Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AD accounts status changes to suspended when group import mapping is changed

bhushan
New Contributor II
New Contributor II

‎07/06/2023 12:15 PM

Hi Team,
 
Usecase: We want to use AD extensionattribute14 as a flag to update status of entitlements. The requestable entitlements will be flagged and set active. This will be used along with endpoint filter
Details: We are using below group import mapping.
{
"importGroupHierarchy": "true",
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "false",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"mapping":"memberHash:member_char,customproperty1:sAMAccountType_char,customproperty2:instanceType_char,customproperty3:uSNCreated_char,customproperty4:groupType_char,customproperty5:dSCorePropagationData_char,customproperty12:dn_char,customproperty13:cn_char,lastscandate:whenCreated_date,customproperty15:managedBy_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customproperty9:name_char,customproperty10:objectCategory_char,customproperty11:sAMAccountName_char,entitlement_value:distinguishedName_char,entitlementid:objectGUID_Binary,customproperty14:objectClass_char,updatedate:whenChanged_date,customproperty17:distinguishedName_char,RECONCILATION_FIELD:customproperty18,customproperty18:objectGUID_Binary,status:extensionAttribute14_char",
"activeGroupPossibleValues": ["active","a","l","TRUE","requestable"]
}
 
This does set the entitlements to active and inactive as per the use case.
 
Issue Details: When accounts are imported the accounts status is updated to suspended from import service.
When we update the mapping i.e. copy from document as is, it gets the account with active status. The existing account is not activated instead a new account is created.
The reconciliation field is objectGUID in the account import mapping.
Has anyone faced this earlier
 
Thanks,
Bhushan
Labels:
0 Kudos
6 REPLIES 6

dgandhi
All-Star
All-Star

‎07/06/2023 12:24 PM

Hi @bhushan 

If the status of the account is SUSPENDED FROM IMPORT SERVICE and in account name -Deleted tag is added then Saviynt will create new account (when next recon happens and account is part of the import.) It wont make existing -Deleted account as Active.

Above is the expected behaviour.

 

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

0 Kudos

bhushan
New Contributor II
New Contributor II
In response to dgandhi

‎07/06/2023 12:30 PM

ok but, why the accounts are updated to suspended from import service if we change the group import mapping. If we update the status mapping all the accounts in the endpoints are suspended.

0 Kudos

dgandhi
All-Star
All-Star
In response to bhushan

‎07/06/2023 12:32 PM

Status of the account will be updated based on your account import json. Can you paste that?

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

0 Kudos

bhushan
New Contributor II
New Contributor II

‎07/06/2023 12:35 PM

[name::sAMAccountName#String,
CUSTOMPROPERTY1::CN#String,
DISPLAYNAME::displayName#String,
CUSTOMPROPERTY3::givenName#String,
ACCOUNTCLASS::objectClass#String,
ACCOUNTID::distinguishedName#String,
status::userAccountControl#String,
LASTLOGONDATE::lastLogon#millisec,
CUSTOMPROPERTY2::employeeType#String,
CUSTOMPROPERTY4::userPrincipalName#String,
CUSTOMPROPERTY5::sn#String,
CUSTOMPROPERTY6::c#String,
CUSTOMPROPERTY7::title#String,
CUSTOMPROPERTY8::physicalDeliveryOfficeName#String,
CUSTOMPROPERTY9::telephoneNumber#String,
CUSTOMPROPERTY10::department#String,
CUSTOMPROPERTY11::employeeID#String,
CUSTOMPROPERTY12::countryCode#String,
CUSTOMPROPERTY13::middleName#String,
CUSTOMPROPERTY14::manager#String,
CUSTOMPROPERTY15::userAccountControl#String,
CUSTOMPROPERTY16::objectGUID#Binary,
CUSTOMPROPERTY17::mail#String,
description::description#String,
RECONCILATION_FIELD::CUSTOMPROPERTY16

]

0 Kudos

Saathvik
All-Star
All-Star
In response to bhushan

‎07/06/2023 01:42 PM

groupImportMapping changes shouldn't impact Account import or their status. Is there anything you changed in connection apart from groupImportMapping


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
0 Kudos

bhushan
New Contributor II
New Contributor II
In response to Saathvik

‎07/06/2023 01:57 PM

No, I did not change anything other than group import mapping. 

0 Kudos
Copyright © 2024 Khoros, LLC