
AD entitlement import

Community_User (Saviynt Employee)
Originally posted on May 8 2020 at 16:19 UTC

We are running into an issue in our environment with importing AD groupImportMapping. The issue seems to be due to groups populated with users that our connection cannot see.


We are importing users from our Users OU. We have other OUs for service accounts and some higher-privilege accounts. Some of these groups may have users from these OUs in them and are causing issues on import.


Is there any way to filter out group membership that is brought back by OU? I'm not sure what field in our AD connector would need to get updated to perform this kind of action.

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User (Saviynt Employee)
Originally posted on May 11 2020 at 05:21 UTC

Hi Adam,


Greetings!!


Please find my answers inline.

We are running into an issue in our environment with importing AD groupImportMapping. The issue seems to be due to groups populated with users that our connection cannot see.


Saviynt is a governance tool, so we bring in the entire information of a group, which includes its attribute changes and associations. We do not provide any filter to bring selective/filtered data within the association information.


We are importing users from our Users OU. We have other OUs for service accounts and some higher-privilege accounts. Some of these groups may have users from these OUs in them and are causing issues on import. Is there any way to filter out group membership that is brought back by OU? I'm not sure what field in our AD connector would need to get updated to perform this kind of action.


To fulfil this requirement, you may perform the operations below, but with limited advantage:

1) Set "performGroupAccountLinking" and "importGroupHierarchy" to false in groupImportMapping. This will allow you to bring in only the group information (without member and memberOf) as part of the Full and Incremental Access import.

2) Allow the Full Account import to bring in the groups associated to an account that is within the scope of your filter (SearchFilter and ObjectFilter).

3) Any group membership change (addition/removal) to an account can be imported by the Full Account import only, and not by the Incremental Accounts import.

4) Account-specific attribute changes other than memberOf can be brought in via the Incremental Accounts import.

5) There could be scenarios where you find entitlements available outside the search scope of groupBaseDN. In such cases, if you do not want to perform any operation on those groups, you can control that feature using "Config for Requestable Entitlement in ARS", available at the entitlementType level for an endpoint.



Thanks & Regards,

Anand Kumar Jha


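The situation the thread describes (groups whose member DNs point at accounts the connector never imports) can be reproduced and checked offline. The script below is an added example, not Saviynt code and not part of the original thread. It assumes a hypothetical directory with a Users OU in the import scope and ServiceAccounts and Tier0 OUs outside it; every DN in it is constructed sample data. It classifies each group's member DNs against the account import scope (the equivalent of what SearchFilter/ObjectFilter lets the connector see) into in-scope, unmatched (inside the OU but not imported) and outside-base, and it builds the account-side memberOf view, which is the association a Full Account import carries and which by construction never references an out-of-scope account. DN comparison is component-wise, case-insensitive and escape-aware, because plain string matching on DNs produces spurious "orphan" members whenever spacing or case differs between the group's member attribute and the imported account.

```python
"""Scope AD group membership to the OUs an identity connector can see.

Added example (not Saviynt code). Accounts are imported from one OU (the
connector's filter scope); groups also contain members from other OUs that
are never imported. We classify every 'member' DN and build the account-side
'memberOf' view. All DNs below are constructed, hypothetical sample data.
"""
from dataclasses import dataclass, field


def _split_dn(dn: str) -> list:
    """Split a DN on unescaped commas; an escaped '\\,' inside a value is kept."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn: str) -> tuple:
    """Case-fold types and values and strip spaces around separators, so
    'CN=Bob, OU=Users' and 'cn=bob,ou=users' compare equal."""
    rdns = []
    for part in _split_dn(dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)


def dn_within(dn: str, base_dn: str) -> bool:
    """True if dn lies strictly below base_dn (component-wise suffix match)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


@dataclass
class GroupScopeReport:
    group_dn: str
    in_scope: list = field(default_factory=list)      # resolves to an imported account
    unmatched: list = field(default_factory=list)     # under the base DN but not imported
    outside_base: list = field(default_factory=list)  # other OU; connector never sees it


def scope_group_members(groups: dict, account_base_dn: str, imported_account_dns: list) -> dict:
    """Classify every 'member' DN of every group against the account import scope."""
    imported = {normalize_dn(d) for d in imported_account_dns}
    reports = {}
    for group_dn, members in groups.items():
        rep = GroupScopeReport(group_dn)
        for member in members:
            if not dn_within(member, account_base_dn):
                rep.outside_base.append(member)
            elif normalize_dn(member) in imported:
                rep.in_scope.append(member)
            else:
                rep.unmatched.append(member)
        reports[group_dn] = rep
    return reports


def member_of_by_account(groups: dict, imported_account_dns: list) -> dict:
    """Account-side view: the groups each imported account belongs to. This is
    what an account import's memberOf yields; it cannot reference accounts
    outside the import scope because only imported accounts appear as keys."""
    by_norm = {normalize_dn(d): d for d in imported_account_dns}
    result = {d: [] for d in imported_account_dns}
    for group_dn, members in groups.items():
        for member in members:
            key = normalize_dn(member)
            if key in by_norm:
                result[by_norm[key]].append(group_dn)
    return {acct: sorted(gs) for acct, gs in result.items()}


# Constructed sample data (hypothetical directory, not a real environment).
ACCOUNT_BASE_DN = "OU=Users,DC=corp,DC=example"
IMPORTED_ACCOUNT_DNS = [
    "CN=Alice Adams,OU=Users,DC=corp,DC=example",
    "CN=Bob Brown,OU=Users,DC=corp,DC=example",
    "CN=Smith\\, John,OU=Users,DC=corp,DC=example",  # escaped comma inside the RDN
]
GROUPS = {
    "CN=App-Admins,OU=Groups,DC=corp,DC=example": [
        "CN=Alice Adams,OU=Users,DC=corp,DC=example",
        "CN=svc-backup,OU=ServiceAccounts,DC=corp,DC=example",
        "cn=adm-carol,ou=Tier0,dc=corp,dc=example",
    ],
    "CN=Finance-Readers,OU=Groups,DC=corp,DC=example": [
        "CN=Bob Brown, OU=Users, DC=corp, DC=example",   # spacing variant of an imported DN
        "CN=Smith\\, John,OU=Users,DC=corp,DC=example",
        "CN=Disabled User,OU=Users,DC=corp,DC=example",  # in the OU but excluded by the filter
    ],
}

if __name__ == "__main__":
    for rep in scope_group_members(GROUPS, ACCOUNT_BASE_DN, IMPORTED_ACCOUNT_DNS).values():
        print(rep.group_dn)
        print("  in scope:    ", rep.in_scope)
        print("  unmatched:   ", rep.unmatched)
        print("  outside base:", rep.outside_base)
    for acct, gs in member_of_by_account(GROUPS, IMPORTED_ACCOUNT_DNS).items():
        print(acct, "->", gs)
```

Run it as a plain script; with the sample data, App-Admins shows two outside-base members (the service account and the Tier0 admin), Finance-Readers shows one unmatched member inside the Users OU, and the account-side view lists only the three imported accounts with their groups. Feeding it a real export of group member values and the DNs your account import actually returned gives you the list of memberships the group-side import will carry but the account-side import will not, which is the gap the reply above describes.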