Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

AD account correlation with employee ID - looking for possible ways to avoid accidental correlation

Arita
New Contributor
New Contributor

Hi Team,

We have an AD account correlation rule based on employee ID and other attributes. Recently we ran into a situation where 30 K accounts were correlated to a user. This happened because all service accounts are categorized as Non Human in AD and also for some business reasons, employee ID of an user in source was changed to Non Human and when the user import happened, all service accounts were tagged to this user as the account and employee id matches.

I wanted suggestions to avoid these situation in future from Saviynt perspective.

- Can there be any work around in user account correlation rule like advanced query etc.,

- Restrict the emp ID format coming from source

- Any other suggestions

8 REPLIES 8

rushikeshvartak
All-Star
All-Star

You can add restriction in endpoint- user correlation rule


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Arita
New Contributor
New Contributor

Thank you Rushikesh.I understand from your response that we can add a restriction in account correlation rule using advanced config right? 

Would you have a sample config to restrict the format of employee ID to accept certain format or reject certain format

users.username=accounts.name # concat(users.lastname,left(users.firstname,2))=accounts.customptroperty30

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks Rushikesh. We have something like below, but still correlation is not working properly. Any suggestions to modify the query.

case when user.employeeid not like ('%NonHuman%' or '%non human%') then accounts.customproperty20=user.employeeid or accounts.customproperty35=user.email

case when user.employeeid not like ('%NonHuman%' or '%non human%') then accounts.customproperty20=user.employeeid or accounts.customproperty35=user.email else accounts.customproperty40=user.customproperty40


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Arita
New Contributor
New Contributor

Hi Rushikesh,

The above format isn't working. so modified something like below. It's working.

case when users.employeeid not like '%Human%' then (accounts.customproperty1=users.employeeid) or (accounts.name=users.email) or (accounts.customproperty26=users.email) or (accounts.customproperty25=users.email) end

But I was looking some config to consider  complete word 'non human', I'm still trying combinations if nothing works out, will stick to the above.

CASE
WHEN LOWER(users.employeeid) NOT LIKE '%non human%'
THEN
(accounts.customproperty1 = users.employeeid)
OR (accounts.name = users.email)
OR (accounts.customproperty26 = users.email)
OR (accounts.customproperty25 = users.email)
END


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Arita
New Contributor
New Contributor

Thanks Rushikesh. the above one works if space exists between Non and Human and if it is NONHUMAN it doesn't correlate. To avoid any such errors, we planned to stick to case when users.employeeid not like '%Human%' then (accounts.customproperty1=users.employeeid) or (accounts.name=users.email) or (accounts.customproperty26=users.email) or (accounts.customproperty25=users.email) end