05/14/2024 10:10 PM
Hi Team,
We have an AD account correlation rule based on employee ID and other attributes. Recently we ran into a situation where 30 K accounts were correlated to a user. This happened because all service accounts are categorized as Non Human in AD and also, for some business reasons, the employee ID of a user in the source was changed to Non Human, and when the user import happened, all service accounts were tagged to this user as the account and employee ID match.
I wanted suggestions to avoid this situation in the future from a Saviynt perspective.
- Can there be any workaround in the user account correlation rule, like an advanced query etc.?
- Restrict the emp ID format coming from source
- Any other suggestions
05/14/2024 10:27 PM
You can add a restriction in the endpoint - user correlation rule
05/14/2024 10:52 PM
Thank you Rushikesh. I understand from your response that we can add a restriction in the account correlation rule using advanced config, right?
Would you have a sample config to restrict the format of employee ID to accept a certain format or reject a certain format?
05/15/2024 08:06 PM
users.username=accounts.name # concat(users.lastname,left(users.firstname,2))=accounts.customproperty30
05/22/2024 12:18 AM
Thanks Rushikesh. We have something like below, but correlation is still not working properly. Any suggestions to modify the query?
case when user.employeeid not like ('%NonHuman%' or '%non human%') then accounts.customproperty20=user.employeeid or accounts.customproperty35=user.email
05/22/2024 10:33 PM
case when user.employeeid not like ('%NonHuman%' or '%non human%') then accounts.customproperty20=user.employeeid or accounts.customproperty35=user.email else accounts.customproperty40=user.customproperty40
05/31/2024 09:08 AM
Hi Rushikesh,
The above format isn't working, so I modified it to something like below. It's working.
case when users.employeeid not like '%Human%' then (accounts.customproperty1=users.employeeid) or (accounts.name=users.email) or (accounts.customproperty26=users.email) or (accounts.customproperty25=users.email) end
But I was looking for some config to consider the complete word 'non human'. I'm still trying combinations; if nothing works out, I will stick to the above.
06/03/2024 08:10 PM
CASE
WHEN LOWER(users.employeeid) NOT LIKE '%non human%'
THEN
(accounts.customproperty1 = users.employeeid)
OR (accounts.name = users.email)
OR (accounts.customproperty26 = users.email)
OR (accounts.customproperty25 = users.email)
END
06/07/2024 03:25 AM
Thanks Rushikesh. The above one works if a space exists between Non and Human, and if it is NONHUMAN it doesn't correlate. To avoid any such errors, we planned to stick to:
case when users.employeeid not like '%Human%' then (accounts.customproperty1=users.employeeid) or (accounts.name=users.email) or (accounts.customproperty26=users.email) or (accounts.customproperty25=users.email) end
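An added example, not part of any post in this thread: the `'%non human%'` guard compared with a whitespace-stripped variant on constructed data, run in SQLite from Python, plus a fan-out check that flags any user who would receive more than one account. The sample rows, the `REPLACE`-based guard and the `fan_out` helper are assumptions; whether Saviynt's correlation rule field accepts `REPLACE` is not confirmed in the thread.

```python
import sqlite3

# Constructed sample rows; column names mirror the rule posted in the thread.
USERS = [
    ("u1", "E1001", "alice@example.com"),
    ("u2", "Non Human", "bob@example.com"),   # employee ID overwritten in source
    ("u3", "NONHUMAN", "carol@example.com"),  # same marker, no space
    ("u4", "E1004", "dave@example.com"),
]
ACCOUNTS = [  # (name, customproperty1, customproperty26)
    ("alice", "E1001", None),
    ("svc_backup", "Non Human", None),
    ("svc_sql", "Non Human", None),
    ("svc_web", "NONHUMAN", None),
    ("svc_ldap", "NONHUMAN", None),
    ("dave", None, "dave@example.com"),
]
GUARDS = {
    # Guard from the thread: only matches the marker written with a space.
    "spaced": "LOWER(u.employeeid) NOT LIKE '%non human%'",
    # Hypothetical variant: strip spaces first so both spellings are excluded.
    "normalized": "REPLACE(LOWER(u.employeeid), ' ', '') NOT LIKE '%nonhuman%'",
}

def correlate(guard):
    """Return {username: [account names]} produced by the guarded rule."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(username, employeeid, email)")
    db.execute("CREATE TABLE accounts(name, customproperty1, customproperty26)")
    db.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    db.executemany("INSERT INTO accounts VALUES (?,?,?)", ACCOUNTS)
    rows = db.execute(
        "SELECT u.username, a.name FROM users u JOIN accounts a ON "
        f"{GUARDS[guard]} AND (a.customproperty1 = u.employeeid "
        "OR a.customproperty26 = u.email) ORDER BY 1, 2").fetchall()
    matches = {}
    for user, account in rows:
        matches.setdefault(user, []).append(account)
    return matches

def fan_out(matches, limit=1):
    """Users correlated to more than `limit` accounts: review before import."""
    return sorted(u for u, accts in matches.items() if len(accts) > limit)

if __name__ == "__main__":
    for name in GUARDS:
        result = correlate(name)
        print(name, result, "fan-out:", fan_out(result))
```
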