the mover process will automatically refresh the identity during OU movement.
Since it is an AD source, keep in mind that the “Domain Users” entitlement cannot be revoked and it may error out in ISC.