Skip to Content
author's profile photo Former Member
Former Member

ARQ: Need correct understanding of "Account Validation Check" option

Hi All,

I am bit confused with "Account Validation Check" in Maintain Global Provisioning Configuration.

I have run several tests with multiple options. After running these tests, my understanding is that, it is helpful in case if user is selection "RETAIN" or "REMOVE" provisioning action for non-existing user.

Setting: "Account Validation Check" and "For Assign Role Action" are checked

If I select "REMOVE" OR "RETAIN" provisioning action for any user who is not existing in back end system, then it gives me error:

User XYZ does not exist in system ABC

This makes sense.

But my understanding is disturbed when I try to submit a request for new user with only one role with "ASSIGN" provisioning action. This role by itself clean.

But after submitting the request, I get below message:

"Account validation is ignored for system ABC due to conflicting actions"

When I am sure that role does not have any conflicting actions and that user is not there in back end system to cause any violations with "existing" roles/action, I am not sure why I am getting this message!

Can anybody help me understand this better?

I am quite sure about application's behavior if I use "Account Validation Check" option. But this message:

"Account validation is ignored for system ABC due to conflicting actions"

simply troubling me!

Please advise.

Regards,

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    Posted on Jun 10, 2014 at 06:42 AM

    Hi Faisal,

    when you submit a request the application can validate the user account and provide a warning or error message before the user proceeds with the request:

    • For request type New, a warning or error message is provided if the account already exists.
    • For request types Change, Delete, Lock, Unlock, a warning or error message is provided if the account does not exist.


    Basically the application performs two checks:

    • If the target connector is working properly
    • If the user exists in the target system. E.g. if the user exists in the target system, the application does not create a request for user creation as mentioned above.

    Hope this helps to understand.

    Regards

    Alessandro

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Alessandro Banzer

      Dear Alessandro,

      Thanks for your reply.

      Okay, so I need to add "Create User" and "Change User" for request types: "New Account" and "Change Account" respectively.

      I have done the same and it working as per note's expectation.

      One new Discovery!

      I selected "New Account" request type and then in "Add" button, I could see "Roles" and "System". There are several possibilities here:

      1. A user may not add system and simply add role - This is controlled by "Account Validation Check".

      Gives error in this scenario (User XYZ does not exist in the system..)

      2. A User may not add role but add system only - This is controlled by the error message at the time of

      request submission (At least select one role....)

      3. A user may add both a system and a role. But provisioning actions for role are: ASSIGN, REMOVE and RETAIN. By default, it is ASSIGN. If a user (negative) selects "REMOVE" for any role (For system line item, this is only "CREATE" which is good) and submits the request, application does not object on this and it let request get submitted. Ideally/logically, it should only show "ASSIGN" provisioning action for new account request type.

      At the completion of request workflow, what happens is that, user id gets created and user receives email notification with his new initial password. But role is not assigned (Because, "REMOVE" action was selected). Do we have any control for this? I mean can I only display "ASSIGN" provisioning action for "New Account" request type?

      Same goes with "CHANGE ACCOUNT" request type.

      Can you Please advise?

      Regards,

      Faisal

  • author's profile photo Former Member
    Former Member
    Posted on Jun 10, 2014 at 07:59 AM

    HI Faisal,

    You will get "Account Validation check is ignored for conflicting actions" when you check either of the box "Assign Role Action" or "Create User" in Provisioning settings. If these options are checked then the account validation does not takes place and it throws a pop up that account validation was ignored.

    So uncheck both the option and check the Account Validation option. Also you need to select the system line item in order to validate whether the user is exsiting in the backend or not at the time of submitting the request.

    Regards,

    Neeraj

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Faisal,

      Suppose you have different workflows for New and Change account and you don't want a new user to submit a request with change account type then you can restrict him by using this settings.

      In 5.3 there was no system line item and the application was validating fine against role line items

      But in 10 if you do not select the system line item then the validation does not take place.

      Hope you got some idea now.

      Regards,

      Neeraj

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.