
DB Connector - XML schema for Entitlement and Account import JSON

Community_User
Saviynt Employee
Originally posted on February 17 2020 at 14:40 UTC

Hello,

Is there any place where we could get the exact XML Schema for Entitlement and Accounts import JSON in the DB connector?

I am particularly looking for all the available attributes of the <mapper> element, their possible values and what they actually do.

For example, for accounts:

  • accountnotinfileaction: noaction / suspend / (other value?) - defines what is done if the account is not found in the new import
  • deleteaccountentitlement: true/false - If true, delete the account-entitlement associations before loading the new values
  • ifusernotexists: noaction / (other value?)

The documentation is unfortunately not helpful here 😞

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on February 17 2020 at 20:29 UTC

Thanks for posting this! I am working through this configuration right now and also have the same questions.


Community_User
Saviynt Employee
Originally posted on February 18 2020 at 06:53 UTC

Hi Fabrice,


  • accountnotinfileaction: noaction/suspend - this configuration is to mark accounts as inactive if they are not found in the import. This does not apply to the first import, as all the accounts are new for the system. In the subsequent imports, if an account is not found then:
    • No Action - will do nothing with the account status
    • Suspend - will mark the account status as 'Suspended for Import Service'
  • deleteaccountentitlement: true/false
    • True - This will delete all the account entitlement associations and whatever comes in the load is kept in the system.
    • False - This will append the new ones and not remove the ones which were not part of the load.
  • ifusernotexists: noaction / create - This action is to create a user (identity) in the system if it does not exist. On an endpoint, Saviynt's default user-account correlation rule is accountname to username, so in this scenario, if this is set to 'create' and the username matching an account does not exist, then the system will create a new user; on 'noaction' it will not create a user but the account will be imported. The recommendation here is to keep it at noaction, but this can vary as per your use case.


For entitlements import there is one in the mapper section:

  • deleteentitlementowner : true/false - this is used to manipulate the entitlement owner data
    • True - will remove old ones and keep the new ones only
    • False - will only add and not remove


Thanks


Community_User
Saviynt Employee
Originally posted on February 18 2020 at 09:52 UTC

Please find below details of mapper attributes.


Mapper Attribute, Value, Definition:

  • accountnotinfileaction
    • Suspend
      1. Update an account status = "SUSPENDED FROM IMPORT SERVICE"
      2. Account name updated with username + "-Deleted on-<currentdate>"
      Note: addOnlyMode value should not be true.
    • delete
      1. Delete all entitlements of an account in SSM.
      2. Delete Account and its association from a User in SSM.
  • deleteaccountentitlement
    • true - Delete all entitlements of an account in SSM.
    • false - No action
  • ifusernotexists
    • Create - If account's associated user not found in SSM then create a new User.
  • addOnlyMode
    • true - Below operation would not be allowed to perform
      1) Update/Delete account's User-Account association
      2) Delete all Entitlements of an account
      3) Account suspension
  • date
    • date - incrementalcolumn attribute value format would be "dd-MMM-yy"
    • timestamp - incrementalcolumn attribute value format would be timestamp.

Account and assigned entitlements import sample:


<dataMapping>
  <before-import>
  </before-import>

  <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="name" incrementalcolumn="updatedate">
    <![CDATA[
      select * from dbaccountimport
    ]]>
  </sql-query>

  <mapper description="This is the mapping field for Saviynt Field name" ifusernotexists="create" date="timestamp">
    <mapfield saviyntproperty="accounts.name" sourceproperty="accountname" type="character"></mapfield>
    <mapfield saviyntproperty="securitysystems.systemname" sourceproperty="securitysystem" type="character"></mapfield>
    <mapfield saviyntproperty="endpoints.endpointname" sourceproperty="endpoint" type="character"></mapfield>
    <mapfield saviyntproperty="entitlementtypes.entitlementname" sourceproperty="entitlementtype" type="character"></mapfield>
    <mapfield saviyntproperty="entitlementvalues.entitlementvalue" sourceproperty="entitlementvalue" type="character"></mapfield>
    <mapfield saviyntproperty="users.username" sourceproperty="username" type="character"></mapfield>
    <mapfield saviyntproperty="accounts.status" sourceproperty="status" type="character"></mapfield>
    <mapfield saviyntproperty="account_entitlements1.access" sourceproperty="securitysystem" type="character"></mapfield>
  </mapper>

  <after-import description="EMAIL,BATCH,SQL">
  </after-import>
</dataMapping>

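An added example, not part of the original thread and not Saviynt code: a small Python check that reads a dataMapping document and lists the mapper settings that, according to the two replies above, delete, suspend or create objects during an import. The sample XML is constructed from the thread's sample with accountnotinfileaction and deleteaccountentitlement added, and matching attribute names and values case-insensitively is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's account-import mapping, trimmed, with
# accountnotinfileaction and deleteaccountentitlement added for illustration.
SAMPLE = """<dataMapping>
  <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="name" incrementalcolumn="updatedate">
    <![CDATA[ select * from dbaccountimport ]]>
  </sql-query>
  <mapper description="This is the mapping field for Saviynt Field name" ifusernotexists="create" accountnotinfileaction="delete" deleteaccountentitlement="true" date="timestamp">
    <mapfield saviyntproperty="accounts.name" sourceproperty="accountname" type="character"></mapfield>
  </mapper>
</dataMapping>"""

# (attribute, value) -> effect, taken from the descriptions in the replies above.
RISKY = {
    ("accountnotinfileaction", "suspend"): "accounts missing from the load are suspended and renamed",
    ("accountnotinfileaction", "delete"): "accounts missing from the load are deleted with their entitlements",
    ("deleteaccountentitlement", "true"): "all existing account-entitlement associations are deleted",
    ("ifusernotexists", "create"): "a new user (identity) is created when no matching user exists",
    ("deleteentitlementowner", "true"): "existing entitlement owners are removed",
}

def review_mapper(xml_text):
    """Return (attribute, value, effect) findings for each <mapper> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for mapper in root.iter("mapper"):
        # Assumption: names and values are compared case-insensitively,
        # since the thread writes both "suspend" and "Suspend".
        attrs = {k.lower(): v.strip().lower() for k, v in mapper.attrib.items()}
        add_only = attrs.get("addonlymode") == "true"
        for (name, value), effect in RISKY.items():
            if attrs.get(name) != value:
                continue
            # Per the table, addOnlyMode=true disallows suspension and
            # entitlement deletion, so these settings conflict with it.
            if add_only and name in ("accountnotinfileaction", "deleteaccountentitlement"):
                effect = "conflicts with addOnlyMode=true, which disallows this operation"
            findings.append((name, value, effect))
    return findings

if __name__ == "__main__":
    for name, value, effect in review_mapper(SAMPLE):
        print(f"{name}={value}: {effect}")
```

Running it against a mapping before the import job is scheduled gives a reviewer the list of destructive or identity-creating settings to sign off on.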

Community_User
Saviynt Employee
Originally posted on February 18 2020 at 12:58 UTC

Thanks a lot Arpit and Pramor


Community_User
Saviynt Employee
Originally posted on February 18 2020 at 21:06 UTC

Follow-up question: how do before-import and after-import work?


Community_User
Saviynt Employee
Originally posted on August 25 2020 at 14:32 UTC

How to correlate a disabled account to a user? We are not able to correlate an inactive account to a user.


Community_User
Saviynt Employee
Originally posted on March 7 2022 at 16:21 UTC

How to disable entitlements associated with an entitlement type which no longer exists in the target DB?
