
AD Connector - unable to reconcile account Locked State from lockoutTime attribute in AD

yogesh2
Regular Contributor

We have an attribute in AD called "lockoutTime". This attribute specifies the date and time (in UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.

So for normal unlocked accounts this is either 0 or not set (null), but for locked accounts this can be any non-zero integer value like 133602375031301335 (this is not fixed).

How can we reconcile this value to saviynt?

Currently we have defined STATUS_THRESHOLD_CONFIG like this, but this doesn't work as Saviynt considers the default status as "unlocked":

{
    "statusAndThresholdConfig": {
        "statusColumn": "customproperty32",
        "activeStatus": [
            "512",
            "544",
            "66048"
        ],
        "inactiveStatus": [
            "546",
            "514",
            "66050"
        ],
        "deleteLinks": false,
        "accountThresholdValue": 1000,
        "correlateInactiveAccounts": true,
        "inactivateAccountsNotInFile": false,
        "lockedStatusColumn": "customproperty56",
        "lockedStatusMapping": {
            "Unlocked": ["0"]
        }
    }
}

(customproperty56 in the above example is mapped to the lockoutTime attribute in AD)

So we need to have a condition such that any value greater than 0 or other than 0 should be considered locked. But the configuration in the connector only allows specifying a set of values to consider as locked, which is basically infinite. How can we add such a condition for the locked status like this? I am unable to find such a use case in the documentation.

"Locked":[">0"] // or something like this

Dhruv_S
Saviynt Employee

@yogesh2 

Have you tried using the sample provided in the JSON, which is like below?

{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty17",
    "activeStatus": [
      "512",
      "544",
      "66048"
    ],
    "inactiveStatus": [
      "546",
      "514",
      "66050"
    ],
    "deleteLinks": false,
    "accountThresholdValue": 50,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false,
    "lockedStatusColumn": "customproperty17",
    "lockedStatusMapping": {
      "Locked": [
        "1"
      ],
      "Unlocked": [
        "0"
      ]
    }
  }
}

I can see a similar format used by others as well, as in the link below.

Solved: "ACCOUNT_TERMINATION_ACTION" missing in LDAP/AD co... - Saviynt Forums - 90186

Regards,

Dhruv Sharma

yogesh2
Regular Contributor

We have tried, it is not working for us as a locked account doesn't always have "1" in the lockoutTime attribute.

For the post you have linked, maybe they were not concerned with the lock status and were using the standard JSON from the documentation. Even their question is for a different issue. 

Dhruv_S
Saviynt Employee

Hi @yogesh2 

In the above JSON, have you mapped the attribute customproperty17 to the lockedstatus attribute from AD? Please do the same and use the JSON like below. Please confirm whether the status and lockoutTime are getting reconciled.

Sample1

"lockedStatusColumn": "customproperty17",
"lockedStatusMapping": {
    "Locked": ["1"],
    "Unlocked": ["0"]
}

Sample2

"lockedStatusColumn": "customproperty17",
"lockedStatusMapping": {
    "Unlocked": ["0"]
}

yogesh2
Regular Contributor

I am reconciling the lockoutTime attribute into accounts.customproperty56, and the locked status column is mapped to customproperty56 as well:

//ACCOUNT_ATTRIBUTE mapping
customproperty56::lockoutTime#number,

//status_config_json
"lockedStatusColumn": "customproperty56",
"lockedStatusMapping": {
    "Locked": ["1"],
    "Unlocked": ["0"]
}

and it is getting reconciled into Saviynt, but the locked status is always 2 for all accounts, i.e. unlocked:

[Screenshot: yogesh2_0-1716355633711.png]
The third account should be locked as CP56>0 but is not locked.

Dhruv_S
Saviynt Employee

Hi @yogesh2 

Thank you for the quick response. So, the issue is related to the locked/unlocked status now. Please try with the below JSON, keeping only the unlocked status.

"lockedStatusMapping": {
    "Unlocked": ["0"]
}

yogesh2
Regular Contributor

Unfortunately, I have already tried this, see the JSON of my original post.

Dhruv_S
Saviynt Employee

Hi @yogesh2 

Please try the below. 

Use a preprocessor to store the value of another customproperty (for example cp17) as 1 or 0 based on an if/else condition: if cp56 is 0 then cp17 will be 0; if cp56 > 0 then cp17 will be 1.

Then use cp17 in lockedStatusColumn.

Regards,

Dhruv Sharma

yogesh2
Regular Contributor

Does preprocessor work for accounts' customproperties? We are not importing users here.

Dhruv_S
Saviynt Employee

No, the preprocessor won't work in this case then.

Use an enhanced query.


Regards,
Rushikesh Vartak

yogesh2
Regular Contributor

Solved this using an enhanced query job:

SELECT
	A.ACCOUNTKEY AS ACCOUNTS__PRIMARYKEY,
	1 AS ACCOUNTS__LOCKEDSTATE
FROM
	ACCOUNTS A
	LEFT JOIN ENDPOINTS E ON E.ENDPOINTKEY = A.ENDPOINTKEY
WHERE
	E.ENDPOINTNAME = 'ACTIVE DIRECTORY'
	AND A.STATUS != 'SUSPENDED FROM IMPORT SERVICE'
	AND A.CUSTOMPROPERTY56 > 0
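As an added example that is not from this thread and not Saviynt's own code: the lockoutTime semantics described in the opening post (100-nanosecond ticks since 1601-01-01 UTC, with 0 or null meaning not locked) and the rule the enhanced query above applies (CUSTOMPROPERTY56 > 0 means locked) worked through in Python. The row fields, the endpoint name and status filter, and the LOCKEDSTATE values 1 = locked / 2 = unlocked are taken from what this thread shows; the "ACTIVE" status label, the sample rows and SAMPLE_NOW are constructed. The optional lockout-duration check is an assumption added here: AD clears a lockout once the domain's lockoutDuration has elapsed but does not reset lockoutTime until the next successful logon, so a non-zero value on its own can overstate the live lock state. Note also that the query above only ever writes LOCKEDSTATE = 1; the in-memory version maps 0/null back to 2 as well, so an account unlocked in AD does not stay flagged as locked.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

# Windows FILETIME epoch (1601-01-01 UTC); lockoutTime counts 100-nanosecond ticks from here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LOCKEDSTATE values as used in this thread: 2 = unlocked, 1 = locked.
LOCKED = 1
UNLOCKED = 2

# Constructed "current time" for the examples below (not from the thread).
SAMPLE_NOW = datetime(2024, 5, 15, 10, 0, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a lockoutTime value (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    if ticks < 0:
        raise ValueError("lockoutTime cannot be negative")
    # 10 ticks per microsecond; sub-microsecond precision is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_lockout_time(raw: Optional[Union[int, str]]) -> int:
    """Normalise the reconciled customproperty: null or empty means never locked (0)."""
    if raw is None:
        return 0
    text = str(raw).strip()
    if text == "":
        return 0
    if not text.isdigit():
        raise ValueError("unexpected lockoutTime value: %r" % (raw,))
    return int(text)


def locked_state(raw: Optional[Union[int, str]],
                 now: Optional[datetime] = None,
                 lockout_minutes: Optional[int] = None) -> int:
    """Derive LOCKEDSTATE from lockoutTime: any value > 0 is locked, 0/null is unlocked.

    If `now` and `lockout_minutes` (the domain's lockoutDuration, an assumed input here)
    are given, a lockout older than that window is treated as expired, because AD
    auto-unlocks after lockoutDuration but leaves lockoutTime non-zero until the next
    successful logon.
    """
    ticks = parse_lockout_time(raw)
    if ticks == 0:
        return UNLOCKED
    if now is not None and lockout_minutes is not None:
        if now - filetime_to_datetime(ticks) >= timedelta(minutes=lockout_minutes):
            return UNLOCKED
    return LOCKED


def reconcile_locked_state(rows: List[dict],
                           now: Optional[datetime] = None,
                           lockout_minutes: Optional[int] = None) -> Dict[int, int]:
    """In-memory equivalent of the enhanced query's WHERE clause; returns {ACCOUNTKEY: LOCKEDSTATE}.

    Unlike the query, which only writes LOCKEDSTATE = 1, this also maps 0/null back to 2.
    """
    result: Dict[int, int] = {}
    for row in rows:
        if row["ENDPOINTNAME"] != "ACTIVE DIRECTORY":
            continue
        if row["STATUS"] == "SUSPENDED FROM IMPORT SERVICE":
            continue
        result[row["ACCOUNTKEY"]] = locked_state(row["CUSTOMPROPERTY56"], now, lockout_minutes)
    return result


# Constructed sample rows ("ACTIVE" is a placeholder status label); row 3 carries the
# lockoutTime value quoted in the opening post, rows 4 and 5 are filtered out like the query does.
SAMPLE_ROWS = [
    {"ACCOUNTKEY": 1, "ENDPOINTNAME": "ACTIVE DIRECTORY", "STATUS": "ACTIVE", "CUSTOMPROPERTY56": "0"},
    {"ACCOUNTKEY": 2, "ENDPOINTNAME": "ACTIVE DIRECTORY", "STATUS": "ACTIVE", "CUSTOMPROPERTY56": None},
    {"ACCOUNTKEY": 3, "ENDPOINTNAME": "ACTIVE DIRECTORY", "STATUS": "ACTIVE", "CUSTOMPROPERTY56": "133602375031301335"},
    {"ACCOUNTKEY": 4, "ENDPOINTNAME": "ACTIVE DIRECTORY", "STATUS": "SUSPENDED FROM IMPORT SERVICE", "CUSTOMPROPERTY56": "133602375031301335"},
    {"ACCOUNTKEY": 5, "ENDPOINTNAME": "OTHER ENDPOINT", "STATUS": "ACTIVE", "CUSTOMPROPERTY56": "133602375031301335"},
]

if __name__ == "__main__":
    print(filetime_to_datetime(133602375031301335).isoformat())
    print(reconcile_locked_state(SAMPLE_ROWS))
    print(reconcile_locked_state(SAMPLE_ROWS, now=SAMPLE_NOW, lockout_minutes=30))
```

The threshold rule lives in one place (locked_state), so the same logic can back either an enhanced query or a later post-processing step; the lockout-duration window should come from the domain's actual policy if it is used at all.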