09/13/2024 11:18 AM
Requirement:
We are currently managing an AD Group-based application with five entitlements, utilizing AD Logical Applications for configuration (https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Logical-Active-Directory-Applications.htm).
To integrate the ABC application, we created an additional connection named "ABC_Connection" and established a Security System specific to the ABC application. We also configured five Organizational Units (OUs) in the Endpoint filter for the new logical application "ABC-Child," resulting in the creation of a Child Application. Separate provisioning and import data jobs were also set up for this Logical Application.
Our existing setup includes the following AD components:
AD Security System - Select EntitlementsOnly for the Create Task action in the security system.
AD Endpoint Parent
AD Connection - Endpoint Filter
AD Provisioning Job
AD Application Importing Job
Issue:
When a user submits a request for the ABC-Child application, the request is successfully created, tasks for Add access are generated, the account is created in the requested OU, and entitlement access is assigned as expected. However, we encountered a problem during the data import process for the Logical Application:
Error Message:
Duplicate entry '52-CN=EndUser20 EndUser20 (eenduser20),OU=Active,OU=Accounts,OU=' for key 'ENDPOINTKEY'
Additionally, we observed the following discrepancies:
An active account in the Parent Application
A deleted account in the parent endpoint.
A separate account in manually provisioned state in the Child Application due to the import failure caused by the duplicate entry issue
Objective:
We aim to ensure that only a single account is created for each user. Specifically, when a user requests access to the Child Application, we want the relevant group to be assigned to the existing user account (ABC-Parent) rather than creating a new account. This approach should prevent duplicate account creation and streamline the entitlement assignment process.
Request for Assistance:
We seek guidance on how to resolve the duplicate entry issue and prevent the creation of multiple accounts for a single user. Any advice or recommendations on configuration adjustments, troubleshooting steps, or best practices would be greatly appreciated.
Thank you for your assistance!
09/13/2024 11:31 AM
For AD logical apps, please configure the feature to raise requests for access without an account.
Select EntitlementsOnly for the Create Task action in the security system.
09/15/2024 10:02 PM
09/13/2024 11:34 AM
Rename account id using enhanced query to fix issue
09/15/2024 10:00 PM
@rushikeshvartak We have used the same to fix it, but this issue persists again while provisioning new access and importing.
Regards,
Saksham
09/13/2024 09:04 PM
Hi @SPAL, you shouldn't be having a separate connection for the child endpoint if you are using the logical endpoint procedure to manage a few entitlements.
09/15/2024 10:01 PM
@NM we are not using separate connection. As mentioned we are using only one connection.
Regards,
Saksham
09/15/2024 10:03 PM
Hi @SPAL, you need to edit the reference account key column of the duplicate account.
09/15/2024 10:13 PM
Hi @NM,
We have already used an enhanced query to modify the accountID of this user, but the issue still persists while reprovisioning other users.
objectGUID is the recon field. Please let us know what needs to be modified.
Regards,
Saksham
09/15/2024 10:47 PM
Hi @SPAL, for the child endpoint duplicate account you will see a reference account key; make that null and then run both jobs.
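A pre-check for the duplicate described in this thread, as an added example that is not from any of the posts above and not from Saviynt's documentation: an analytics-style query that lists account names appearing more than once within the same endpoint, so the affected rows can be reviewed (and, per the advice above, their reference account key cleared) before the import job is re-run. The table and column names (accounts, endpoints, name, endpointkey, status, endpointname) and the endpoint key 52 read off the error message are assumptions; verify them against your own instance's schema before use.

```sql
-- Added example; assumed schema, not Saviynt's documented data model.
-- Lists account names that occur more than once for the same endpoint,
-- which is the condition the "Duplicate entry ... for key 'ENDPOINTKEY'"
-- import error reports.
SELECT a.endpointkey,
       e.endpointname,
       a.name                  AS account_name,
       COUNT(*)                AS copies,
       GROUP_CONCAT(a.status)  AS statuses
FROM accounts a
JOIN endpoints e ON e.endpointkey = a.endpointkey
WHERE a.endpointkey = 52       -- assumed: the key prefix seen in the error message
GROUP BY a.endpointkey, e.endpointname, a.name
HAVING COUNT(*) > 1
ORDER BY copies DESC, account_name;
```

Run it against the parent and the child endpoint keys in turn; any row it returns is a candidate for the reference-account-key cleanup before the provisioning and import jobs are run again.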
09/15/2024 11:32 PM
Hi @NM ,
Is this behavior expected?
We've addressed this issue multiple times by updating the OU for the child application, which allows the import to succeed. However, every time we provision a new account and access, we encounter the same problem (duplicate and deleted account) again.
Any insights or recommendations would be appreciated.
Best regards,
Saksham
09/15/2024 11:35 PM - edited 09/15/2024 11:35 PM
Hi @SPAL, multiple accounts are fine. I hope you are using the entitlementOnly feature in the security system.
09/16/2024 07:56 AM
This is a data issue and there is no fix for this.
09/16/2024 12:10 AM
09/17/2024 10:45 PM
Hi @rushikeshvartak @NM @stalluri,
We have resolved the duplicate account entry issue.
Now there is another issue which we are facing: The accounts under Child Endpoint are not getting reconciled. The status of the account is in 'Manually Provisioned' state.
We tried debugging and found that the microservice job is partially successful, with a Child Endpoint sync failure; its details are shown below.
Failed applications and failure details: [CW_<ABC>_Child:Direct self-reference leading to cycle (through reference chain: com.saviynt.ssm.entity.EndpointsElastic["parentEndpointkey"]->com.saviynt.ecm.identit, CW_<ABC>:Direct self-reference leading to cycle (through reference chain: com.saviynt.ssm.entity.EndpointsElastic["parentEndpointkey"]->com.saviynt.ecm.identit]
Kindly let us know how to proceed here.
Regards,
Saksham
09/18/2024 05:26 AM
Please raise support ticket for further troubleshooting
09/18/2024 06:24 AM
@SPAL
Please go ahead and create the support ticket with all your findings.