
AD access import job occasionally deletes account-entitlements

Sampo
Regular Contributor

Hi,

AD access import jobs seem to occasionally delete account-entitlements from the Saviynt database even when the group memberships have not been deleted from AD. We noticed the issue when running incremental AD access import jobs every 30 minutes during the daytime and a full AD access import job at night. When this happens, the number of deleted account-entitlements is written to the AD access import job log like this:

[screenshot: AD access import job log showing the count of deleted account-entitlements]

 

In every case the nightly full access import job restored the incorrectly deleted account-entitlements, but this still causes some issues because after the bad access import job Saviynt doesn't have a correct view of the user's AD entitlements, which may cause issues with access requests, birthright roles, etc.

I'm wondering if this is a known issue and whether any configuration in the AD connection can cause behavior like this.

Best regards,

Sampo

6 REPLIES

rushikeshvartak
All-Star

Do you see any errors in the logs, and what type of import is done, incremental or full?


Regards,
Rushikesh Vartak

Darshanjain
Saviynt Employee

Hi @Sampo 

As discussed,

Change the incremental job timing to more than 1 hr and see if you are able to see the issue again or not.

 

Thanks

Darshan

Sampo
Regular Contributor

The incremental AD access import job is currently not scheduled, but account-entitlements are deleted also when it's run manually just once per day, so I think the issue is not related to the schedule of the job.

Darshanjain
Saviynt Employee

Okay, please raise a support ticket when it happens and also capture the logs so that we can troubleshoot.

 

Thanks

Darshan

Sampo
Regular Contributor

It looks like the incremental AD access import deleted access-entitlements for groups whose memberships had been modified (for example by provisioning access for a user).
 
I added the following config to the 'Active Directory' connection's groupImportMappings because it's mentioned in the example configs in the docs at docs.saviyntcloud.com/bundle/AD-v24x/page/Content/Configuring-the-Integration-for-Importing-Accounts...
 
memberHash:member_char
 
Saviynt's documentation doesn't clearly explain what it does, but maybe it makes Saviynt import group membership along with the group, and for some reason it only affects incremental import. I wasn't able to reproduce the issue in the dev env after making this change (with a couple of attempts). Do you know what this mapping does and whether the missing memberHash mapping could be the reason for this issue?
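The thread does not say what Saviynt's memberHash mapping actually does. The following is an added example, not Saviynt's code and not from the original post, of the general technique a practitioner would use to check the symptom described above: hash each group's membership so that a modified group is detected without treating its existing members as removed, and cross-check the deletions the incremental job reported against a fresh AD snapshot so that deletions of members still present in AD can be listed before the nightly full import repairs them. The snapshots, DNs and deletion list are constructed sample data, and the assumption that a member hash serves membership change detection is the example's own, not something the page documents.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

GroupSnapshot = Dict[str, Set[str]]  # group DN -> set of member DNs

# Constructed sample snapshots (not from the original thread): what two
# consecutive access import runs would see in AD for three groups.
SNAPSHOT_BEFORE: GroupSnapshot = {
    "CN=App-Admins,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=bob,OU=Users,DC=example,DC=com",
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=carol,OU=Users,DC=example,DC=com",
    },
    "CN=Finance-RO,OU=Groups,DC=example,DC=com": {
        "CN=dave,OU=Users,DC=example,DC=com",
    },
}

# After the run: carol was provisioned into App-Admins (membership modified,
# nobody removed) and dave was genuinely removed from Finance-RO.
SNAPSHOT_AFTER: GroupSnapshot = {
    "CN=App-Admins,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=carol,OU=Users,DC=example,DC=com",
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "cn=Alice,ou=Users,dc=example,dc=com",  # same member, different casing
        "CN=carol,OU=Users,DC=example,DC=com",
    },
    "CN=Finance-RO,OU=Groups,DC=example,DC=com": set(),
}

# Constructed list of account-entitlements an incremental job reported as
# deleted, as (account DN, group DN). Only dave's removal is real in AD.
REPORTED_DELETIONS: List[Tuple[str, str]] = [
    ("CN=alice,OU=Users,DC=example,DC=com", "CN=App-Admins,OU=Groups,DC=example,DC=com"),
    ("CN=bob,OU=Users,DC=example,DC=com", "CN=App-Admins,OU=Groups,DC=example,DC=com"),
    ("CN=dave,OU=Users,DC=example,DC=com", "CN=Finance-RO,OU=Groups,DC=example,DC=com"),
]


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: trim around commas and lower-case.
    Enough for the sample data; full RFC 4514 normalization is out of scope."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def member_hash(members: Iterable[str]) -> str:
    """SHA-256 over the sorted, normalized member DNs, so the hash depends only
    on the membership set and not on the order LDAP returned it in."""
    canonical = "\n".join(sorted(normalize_dn(m) for m in members))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _index(snapshot: GroupSnapshot) -> Dict[str, Set[str]]:
    """Re-key a snapshot by normalized group DN with normalized member DNs."""
    return {normalize_dn(g): {normalize_dn(m) for m in ms} for g, ms in snapshot.items()}


def changed_groups(before: GroupSnapshot, after: GroupSnapshot) -> List[str]:
    """Normalized DNs of groups whose membership hash differs between the two
    snapshots, including groups that appeared or disappeared entirely."""
    b, a = _index(before), _index(after)
    changed = []
    for g in sorted(set(b) | set(a)):
        hb = member_hash(b[g]) if g in b else None
        ha = member_hash(a[g]) if g in a else None
        if hb != ha:
            changed.append(g)
    return changed


def false_deletions(reported: List[Tuple[str, str]], ad_after: GroupSnapshot) -> List[Tuple[str, str]]:
    """Reported deletions whose member is still in the group in AD: these are
    the account-entitlements that should not have been removed."""
    a = _index(ad_after)
    return [(acct, grp) for acct, grp in reported
            if normalize_dn(acct) in a.get(normalize_dn(grp), set())]


if __name__ == "__main__":
    print("groups with changed membership:", changed_groups(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("deletions not backed by AD:", false_deletions(REPORTED_DELETIONS, SNAPSHOT_AFTER))
```

In a real check the two snapshots would come from an LDAP query of each group's member attribute around the time of the incremental run, and the reported deletions from the job log; any entry returned by false_deletions is a membership that Saviynt dropped while AD still holds it.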

rushikeshvartak
All-Star

In Active Directory (AD), the "memberHash" attribute refers to a hashed representation of the distinguished names (DNs) of the members of a group. This attribute is used primarily for optimization purposes, especially in large Active Directory environments where groups might contain numerous members.

When a group's membership is calculated or queried, AD can use the memberHash attribute to quickly determine whether a given object is a member of the group without having to resolve the full distinguished name of each member.

The memberHash attribute is not directly editable by administrators and is managed internally by Active Directory. It is part of the underlying mechanisms that help optimize group membership operations within the Active Directory environment.


Regards,
Rushikesh Vartak