05/26/2024 10:48 PM
Hi Team,
We have a parent Active Directory P and we have 3 child endpoints C1, C2, C3.
Entitlement Account Operators is common for all endpoints and an account associated with it is SVC.
We can see SVC under the Account Operators entitlement in the Parent Endpoint.
We cannot see SVC under Account Operators in the Child endpoint.
What is the issue here? Any detailed explanation on how to manage
1) parent, child connections if we connect them as isolated endpoints in Saviynt
(or) 2) if we connect them as dependent endpoints through endpoint filter.
We have UAR going on and this is a very critical aspect; any response is highly appreciated.
05/26/2024 11:22 PM
Endpoint filter creates a new entitlement with the child endpoint and a reference to the parent endpoint. Make sure the entitlement has at least one account so that the entitlement can be filtered in the application. Certification done on the child will remove the parent entitlement mapping also.
05/26/2024 11:27 PM
We are not using endpoint filter in this scenario. In the target they are parent and child endpoints. But in Saviynt all the endpoints (parent and child) are integrated as an independent connection. So, in this case, what is the behaviour of entitlements and respective accounts in parent and child in Saviynt?
05/26/2024 11:39 PM
So it's always 1 connection, 1 security system, 1 endpoint? If yes, then there should not be any data issues.
05/26/2024 11:56 PM
Yes, supposedly, but in our case some service accounts which are common across endpoints are visible only in the parent endpoint and not the child endpoint. We have the below groupimportmapping JSON; we see that performgroupaccountlinking is to be set as true as per documentation, and we changed it in QA and ran the jobs, but still we don't see those accounts showing up. Anything else we see here?
{
"entitlementTypeName": "",
"performGroupAccountLinking": "false",
"importnestedmembershipoutofscope": "false",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"importGroupHierarchy": "true",
"mapping": "memberHash:member_char,customproperty1:sAMAccountType_char,customproperty2:instanceType_char,customproperty3:uSNCreated_char,customproperty4:groupType_char,customproperty5:dSCorePropagationData_char,customproperty6:whenCreated_date,customproperty8:isCriticalSystemObject_char,customproperty9:name_char,customproperty10:objectCategory_char,customproperty11:sAMAccountName_char,customproperty12:dn_char,customproperty13:cn_char,customproperty14:objectClass_char,customproperty17:objectGUID_Binary,customproperty18:distinguishedName_char,lastscandate:whenCreated_date,entitlement_glossary:description_char,status:isCriticalSystemObject_char,entitlement_value:distinguishedName_char,entitlementid:distinguishedName_char,updatedate:whenChanged_date,description:description_char,RECONCILATION_FIELD:customproperty17"
}
05/27/2024 12:04 AM
Which account is missing? Is it under the same object filter?
05/27/2024 03:42 AM
Account is SVC and the associated group/Entitlement is Account Operators. Now in the parent endpoint both show up.
In the Child endpoint, only the entitlement Account Operators shows up, but not the associated account SVC.
05/27/2024 09:30 AM
Please share the connection config. This looks like a configuration issue.