
ADSI Connector - Performance Issues with 'ImportNestedGroupMembership' flag

rakesh_iam
New Contributor

Hi,

We are using the ADSI Connector to reconcile accounts and their access from two domains (the domains are within the same forest). We are noticing that the job runs pretty quickly (within 4 mins) when the 'ImportNestedGroupMembership' flag is set to false. Total records in DEV AD is ~4500.

But when the flag is set to true, the job takes a lot of time (~2 hrs) and even then the job doesn't complete successfully. We have checked AD and there is no circular group hierarchy.

Have you faced similar run time issues with the flag 'ImportNestedGroupMembership'? If so, how did you resolve the same?

Thanks,

Rakesh

 


stalluri
Regular Contributor II

It will definitely take time to pull all those into Saviynt. ADSI will try to pull all the users and access for all the DCs individually to make sure it pulls all the data.
2 hrs is long for sure. I never used any 'ImportNestedGroupMembership' flag.

I am using the default group mapping.
My job:
Full import.
It will take 20 mins to pull 8000 records for full import.
User import will take 6 mins to pull 3500+ users

Incremental:
will take 1-2 mins to complete.

Configuring Nested Groups to Active Directory

You can create an Entitlement type role from Applications > Home > Manage Roles > Create New Role or Admin > Identity Repository > Role > Create Role and specify the Active Directory Group name for the role (parent group) and add the child groups to the role. Ensure that the child entitlements that you plan to add are available in EIC. While creating the role, attach the Active Directory endpoint in which you want to create the nested Active Directory groups. After the role is created, add the child groups (child entitlements) assigned to it and send the role for approval.

After the role is approved, corresponding tasks are created in EIC. To provision the newly created Active Directory nested groups to Active Directory, run the provisioning job (WSRETRY). This job creates new entitlements with the same name as the Role name in the Active Directory endpoint.

Prerequisites

  • You possess a working knowledge of Active Directory concepts such as:

    • Active Directory groups are CN of type member.

    • memberOf is the parent of the Active Directory group.

    • Members are child entitlements of the Active Directory group.

    • Distinguished Name (DN) is the hierarchy and path where the Active Directory groups are located.

Perform the following configuration tasks to enable the nested group management functionality:

  1. Select a workflow:

    1. Go to Admin>Endpoint>Endpoint show of Active Directory endpoint>EntitlementType tab>View details on memberOf entitlementtype.

    2. Select Add Workflow (For example, RoleApprovalWF) in the EntitlementType Show page.

  2. Define the ConnectionConfig entry in the Show Endpoints page:
    {"conf":[{"ADDMEMBERTOENT":"TRUE"},{"ADDUSERTOENT":"TRUE"}]}
    It was configured from the database in the previous releases of EIC.

  3. Define the "groupType" and "objectCategory" properties in the createupdateMappings for the Active Directory connection. The following is a sample with these properties defined:
    2147483646: It represents Global Security Group that includes group members of global scope that are from the same domain as the parent global group.
    2147483644: It represents Local Security Group that includes global and universal group members from any domain but domain local group must be only from the same domain.
    2147483640: It represents Universal Security Group that includes group members of global scope and universal scope.

  4. Set ENABLEGROUPMANAGEMENT to True, TRUE, or true in the Active Directory connection.

  5. Set the Active Directory connection in Admin> Security System.



Please let me know if you need anything else.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks @stalluri for the detailed response.

I was referring to the below configuration within ADSI Connection,

[Image: rakesh_iam_0-1697499939649.png]

If we set the flag to false, the job runs quicker and it almost completes within a few mins. If the flag is set to true, we are facing issues with the recon jobs. We have checked in AD for circular hierarchy and there were none.

We are not currently managing groups in AD from Saviynt. The issues are with reconciliation process.

Thanks,

Rakesh
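
An offline check for the two things this thread discusses, circular group nesting and how far nested membership expands, added here as an example; it is not code from the posters or from Saviynt. The group names and the member map are constructed sample data; in practice the map would come from an export of each group's member attribute.

```python
# Constructed sample data: group DN -> values of its 'member' attribute.
# DNs that are not keys of the map are treated as users (leaves).
MEMBERS = {
    "CN=App-Admins": ["CN=Ops", "CN=alice"],
    "CN=Ops":        ["CN=Ops-Tier2", "CN=bob"],
    "CN=Ops-Tier2":  ["CN=carol", "CN=dave"],
    "CN=Helpdesk":   ["CN=Ops-Tier2", "CN=erin"],
}

def find_cycle(members):
    """Return one circular nesting path (first DN repeated last), or None."""
    done, on_path = set(), []

    def visit(group):
        on_path.append(group)
        for child in members[group]:
            if child not in members:          # user object: nothing to follow
                continue
            if child in on_path:              # back edge: nesting loops here
                return on_path[on_path.index(child):] + [child]
            if child not in done:
                found = visit(child)
                if found:
                    return found
        on_path.pop()
        done.add(group)
        return None

    for group in members:
        if group not in done:
            found = visit(group)
            if found:
                return found
    return None

def effective_users(members, group, seen=None):
    """Users reachable through nested groups; 'seen' stops loops and repeats."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, []):
        if m in members:
            users |= effective_users(members, m, seen)
        else:
            users.add(m)
    return users
```

Comparing `len(effective_users(...))` with the number of direct members per group shows how much extra membership data a nested import has to resolve for each group.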

stalluri
Regular Contributor II

@rakesh_iam 

I am also using it as false.

If you want to set it to true, try to map this with only these: CP1, 2, 3, 4, 5.

Best,
Sam.

