04/17/2023 07:45 AM
We configured the Azure AD Access Import, but it has been failing because one of the entitlement values is greater than 255 characters.
[quartzScheduler_Worker-23] DEBUG generic.GenericProvisioningService - INFO ErEx: processAADGroupList:persistObjects : Data truncation: Data too long for column 'ENTITLEMENT_VALUE' at row 1
Is there a way I can exclude this particular entitlement in the ENTITLEMENT_FILTER_JSON config?
04/17/2023 10:37 AM
The exclusion filter for entitlements is currently not supported, but you can definitely raise this enhancement in the Ideas portal. I would recommend updating the name of the entitlement in the target.
04/18/2023 08:24 AM
Can you provide me a working sample of ENTITLEMENT_FILTER_JSON?
I see in the documentation there is a sample of this, but we are trying to understand the syntax of it to use it in a more efficient way.
Something that is mentioned on the below Forums for ACCOUNTS_FILTER.
https://forums.saviynt.com/t5/identity-governance/accounts-filter-issue/td-p/26209
I tried using the filter as suggested in the below forums link
https://forums.saviynt.com/t5/identity-governance/import-only-certain-groups-using-azure-ad-ootb-con...
But I receive the below error in the logs.
If you can provide more information on precise syntax to use other Azure attributes in the filter conditions or more examples of how to use this config, it will be helpful.
04/18/2023 08:37 PM
{
"group_filter":"startswith(displayname,'AZ')&$count=true"
}
04/18/2023 09:09 PM
I already tried using it as in the above mentioned post's link.
This is what I had in the access import job.
{
"importEntTypes": {
"AADGroup": {}
},
"ENTITLEMENT_FILTER_JSON": {
"group_filter":"startswith(displayname,'gCld')&$count=true"
}
}
But the job is failing with the below error. Am I missing something?
Error deleteAcctEntMapping | groovy.lang.MissingPropertyException: No such property: accentKey for class: com.saviynt.provisoning.azure.AzureADProvisioningService |
04/18/2023 09:17 PM
This syntax is for one of the connection attributes supported from v2022.x onwards, not for the job JSON.
04/19/2023 03:09 AM
Do you mean "ENTITLEMENT_FILTER_JSON" is not even supported at connector level in versions prior to v2022.x?
04/24/2023 02:32 AM
@SB is this something you can confirm?
04/24/2023 08:10 AM
The ENTITLEMENT_FILTER_JSON will be available at Connection level and you would not see this parameter in the unsupported versions. This was introduced from v2022.x and v5.5 SP3.13.x onwards.
04/25/2023 01:55 AM
@SB we currently are in SP3.13 and within the Azure AD connector's ENTITLEMENT_FILTER_JSON I configured the below.
{
"group_filter":"startswith(displayName,'gCldIAG')"
}
But when I try to run the Access Import job I see from the logs it is not just scoping for the groups that match the filter, rather it is considering all the groups and the job keeps running for hours.
I verified the logs to see that the ENTITLEMENT_FILTER_JSON was recognized, but still it was importing all the groups.
04/26/2023 08:44 AM
Can you share the log snippet where you see the filter being recognized?
04/26/2023 10:15 PM
2023-04-27 02:18:10,620 [quartzScheduler_Worker-4] DEBUG integration.ExternalConnectionCallService - Key=accountfilter Value=
2023-04-27 02:18:10,620 [quartzScheduler_Worker-4] DEBUG integration.ExternalConnectionCallService - Key=import_config Value=
2023-04-27 02:18:10,620 [quartzScheduler_Worker-4] DEBUG integration.ExternalConnectionCallService - Key=ENTITLEMENT_FILTER_JSON Value={
"group_filter":"startswith(displayName,'gCldIAG')"
}
05/02/2023 12:13 PM
When you run the import job, you should see the below URL. Can you check if it also includes the filter value that you have defined?
DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups?$select=id,displayName,description,mailEnabled,mail,mailNick...,'gCldIAG')
05/04/2023 12:46 AM
After the ENTITLEMENT_FILTER_JSON is recognized this is what I see in the logs.
It appears that it does not have the filter in the URL.
2023-05-04 03:53:54,740 [quartzScheduler_Worker-1] DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName,description,mailEnabled,mail,ma...
remisesSyncEnabled,onPremisesLastSyncDateTime,onPremisesSecurityIdentifier,groupTypes,createdDateTime,resourceProvisioningOptions,members&$deltaToken=latest
05/04/2023 08:57 AM
Can you check if you have also defined any filter in the job trigger? If so, can you remove it and then run the job?
The filter criteria defined in the Application Data Import (Multithreaded) job trigger take precedence over the criteria defined in the Add/Update Connections page.
05/04/2023 08:55 PM
We have nothing defined on the job trigger; the only filter we defined was at the connector level.
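
One way to run the check suggested in the replies above over a saved job log, as an added example that is not part of the thread and not Saviynt's code: it reads group_filter from the logged ENTITLEMENT_FILTER_JSON and reports, for each Graph /groups URL logged by GenericProvisioningService, whether it is a delta call and whether the configured $filter was actually sent. The sample log is constructed from the line formats quoted in the thread, with shortened $select lists, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, modelled on the line formats quoted in the thread.
# The $select lists are shortened; they are not the connector's real ones.
SAMPLE_LOG = """\
2023-05-04 03:53:50,101 [quartzScheduler_Worker-1] DEBUG integration.ExternalConnectionCallService - Key=ENTITLEMENT_FILTER_JSON Value={
"group_filter":"startswith(displayName,'gCldIAG')"
}
2023-05-04 03:53:54,740 [quartzScheduler_Worker-1] DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName&$deltaToken=latest
2023-05-04 03:54:10,002 [quartzScheduler_Worker-1] DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups?$select=id,displayName&$filter=startswith(displayName,'gCldIAG')
"""

# The logged JSON value spans several lines, so match across newlines.
FILTER_RE = re.compile(r"Key=ENTITLEMENT_FILTER_JSON Value=(\{.*?\})", re.S)
URL_RE = re.compile(r"GenericProvisioningService - url: (\S+)")


def configured_group_filter(log_text):
    """Return group_filter from the logged ENTITLEMENT_FILTER_JSON, or None."""
    m = FILTER_RE.search(log_text)
    if not m:
        return None  # key absent or logged with an empty value
    try:
        return json.loads(m.group(1)).get("group_filter")
    except json.JSONDecodeError:
        return None


def audit_group_urls(log_text):
    """Return (path, is_delta, filter_applied) for each logged Graph /groups call."""
    wanted = configured_group_filter(log_text)
    # A value such as "startswith(...)&$count=true" carries extra query
    # parameters; only the part before the first '&' is the filter expression.
    wanted_expr = wanted.split("&", 1)[0] if wanted else None
    results = []
    for url in URL_RE.findall(log_text):
        parts = urlsplit(url)
        if "/groups" not in parts.path:
            continue
        sent = parse_qs(parts.query).get("$filter", [None])[0]
        applied = wanted_expr is not None and sent == wanted_expr
        results.append((parts.path, parts.path.endswith("/delta"), applied))
    return results


if __name__ == "__main__":
    for path, is_delta, applied in audit_group_urls(SAMPLE_LOG):
        print(f"{path:22} delta={is_delta!s:5} filter_applied={applied}")
```

A row with filter_applied=False matches the symptom described in the thread: the connection parameter is logged as recognized, but the request that enumerates groups does not carry it.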