01/07/2024 11:49 PM
Hi,
AD access import jobs seem to occasionally delete account-entitlements from the Saviynt database even though the group memberships are not deleted from AD. We noticed the issue when running incremental AD access import jobs every 30 minutes during the daytime and a full AD access import job at nighttime. When this happens, the number of deleted account-entitlements is written to the AD access import job log like this:
In every case the nightly full access import job restored the incorrectly deleted account-entitlements, but this still causes some issues, because after the bad access import job Saviynt doesn't have a correct view of the user's AD entitlements, which may cause issues with access requests, birthright roles, etc.
I'm wondering if this is a known issue and if any configuration in AD connection can cause behavior like this.
best regards,
Sampo
01/08/2024 06:58 PM
Do you see any errors in the logs, and what type of import is done, incremental or full?
01/09/2024 06:40 AM
Hi @Sampo
As discussed,
Please change the incremental job interval to more than 1 hr and see whether the issue occurs again or not.
Thanks
Darshan
01/23/2024 02:24 AM
The incremental AD access import job is currently not scheduled, but account-entitlements are deleted also when it's run manually just once a day, so I think the issue is not related to the schedule of the job.
01/23/2024 06:27 AM
Okay, please raise a support ticket when it happens and also capture the logs so that we can troubleshoot.
Thanks
Darshan
02/07/2024 07:16 AM
02/07/2024 07:42 PM
In Active Directory (AD), the "memberHash" attribute refers to a hashed representation of the distinguished names (DNs) of the members of a group. This attribute is used primarily for optimization purposes, especially in large Active Directory environments where groups might contain numerous members.
When a group's membership is calculated or queried, AD can use the memberHash attribute to quickly determine whether a given object is a member of the group without having to resolve the full distinguished name of each member.
The memberHash attribute is not directly editable by administrators and is managed internally by Active Directory. It is part of the underlying mechanisms that help optimize group membership operations within the Active Directory environment.