
Active Directory Endpoint Filtering resulting in creating duplicate entitlements

sandeepgudipudi
New Contributor III

We have AD groups and have begun using endpoint filtering on our AD connector.

However, this has had the result of creating duplicate entitlements: entitlement values are imported in one group and accounts are imported in the other group.

14 REPLIES

NM
Regular Contributor III

Hi @sandeepgudipudi, share the groupimportmapping JSON.

sandeepgudipudi
New Contributor III

Group import JSON:

{"importGroupHierarchy":"true","entitlementTypeName":"memberOf","performGroupAccountLinking":"true","incrementalTimeField":"whenChanged","groupObjectClass":"(objectclass=group)","mapping":"memberHash:member_char,customproperty1:sAMAccountType_char,customproperty2:instanceType_char,customproperty3:uSNCreated_char,customproperty4:groupType_char,customproperty5:dSCorePropagationData_char,customproperty12:dn_char,customproperty13:cn_char,lastscandate:whenCreated_date,customproperty15:managedBy_char,description:description_char,displayname:name_char,customproperty9:name_char,customproperty10:objectCategory_char,customproperty11:sAMAccountName_char,entitlement_value:distinguishedName_char,entitlementid:distinguishedName_char,customproperty14:objectClass_char,updatedate:whenChanged_date,customproperty17:distinguishedName_char,RECONCILATION_FIELD:customproperty18,customproperty18:objectGUID_Binary","activeGroupPossibleValues":[],"entitlementOwnerAttribute":"managedBy","tableFieldAttribute":"comments"}

endpoint_filter

{
"Application Role Provisioning (SOX in-scope)":
[{"memberOf":
["CN=All-Juniper-PSFT-Users,OU=MIM-Static,OU=Distribution Lists,OU=Common,DC=jnpr,DC=net",
"CN=Domain Admins,OU=T0-Admins,OU=T0-Groups,OU=Tier 0,OU=Admin,DC=jnpr,DC=net",
"CN=Schema Admins,OU=T0-Admins,OU=T0-Groups,OU=Tier 0,OU=Admin,DC=jnpr,DC=net",
"CN=%,OU=SOX in-scope,OU=Access-Control,OU=Groups,OU=Common,DC=jnpr,DC=net"]
}
]
}

Can you remove special characters from the endpoint name?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

@sandeepgudipudi : Are both groups Active? Can you share the entitlementID value for both groups? 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Entitlement values for both are the same:

CN=Domain Admins,OU=T0-Admins,OU=T0-Groups,OU=Tier 0,OU=Admin,DC=jnpr,DC=net

Share the output of the query below from Data Analyzer:

select entitlementid,entitlement_value,status, entitlement_valuekey from entitlement_values where entitlement_value in ()

Regards,
Rushikesh Vartak

@sandeepgudipudi : I am looking for EntitlementID value, please share the output of the SQL query Rushi shared.

select entitlementid,entitlement_value,status, entitlement_valuekey, job_id from entitlement_values where entitlement_value in ('xxxx')


Regards,
Saathvik

Here is the output for the query.

Inactive entitlement without entitlement from UI


Regards,
Rushikesh Vartak

We inactivated 1 entitlement and on the next run it got activated.

  • Append -old to entitlement and make inactive

Regards,
Rushikesh Vartak

sandeepgudipudi
New Contributor III

This is production and we can't remove special characters from the endpoint name; if we remove them, it will create a new endpoint.

Is there any limitation/restriction on the endpoint naming convention?

You can validate the same in a lower environment.


Regards,
Rushikesh Vartak

It's validated in the lower environment and duplicate entitlements are not created.
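
A pre-check in the spirit of the suggestions above, added here as an example and not part of the original thread or of Saviynt's tooling: it flags endpoint names in an endpoint_filter that contain special characters and finds entitlement values that map to more than one entitlement_valuekey. The allow-list of safe characters, the function names and all sample data are assumptions constructed for the demonstration; rows are assumed to come from a single endpoint.

```python
import json
import re
from collections import defaultdict

# Assumption: letters, digits, spaces and underscores are the safe set for
# endpoint names; the thread does not state which characters cause trouble.
UNSAFE_CHAR = re.compile(r"[^A-Za-z0-9_ ]")

# Constructed sample data: the first endpoint name is the one from the thread,
# the second endpoint and the example.com DNs are made up.
DA = "CN=Domain Admins,OU=Example,DC=example,DC=com"
HD = "CN=Helpdesk,OU=Example,DC=example,DC=com"
SAMPLE_FILTER = json.dumps({
    "Application Role Provisioning (SOX in-scope)": [{"memberOf": [DA]}],
    "AD Privileged Groups": [{"memberOf": [HD]}],
})

# Constructed rows shaped like the entitlement_values query output,
# assumed to belong to one endpoint.
SAMPLE_ROWS = [
    {"entitlementid": DA, "entitlement_value": DA,
     "status": 1, "entitlement_valuekey": 1001},
    {"entitlementid": DA, "entitlement_value": DA,
     "status": 1, "entitlement_valuekey": 2002},
    {"entitlementid": HD, "entitlement_value": HD,
     "status": 1, "entitlement_valuekey": 3003},
]

def risky_endpoint_names(endpoint_filter_json):
    """Map each endpoint name to the sorted characters outside the allow-list."""
    findings = {}
    for name in json.loads(endpoint_filter_json):
        bad = sorted(set(UNSAFE_CHAR.findall(name)))
        if bad:
            findings[name] = bad
    return findings

def duplicate_entitlements(rows):
    """Return entitlement values that appear under more than one valuekey."""
    keys = defaultdict(set)
    for row in rows:
        # AD compares DNs case-insensitively, so fold case before grouping.
        keys[row["entitlement_value"].casefold()].add(row["entitlement_valuekey"])
    return {value: sorted(k) for value, k in keys.items() if len(k) > 1}

if __name__ == "__main__":
    print(risky_endpoint_names(SAMPLE_FILTER))
    print(duplicate_entitlements(SAMPLE_ROWS))
```

Duplicate rows for a privileged group such as Domain Admins matter for access reviews: accounts linked to one copy of the entitlement can be missed when the other copy is the one being certified.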