We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Active Directory : Account Import is Failing

Suyash_Badnore1
New Contributor III
New Contributor III

Hello Team,

 

Hope you're doing well!

 

We have an Active Directory application, we're facing issue in importing the accounts properly.

When a user account is in Manually Suspended state, after the import completion it should change the account status to Suspended from Import Services but it's not changing the status.

 

PFA the Account attribute JSON and let me know what could be the issues and how can we resolve this?

We were having following attributes in our previous JSON (which was failing) : CUSTOMPROPERTY32::objectGUID#Binary,RECONCILATION_FIELD::CUSTOMPROPERTY32

And currently we're having following (Suggested on the FD request, but is still failing in Production) : CUSTOMPROPERTY32::objectGUID#Binary,RECONCILATION_FIELD::name

 

Regards,

Suyash 

8 REPLIES 8

adriencosson
Regular Contributor III
Regular Contributor III

Hi @Suyash_Badnore1 ,

If you want the status to be changed from "Manually Suspended" to "Suspended From Import Service", you need to :

  • Update your OBJECTFILTER attribute to only fetch Active AD accounts (example below)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))​​

This way the inactive accounts are not part of the import and they should be set to "SUSPENDED FROM IMPORT SERVICE" as this status means it was not recovered by the filter from the target application.

Regards,
Adrien COSSON

Hi @adriencosson ,

 

Actually we have 3 use cases here.

1. Account Active where it's showing status as Active.

2. Inactive Account where it's showing status as InActive.

3. When account is deleted after 30 days it should change status  to "SUSPENDED FROM IMPORT SERVICE" .

 

So, in our case 3rd scenario is not working as expected.

Please suggest something on this?

 

Regards,

Suyash

adriencosson
Regular Contributor III
Regular Contributor III

Hi @Suyash_Badnore1,

Got it, so that means you reconcile all accounts, whatever their status.

You can keep your OBJECTFILTER if it retrieves the accounts when they are in Active are Inactive state.

You may need to configure the STATUS_THRESHOLD_CONFIG attribute like below to enable setting missing / deleted accounts as SUSPENDED FROM IMPORT SERVICE :

{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty30",
    "deleteLinks": false,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
   }
}

Adjust the accountThresholdValue attribute as per need.

Reference documentation : https://docs.saviyntcloud.com/bundle/WD2-v23x/page/Content/Importing-Accounts-and-Access.htm 

Regards,
Adrien COSSON

dgandhi
All-Star
All-Star

Configure Status config

{
"statusAndThresholdConfig": {
"statusColumn": "customproperty17",
"activeStatus": [
"512",
"544",
"66048"
],
"inactiveStatus": [
"546",
"514",
"66050"
],
"deleteLinks": false,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false,
"lockedStatusColumn": "customproperty17",
"lockedStatusMapping": {
"Locked": [
"1"
],
"Unlocked": [
"0"
]
}
}
}

  • inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set totrue, accounts that are not imported during import are marked as inactive. The default value is false.

Document for details:

https://docs.saviyntcloud.com/bundle/AD-v23x/page/Content/Configuring-the-Integration-for-Importing-...

 

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

rushikeshvartak
All-Star
All-Star

Please share current status threshold config


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Suyash_Badnore1
New Contributor III
New Contributor III

Hi @adriencosson , @dgandhi , @rushikeshvartak ,

 

PFB the status threshold config we're using, and let me know if anything missing in this?

{
"statusAndThresholdConfig": {
"statusColumn": "customproperty28",
"activeStatus": ["512", "544", "1049088", "66048"],
"deleteLinks": true,
"accountThresholdValue": 35000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
}
}

 

Regards,

Suyash

Suyash_Badnore1
New Contributor III
New Contributor III

Hi Team,

 

Could you please reply with some solution/changes on this?

 

Regards,

Suyash

Can you check the logs close to the Job End to see why the accounts that are not in feed are not getting inactivated. The logs should give the idea on why its not processing.


Regards,
Sahil