
Incremental Account Import is not changing AD account status to Inactive

Community_User
Saviynt Employee
Originally posted on October 1 2020 at 10:57 UTC

Hi,


I am not able to achieve the below requirement, can anyone please .


1. I want the status of the account to be inactive when my AD account is disabled. I am doing an incremental import, but the account status still remains active.


I have put in configurations for AD Connector as below:

Account_Attribute : [NAME::sAMAccountName#String,
DISPLAYNAME::displayName#String,
ACCOUNTID::distinguishedName#String,
UPDATEDATE::whenChanged#date,
CREATED_ON::whenCreated#date,
CUSTOMPROPERTY1::givenName#String,
CUSTOMPROPERTY2::sn#String,
CUSTOMPROPERTY3::initials#String,
CUSTOMPROPERTY4::employeeNumber#String,
CUSTOMPROPERTY5::description#String,
CUSTOMPROPERTY6::userPrincipalName#String,
CUSTOMPROPERTY7::userAccountControl#String]


Status_Threshold :
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty7",
    "activeStatus": ["512", "544"],
    "deleteLinks": false,
    "accountThresholdValue": 100000,
    "correlateInactiveAccounts": true
  }
}


2. Can I change the status of the account in Saviynt to Suspended from Import service only when target AD account is deleted?


3. Can I reconcile and map other attributes of an inactive AD account to Saviynt's user?

UserUpdateJSON:
{"distinguishedName":"${user.customproperty1}"}

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on October 1 2020 at 11:24 UTC

Hi Rituparna,


Greetings!!


Please find my answers inline:


1. I want the status of the account to be inactive when my AD account is disabled. I am doing an incremental import, but the account status still remains active.

I have put in configurations for AD Connector as below:

Account_Attribute : [NAME::sAMAccountName#String,
DISPLAYNAME::displayName#String,
ACCOUNTID::distinguishedName#String,
UPDATEDATE::whenChanged#date,
CREATED_ON::whenCreated#date,
CUSTOMPROPERTY1::givenName#String,
CUSTOMPROPERTY2::sn#String,
CUSTOMPROPERTY3::initials#String,
CUSTOMPROPERTY4::employeeNumber#String,
CUSTOMPROPERTY5::description#String,
CUSTOMPROPERTY6::userPrincipalName#String,
CUSTOMPROPERTY7::userAccountControl#String]


Anand: The configuration looks good, but could you please let us know the SSM version you are using? Additionally, I would recommend setting RECONCILATION_FIELD to ObjectGUID to track modifications for that object and to maintain the uniqueness of the object in SSM.


Status_Threshold :
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty7",
    "activeStatus": ["512", "544"],
    "deleteLinks": false,
    "accountThresholdValue": 100000,
    "correlateInactiveAccounts": true
  }
}


Anand: The configuration looks good. We need the SSM version details. Additionally/optionally, you could use the below control to mark the status of accounts as SUSPENDED FROM IMPORT SERVICE/INACTIVE.

"inactivateAccountsNotInFile"

InactivateAccountsNotInFile: Set to false to mark accounts deleted from the target as “SUSPENDED FROM ACCOUNT IMPORT”. If you want to retain the “INACTIVE” status for accounts deleted at the target, exclude this key-value pair.


2. Can I change the status of the account in Saviynt to Suspended from Import service only when target AD account is deleted?


Anand: Apart from deletion, this can be achieved in cases where you have moved the user to a different container which is not in scope of the import.


3. Can I reconcile and map other attributes of an inactive AD account to Saviynt's user?

UserUpdateJSON:
{"distinguishedName":"${user.customproperty1}"}


Anand: This JSON is meant for User Update provisioning and not for recon.


Thanks & Regards,

Anand Kumar Jha


Community_User
Saviynt Employee
Originally posted on October 1 2020 at 11:39 UTC

Hi Anand,


Thanks for the quick reply. We are using the 5.5SP2 version of SSM.

For Question #3, I am running the UserImport job to bring some attributes of the AD account into the User property, hence using the UpdateUserJSON. So the user's CP1 contains the DN of the AD account.

So my use case is: after the AD account gets disabled and is moved to OU=disabled, can I bring the new OU of the user into CP1?

Can you please elaborate on your answer for Question 2?

For Question 1, should I use the config as InactivateAccountsNotInFile : false? Will this make Saviynt's account status inactive during incremental import?


Community_User
Saviynt Employee
Originally posted on October 1 2020 at 12:00 UTC

Hi Rituparna,


This feature to bring inactive status of accounts in incremental import has been introduced in V6.0.

You could get in touch with your Saviynt counterpart executive for a patch for the same once it is released.

Until then, you could run a Full Accounts Import to bring in such status.


For User Attributes update in SSM as a part of User Import, I would recommend you to use User_ATTRIBUTE mapping in the connector.


UPDATEUSERJSON is used only for user update provisioning.


Regarding Point 2: let's say you have 2 containers/OUs in AD, OU=Users and OU=DeletedUsers, and you have set your SEARCHFILTER to OU=Users. Then it will mark the status of accounts coming from this container as Active/Inactive. Any account which is moved from OU=Users to OU=DeletedUsers (either on a termination or a disable operation) will be brought in as SUSPENDED FROM IMPORT SERVICE, because it is out of scope of our import.

Also, please make sure to add the below control in STATUS_THRESHOLD_CONFIG, i.e.

"inactivateAccountsNotInFile": false


Hope it helps.


Thanks & Regards,

Anand Kumar Jha


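The status rules discussed in this thread, modelled in Python as an added example (not Saviynt code and not from the original posts). It assumes the connector compares the statusColumn value to activeStatus by exact string match, and uses the standard AD userAccountControl flag bits to show which enabled accounts the posted list ["512","544"] would report as inactive. The sample accounts are constructed.

```python
# Added illustration: the exact-match rule is an assumption; status strings are from the thread.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set when the AD account is disabled
UAC_NAMES = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

# statusAndThresholdConfig values as posted, plus the key recommended in the reply.
CONFIG = {"statusColumn": "customproperty7", "activeStatus": ["512", "544"],
          "inactivateAccountsNotInFile": False}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_NAMES.items() if int(value) & bit]

def modelled_status(uac, in_scope, cfg=CONFIG):
    """Status as the thread describes it for a full import (model, not product code)."""
    if not in_scope:  # deleted, or moved outside the SEARCHFILTER container
        # Key set to false -> suspended; key absent -> INACTIVE (per the reply).
        # Any other value is treated like "absent" here, which is an assumption.
        if cfg.get("inactivateAccountsNotInFile") is False:
            return "SUSPENDED FROM IMPORT SERVICE"
        return "INACTIVE"
    return "ACTIVE" if str(uac) in cfg["activeStatus"] else "INACTIVE"

def audit(accounts, cfg=CONFIG):
    """In-scope accounts whose modelled status disagrees with the ACCOUNTDISABLE bit."""
    findings = []
    for name, uac, in_scope in accounts:
        if not in_scope:
            continue
        enabled_in_ad = not (int(uac) & ACCOUNTDISABLE)
        status = modelled_status(uac, in_scope, cfg)
        if enabled_in_ad != (status == "ACTIVE"):
            findings.append((name, uac, status, decode_uac(uac)))
    return findings

# Constructed rows: (sAMAccountName, userAccountControl, still inside the imported OU)
SAMPLE = [("alice", "512", True), ("bob", "514", True), ("carol", "544", True),
          ("svc-backup", "66048", True), ("dave", "514", False)]

if __name__ == "__main__":
    for name, uac, in_scope in SAMPLE:
        print(f"{name:12} {uac:>6}  {modelled_status(uac, in_scope)}")
    for finding in audit(SAMPLE):
        print("mismatch:", finding)
```
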

Community_User
Saviynt Employee
Originally posted on October 2 2020 at 16:48 UTC

Thanks a lot for your help, Anand.
