cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ARQ: Need correct understanding of "Account Validation Check" option

Go to solution
former_member184114
Active Contributor

on ‎06-10-2014 6:07 AM

0 Kudos

Hi All,

I am bit confused with "Account Validation Check" in Maintain Global Provisioning Configuration.

I have run several tests with multiple options. After running these tests, my understanding is that, it is helpful in case if user is selection "RETAIN" or "REMOVE" provisioning action for non-existing user.

Setting: "Account Validation Check" and "For Assign Role Action" are checked

If I select "REMOVE" OR "RETAIN" provisioning action for any user who is not existing in back end system, then it gives me error:

User XYZ does not exist in system ABC

This makes sense.

But my understanding is disturbed when I try to submit a request for new user with only one role with "ASSIGN" provisioning action. This role by itself clean.

But after submitting the request, I get below message:

"Account validation  is ignored for system ABC due to conflicting actions"

When I am sure that role does not have any conflicting actions and that user is not there in back end system to cause any violations with "existing" roles/action, I am not sure why I am getting this message!

Can anybody help me understand this better?

I am quite sure about application's behavior if I use "Account Validation Check" option. But this message:

"Account validation  is ignored for system ABC due to conflicting actions"

simply troubling me!

Please advise.

Regards,

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

alessandr0
Active Contributor
‎06-10-2014 7:42 AM
0 Kudos

Hi Faisal,

when you submit a request the application can validate the user account and provide a warning or error message before the user proceeds with the request:

  • For request type New, a warning or error message is provided if the account already exists.
  • For request types Change, Delete, Lock, Unlock, a warning or error message is provided if the account does not exist.


Basically the application performs two checks:

  • If the target connector is working properly
  • If the user exists in the target system. E.g. if the user exists in the target system, the application does not create a request for user creation as mentioned above.

Hope this helps to understand.

Regards

Alessandro

Show replies
Show replies
former_member184114
Active Contributor
‎06-10-2014 8:09 AM
0 Kudos

Dear Alessandro,

Thanks for your reply.





    

  • For request type New, a warning or error message is provided if the account already exists.
    •

This I have checked. I have raised a request for my user id which is already available in the back end system. But it simply accepted this request and workflow is triggered!

What i was expecting that, as you said, it should check if already user exists. If it exists, then throw an error or warning based upon the configuration.

But the application is duly validating a user existence in back end system in case of RETAIN or REMOVE actions. If user does not exist, it gives error message (which is my current configuration)

But for new account, I dont know why it is not giving this error!

Secondly, the message "Account Validation is ignored for system ABC due to conflicting actions" is misleading!

Anybody who sees this message gets the understanding that "Account Validation" id not done because there are conflicts in the role(s). As I mentioned before, I simply selected a "CLEAN" role which does not have any violations!

FYI...

I am using "ASSIGN OBJECTS" action ONLY for New account and change account request types

CAn you advise please?

Regards,

Faisal

alessandr0
Active Contributor
‎06-10-2014 8:22 AM
0 Kudos

Hi Faisal,

okay - I see. It will be realized later but not restricting you from submitting the request.

Can you check note 2003093. I assume this is what you are looking for.

Regards,

Alessandro

former_member184114
Active Contributor
‎06-10-2014 4:28 PM
0 Kudos

Dear Alessandro,

Thanks for your reply.

Okay, so I need to add "Create User" and "Change User" for request types: "New Account" and "Change Account" respectively.

I have done the same and it working as per note's expectation.

One new Discovery!

I selected "New Account" request type and then in "Add" button, I could see "Roles" and "System". There are several possibilities here:

1. A user may not add system and simply add role - This is controlled by "Account Validation Check".

    Gives error in this scenario (User XYZ does not exist in the system..)

2. A User may not add role but add system only - This is controlled by the error message at the time of

   request submission (At least select one role....)

3. A user may add both a system and a role. But provisioning actions for role are: ASSIGN, REMOVE and RETAIN. By default, it is ASSIGN. If a user (negative) selects "REMOVE" for any role (For system line item, this is only "CREATE" which is good) and submits the request, application does not object on this and it let request get submitted. Ideally/logically, it should only show "ASSIGN" provisioning action for new account request type.

At the completion of request workflow, what happens is that, user id gets created and user receives email notification with his new initial password. But role is not assigned (Because, "REMOVE" action was selected). Do we  have any control for this? I mean can I only display "ASSIGN" provisioning action for "New Account" request type?

Same goes with "CHANGE ACCOUNT" request type.

Can you Please advise?

Regards,

Faisal

Answers (1)

Answers (1)

former_member204204
Active Participant
‎06-10-2014 8:59 AM
0 Kudos

HI Faisal,

You will get "Account Validation check is ignored for conflicting actions" when you check either of the box "Assign Role Action" or "Create User" in Provisioning settings. If these options are checked then the account validation does not takes place and it throws a pop up that account validation was ignored.

So uncheck both the option and check the Account Validation option. Also you need to select the system line item in order to validate whether the user is exsiting in the backend or not at the time of submitting the request.

Regards,

Neeraj

Show replies
Show replies
former_member184114
Active Contributor
‎06-10-2014 5:12 PM
0 Kudos

Hi Neeraj,

Thanks for your reply.





You will get "Account Validation check is ignored for conflicting actions" when you check either of the box "Assign Role Action" or "Create User" in Provisioning settings. If these options are checked then the account validation does not takes place and it throws a pop up that account validation was ignored.

I am confused with this logic of application! I sincerely request you to kindly share the logic behind keeping this feature like this, if possible. I really do not see any value added feature!

I would like to know the "real" purpose of this.

Yes, we can add a line item for system. But I did not want select system separately as selecting a role would implicitly create the user in that respective system to which role belongs.

Therefore, I went ahead with "Assign Object" request action. But seems that it is creating lot of confusion!

Please help me understand this.

Regards,

Faisal

former_member204204
Active Participant
‎06-10-2014 6:44 PM
0 Kudos

Hi Faisal,

Suppose you have different workflows for New and Change account and you don't want a new user to submit a request with change account type then you can restrict him by using this settings.

In 5.3 there was no system line item and the application was validating fine against role line items

But in 10 if you do not select the system line item then the validation does not take place.

Hope you got some idea now.

Regards,

Neeraj

Ask a Question