on 06-10-2014 6:07 AM
Hi All,
I am a bit confused by the "Account Validation Check" in Maintain Global Provisioning Configuration.
I have run several tests with multiple options. After running these tests, my understanding is that it is helpful in case the user is selecting the "RETAIN" or "REMOVE" provisioning action for a non-existing user.
Setting: "Account Validation Check" and "For Assign Role Action" are checked
If I select the "REMOVE" or "RETAIN" provisioning action for any user who does not exist in the back end system, then it gives me the error:
User XYZ does not exist in system ABC
This makes sense.
But my understanding is disturbed when I try to submit a request for a new user with only one role with the "ASSIGN" provisioning action. This role by itself is clean.
But after submitting the request, I get the below message:
"Account validation is ignored for system ABC due to conflicting actions"
When I am sure that the role does not have any conflicting actions and that the user is not there in the back end system to cause any violations with "existing" roles/actions, I am not sure why I am getting this message!
Can anybody help me understand this better?
I am quite sure about the application's behavior if I use the "Account Validation Check" option. But this message:
"Account validation is ignored for system ABC due to conflicting actions"
is simply troubling me!
Please advise.
Regards,
Hi Faisal,
When you submit a request the application can validate the user account and provide a warning or error message before the user proceeds with the request:
Basically the application performs two checks:
Hope this helps to understand.
Regards
Alessandro
Dear Alessandro,
Thanks for your reply.
- For request type New, a warning or error message is provided if the account already exists.
This I have checked. I have raised a request for my user id which is already available in the back end system. But it simply accepted this request and the workflow is triggered!
What I was expecting is that, as you said, it should check if the user already exists. If it exists, then throw an error or warning based upon the configuration.
But the application is duly validating a user's existence in the back end system in case of RETAIN or REMOVE actions. If the user does not exist, it gives an error message (which is my current configuration).
But for a new account, I don't know why it is not giving this error!
Secondly, the message "Account Validation is ignored for system ABC due to conflicting actions" is misleading!
Anybody who sees this message gets the understanding that "Account Validation" is not done because there are conflicts in the role(s). As I mentioned before, I simply selected a "CLEAN" role which does not have any violations!
FYI...
I am using the "ASSIGN OBJECTS" action ONLY for New account and change account request types.
Can you advise please?
Regards,
Faisal
Dear Alessandro,
Thanks for your reply.
Okay, so I need to add "Create User" and "Change User" for request types: "New Account" and "Change Account" respectively.
I have done the same and it is working as per the note's expectation.
One new discovery!
I selected the "New Account" request type and then in the "Add" button, I could see "Roles" and "System". There are several possibilities here:
1. A user may not add system and simply add role - This is controlled by "Account Validation Check". Gives error in this scenario (User XYZ does not exist in the system..)
2. A user may not add role but add system only - This is controlled by the error message at the time of request submission (At least select one role....)
3. A user may add both a system and a role. But provisioning actions for a role are: ASSIGN, REMOVE and RETAIN. By default, it is ASSIGN. If a user (negative) selects "REMOVE" for any role (for the system line item, this is only "CREATE", which is good) and submits the request, the application does not object to this and it lets the request get submitted. Ideally/logically, it should only show the "ASSIGN" provisioning action for the new account request type.
At the completion of the request workflow, what happens is that the user id gets created and the user receives an email notification with his new initial password. But the role is not assigned (because the "REMOVE" action was selected). Do we have any control for this? I mean, can I only display the "ASSIGN" provisioning action for the "New Account" request type?
The same goes for the "CHANGE ACCOUNT" request type.
Can you please advise?
Regards,
Faisal
Hi Faisal,
You will get "Account Validation check is ignored for conflicting actions" when you check either of the boxes "Assign Role Action" or "Create User" in Provisioning settings. If these options are checked then the account validation does not take place and it throws a pop-up that account validation was ignored.
So uncheck both the options and check the Account Validation option. Also you need to select the system line item in order to validate whether the user is existing in the backend or not at the time of submitting the request.
Regards,
Neeraj
Hi Neeraj,
Thanks for your reply.
You will get "Account Validation check is ignored for conflicting actions" when you check either of the boxes "Assign Role Action" or "Create User" in Provisioning settings. If these options are checked then the account validation does not take place and it throws a pop-up that account validation was ignored.
I am confused by this logic of the application! I sincerely request you to kindly share the logic behind keeping this feature like this, if possible. I really do not see any value added feature!
I would like to know the "real" purpose of this.
Yes, we can add a line item for the system. But I did not want to select the system separately, as selecting a role would implicitly create the user in the respective system to which the role belongs.
Therefore, I went ahead with the "Assign Object" request action. But it seems that it is creating a lot of confusion!
Please help me understand this.
Regards,
Faisal
Hi Faisal,
Suppose you have different workflows for New and Change account and you don't want a new user to submit a request with the change account type; then you can restrict him by using this setting.
In 5.3 there was no system line item and the application was validating fine against role line items.
But in 10, if you do not select the system line item then the validation does not take place.
Hope you got some idea now.
Regards,
Neeraj