09/12/2024 04:21 AM
Hi
I found this note in the AD connector documentation stating a difference between full and incremental data import functionality. Is it also true for the ADSI connector? I will test and see in the near future, but if anyone can share their experience on this, it would be helpful.
Please let me know in case you have any further questions.
Regards
Gaurav
09/12/2024 08:03 AM
@GauravJain
ADSI Import Recommendations
During incremental import, the connector does not perform the account threshold check and also does not inactivate accounts missing from import.
For importing data from the target application to EIC, Saviynt recommends the following:
On the first day: When configuring the connection for the first time, perform a full import of objects (accounts, access, or users) to bring in all existing records from the target application to EIC.
When running a full import, ensure that you run the account import before running the access import.
Saviynt recommends running a full import every seven days to bring in any missing data. For more information, see Known Issues.
The connector performs the following actions while importing accounts:
Obtains accounts from a target directory (Active Directory or an LDAP-based directory) in batches based on the PAGE_SIZE value. Each batch obtains the number of records equal to the specified page size.
Stores each batch of accounts in a temporary table.
Copies the temporary table entries to the Accounts table after all the accounts are stored in the temporary table. In case of an error while writing the accounts to the database, the entire transaction is rolled back.
The connector performs the following actions while importing groups:
Imports all the groups from Active Directory to EIC. Groups are associated with all imported accounts within the domain irrespective of the group filters. However, metadata for associated groups and nested entitlements is not imported. This action imports accounts also.
Obtains the groups based on the groupImportMapping value.
Triggers the full account import job based on the OBJECTFILTER and BASE values.
Obtains all accounts associated with the group.
Performs access import based on the ENDPOINTS_FILTER value, if any.
On the nth day: After the first full import, you can run incremental import for bringing in only the changes that are made in the target application after the last full import. From the next run onwards, only records created or modified after the value in the whenChanged attribute of Active Directory are considered for import.
For an incremental user import, the UPDATEDATE attribute of the connector (specified in USER_ATTRIBUTE) looks for the maximum value of the Active Directory whenChanged user attribute. The connector also checks for the CREATED_ON attribute and the JobID.
For an incremental account import, the UPDATEDATE attribute of the connector (specified in ACCOUNT_ATTRIBUTE) looks for the maximum value of the Active Directory whenChanged account attribute.
For an incremental group import, the incrementalTimeField attribute of the connector (specified in groupImportMapping) looks for the maximum value of the Active Directory whenChanged group attribute. The connector also checks for lastscandate and updateDate attributes (specified in groupImportMapping) and incrementally obtains the accounts associated with these groups.
Saviynt recommends running the incremental import on a daily basis.
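The behaviour described in the reply above (incremental import keyed on the maximum whenChanged value, with no threshold check and no inactivation of missing accounts) can be modelled as follows. This is an added example, not part of the original post and not Saviynt's connector code; the function names, the `max_inactivations` parameter and the sample accounts are assumptions made for illustration.

```python
from datetime import datetime

def full_import(store, directory, max_inactivations=2):
    """Model of a full import: upsert every record, then inactivate accounts
    missing from the directory, guarded by a threshold (hypothetical parameter)."""
    missing = [n for n, a in store.items() if a["active"] and n not in directory]
    if len(missing) > max_inactivations:
        # Abort before touching the store, so a broken import cannot mass-disable.
        raise RuntimeError(f"threshold exceeded: {len(missing)} accounts missing")
    for name, when_changed in directory.items():
        store[name] = {"whenChanged": when_changed, "active": True}
    for name in missing:
        store[name]["active"] = False
    return missing

def incremental_import(store, directory):
    """Model of an incremental import: only records whose whenChanged is later
    than the stored maximum; no threshold check and no inactivation."""
    high_water = max((a["whenChanged"] for a in store.values()), default=datetime.min)
    changed = {n: w for n, w in directory.items() if w > high_water}
    for name, when_changed in changed.items():
        store[name] = {"whenChanged": when_changed, "active": True}
    return sorted(changed)

def stale_active(store, directory):
    """Accounts still active in the store but no longer present in the directory."""
    return sorted(n for n, a in store.items() if a["active"] and n not in directory)

def demo():
    d = lambda day: datetime(2024, 9, day)
    directory = {"alice": d(1), "bob": d(1), "carol": d(1)}  # constructed sample data
    store = {}
    full_import(store, directory)                 # first day: full import
    del directory["bob"]                          # bob is deleted in the directory
    directory["carol"] = d(3)                     # carol is modified
    directory["dave"] = d(4)                      # dave is created
    picked_up = incremental_import(store, directory)
    stale_before = stale_active(store, directory)  # bob is still active here
    inactivated = full_import(store, directory)    # periodic full import
    return picked_up, stale_before, inactivated, stale_active(store, directory)

if __name__ == "__main__":
    print(demo())
```

In this model the deleted account stays active after every incremental run and is only inactivated by the next full import, which is the gap the recommended seven-day full import closes.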
09/12/2024 08:08 AM
@GauravJain The above-mentioned stays true for ADSI as well as for AAD.