
AD account correlation with employee ID - looking for possible ways to avoid accidental correlation

Arita
New Contributor II

Hi Team,

We have an AD account correlation rule based on employee ID and other attributes. Recently we ran into a situation where 30K accounts were correlated to a single user. This happened because all service accounts are categorized as Non Human in AD, and for some business reasons the employee ID of a user in the source was also changed to Non Human; when the user import happened, all service accounts were tagged to this user because the account and employee ID matched.

I wanted suggestions to avoid such situations in future from a Saviynt perspective.

- Can there be any workaround in the user-account correlation rule, like an advanced query, etc.?

- Restrict the emp ID format coming from source

- Any other suggestions

8 REPLIES

rushikeshvartak
All-Star

You can add a restriction in the endpoint's user correlation rule.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Arita
New Contributor II

Thank you Rushikesh. I understand from your response that we can add a restriction in the account correlation rule using advanced config, right?

Would you have a sample config to restrict the format of the employee ID, to accept a certain format or reject a certain format?

users.username=accounts.name # concat(users.lastname,left(users.firstname,2))=accounts.customproperty30

Regards,
Rushikesh Vartak

Thanks Rushikesh. We have something like below, but the correlation is still not working properly. Any suggestions to modify the query?

case when user.employeeid not like ('%NonHuman%' or '%non human%') then accounts.customproperty20=user.employeeid or accounts.customproperty35=user.email

case when user.employeeid not like ('%NonHuman%' or '%non human%') then accounts.customproperty20=user.employeeid or accounts.customproperty35=user.email else accounts.customproperty40=user.customproperty40


Regards,
Rushikesh Vartak

Arita
New Contributor II

Hi Rushikesh,

The above format isn't working, so I modified it to something like below. It's working.

case when users.employeeid not like '%Human%' then (accounts.customproperty1=users.employeeid) or (accounts.name=users.email) or (accounts.customproperty26=users.email) or (accounts.customproperty25=users.email) end

But I was looking for some config that considers the complete word 'non human'. I'm still trying combinations; if nothing works out, I will stick to the above.

CASE
WHEN LOWER(users.employeeid) NOT LIKE '%non human%'
THEN
(accounts.customproperty1 = users.employeeid)
OR (accounts.name = users.email)
OR (accounts.customproperty26 = users.email)
OR (accounts.customproperty25 = users.email)
END


Regards,
Rushikesh Vartak

Arita
New Contributor II

Thanks Rushikesh. The above one works if a space exists between Non and Human, but if it is NONHUMAN it doesn't correlate. To avoid any such errors, we planned to stick to: case when users.employeeid not like '%Human%' then (accounts.customproperty1=users.employeeid) or (accounts.name=users.email) or (accounts.customproperty26=users.email) or (accounts.customproperty25=users.email) end
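The three rule variants discussed in this thread, replayed over constructed sample data so the over-correlation and the NONHUMAN gap are visible. This is an added example, not code from the thread or from Saviynt; it assumes the correlation rule is evaluated as a join condition between users and accounts, and uses sqlite's case-insensitive LIKE as a stand-in for the IGA database.

```python
import sqlite3

# Constructed sample data (not from the thread): one real employee, two
# users whose employee ID was changed to a "non human" marker, and service
# accounts stamped with that same marker in customproperty1.
USERS = [
    ("jdoe",     "E1001",     "jdoe@example.com"),
    ("nh_user1", "Non Human", "nh1@example.com"),
    ("nh_user2", "NONHUMAN",  "nh2@example.com"),
]
ACCOUNTS = [
    ("jdoe",       "E1001",     None, None),
    ("svc_backup", "Non Human", None, None),
    ("svc_sql",    "Non Human", None, None),
    ("svc_web",    "NONHUMAN",  None, None),
]

MATCH = ("(accounts.customproperty1 = users.employeeid) OR (accounts.name = users.email) "
         "OR (accounts.customproperty26 = users.email) OR (accounts.customproperty25 = users.email)")
# Original rule: any user whose employee ID equals the service-account marker grabs them all.
UNGUARDED = MATCH
# Guard on the exact phrase: still lets NONHUMAN (no space) through.
SPACE_ONLY = f"CASE WHEN LOWER(users.employeeid) NOT LIKE '%non human%' THEN {MATCH} END"
# Rule the thread settled on: any employee ID containing 'Human' is skipped.
FINAL = f"CASE WHEN users.employeeid NOT LIKE '%Human%' THEN {MATCH} END"


def correlate(rule):
    """Return {username: sorted account names} that the given rule would correlate.

    A CASE with no ELSE yields NULL for excluded users, so the join drops them.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(username TEXT, employeeid TEXT, email TEXT);
        CREATE TABLE accounts(name TEXT, customproperty1 TEXT,
                              customproperty26 TEXT, customproperty25 TEXT);
    """)
    con.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?)", ACCOUNTS)
    rows = con.execute(
        f"SELECT users.username, accounts.name FROM users JOIN accounts ON {rule}"
    ).fetchall()
    con.close()
    result = {}
    for user, acct in rows:
        result.setdefault(user, []).append(acct)
    return {u: sorted(a) for u, a in result.items()}
```

Run `correlate(UNGUARDED)`, `correlate(SPACE_ONLY)` and `correlate(FINAL)` to see the service accounts attach to the non-human users, then to only the NONHUMAN user, then to nobody.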