Click HERE to see how Saviynt Intelligence is transforming the industry. |
09/11/2023 09:13 AM - edited 09/11/2023 09:23 AM
Hello Team,
Hope you're doing well!
We have an Active Directory application, we're facing issue in importing the accounts properly.
When a user account is in Manually Suspended state, after the import completion it should change the account status to Suspended from Import Services but it's not changing the status.
PFA the Account attribute JSON and let me know what could be the issues and how can we resolve this?
We were having following attributes in our previous JSON (which was failing) : CUSTOMPROPERTY32::objectGUID#Binary,RECONCILATION_FIELD::CUSTOMPROPERTY32
And currently we're having following (Suggested on the FD request, but is still failing in Production) : CUSTOMPROPERTY32::objectGUID#Binary,RECONCILATION_FIELD::name
Regards,
Suyash
09/11/2023 01:15 PM
Hi @Suyash_Badnore1 ,
If you want the status to be changed from "Manually Suspended" to "Suspended From Import Service", you need to :
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
This way the inactive accounts are not part of the import and they should be set to "SUSPENDED FROM IMPORT SERVICE" as this status means it was not recovered by the filter from the target application.
09/11/2023 01:36 PM
Hi @adriencosson ,
Actually we have 3 use cases here.
1. Account Active where it's showing status as Active.
2. Inactive Account where it's showing status as InActive.
3. When account is deleted after 30 days it should change status to "SUSPENDED FROM IMPORT SERVICE" .
So, in our case 3rd scenario is not working as expected.
Please suggest something on this?
Regards,
Suyash
09/11/2023 02:55 PM
Hi @Suyash_Badnore1,
Got it, so that means you reconcile all accounts, whatever their status.
You can keep your OBJECTFILTER if it retrieves the accounts when they are in Active are Inactive state.
You may need to configure the STATUS_THRESHOLD_CONFIG attribute like below to enable setting missing / deleted accounts as SUSPENDED FROM IMPORT SERVICE :
{
"statusAndThresholdConfig": {
"statusColumn": "customproperty30",
"deleteLinks": false,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
}
}
Adjust the accountThresholdValue attribute as per need.
Reference documentation : https://docs.saviyntcloud.com/bundle/WD2-v23x/page/Content/Importing-Accounts-and-Access.htm
09/11/2023 04:56 PM
Configure Status config
{
"statusAndThresholdConfig": {
"statusColumn": "customproperty17",
"activeStatus": [
"512",
"544",
"66048"
],
"inactiveStatus": [
"546",
"514",
"66050"
],
"deleteLinks": false,
"accountThresholdValue": 1000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false,
"lockedStatusColumn": "customproperty17",
"lockedStatusMapping": {
"Locked": [
"1"
],
"Unlocked": [
"0"
]
}
}
}
inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set totrue, accounts that are not imported during import are marked as inactive. The default value is false.
Document for details:
Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.
09/11/2023 06:43 PM
Please share current status threshold config
09/12/2023 07:54 AM
Hi @adriencosson , @dgandhi , @rushikeshvartak ,
PFB the status threshold config we're using, and let me know if anything missing in this?
{
"statusAndThresholdConfig": {
"statusColumn": "customproperty28",
"activeStatus": ["512", "544", "1049088", "66048"],
"deleteLinks": true,
"accountThresholdValue": 35000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
}
}
Regards,
Suyash
09/18/2023 08:39 AM
Hi Team,
Could you please reply with some solution/changes on this?
Regards,
Suyash
09/26/2023 09:31 AM
Can you check the logs close to the Job End to see why the accounts that are not in feed are not getting inactivated. The logs should give the idea on why its not processing.