Azure AD Access Import - Exclude an entitlement

Bharadwaj319
New Contributor III

We configured Azure AD Access Import, but it has been failing because one of the entitlement values is greater than 255 characters.

 [quartzScheduler_Worker-23] DEBUG generic.GenericProvisioningService - INFO ErEx: processAADGroupList:persistObjects : Data truncation: Data too long for column 'ENTITLEMENT_VALUE' at row 1

Is there a way I can exclude this particular entitlement in the ENTITLEMENT_FILTER_JSON config?


SB
Saviynt Employee

The exclusion filter for Entitlement is currently not supported, but you can definitely raise this enhancement in the Ideas portal. I would recommend updating the name of the entitlement in the target.

 


Regards,
Sahil

Bharadwaj319
New Contributor III

Can you provide me a working sample of ENTITLEMENT_FILTER_JSON?
I see in the documentation there is a sample of this, but we are trying to understand the syntax of it to use it in a more efficient way.

https://docs.saviyntcloud.com/bundle/AzureAD-v55x/page/Content/Customizing-Entitlement-Import.htm#De...

Something that is mentioned on the below Forums for ACCOUNTS_FILTER.
https://forums.saviynt.com/t5/identity-governance/accounts-filter-issue/td-p/26209

I tried using the filter as suggested in the below forums link
https://forums.saviynt.com/t5/identity-governance/import-only-certain-groups-using-azure-ad-ootb-con...

But I receive the below error in the logs.

[Image attachment: Bharadwaj319_0-1681831411882.png]


If you can provide more information on precise syntax to use other Azure attributes in the filter conditions or more examples of how to use this config, it will be helpful.

{
  "group_filter": "startswith(displayname,'AZ')&$count=true"
}

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

I already tried using it as in the above mentioned post's link.
This is what I had in the access import job.

{
  "importEntTypes": {
    "AADGroup": {}
  },
  "ENTITLEMENT_FILTER_JSON": {
    "group_filter": "startswith(displayname,'gCld')&$count=true"
  }
}

But the job is failing with the below error. Am I missing something?

 

Error deleteAcctEntMappinggroovy.lang.MissingPropertyException: No such property: accentKey for class: com.saviynt.provisoning.azure.AzureADProvisioningService

This syntax is for one of the connection attributes supported in v2022.x onwards, not in the job JSON.


Regards,
Rushikesh Vartak

Do you mean "ENTITLEMENT_FILTER_JSON" is not even supported at connector level in versions prior to v2022.x?

@SB is this something you can confirm?

SB
Saviynt Employee

The ENTITLEMENT_FILTER_JSON will be available at Connection level and you would not see this parameter in the unsupported versions. This was introduced from v2022.x and v5.5 SP3.13.x onwards.


Regards,
Sahil

Bharadwaj319
New Contributor III

@SB we currently are in SP3.13 and within the Azure AD connector's ENTITLEMENT_FILTER_JSON I configured the below.

{
  "group_filter": "startswith(displayName,'gCldIAG')"
}

But when I try to run the Access Import job I see from the logs it is not just scoping for the groups that match the filter, rather it is considering all the groups and the job keeps running for hours. 
I verified the logs to see that the ENTITLEMENT_FILTER_JSON was recognized, but still it was importing all the groups.

SB
Saviynt Employee

Can you share the log snippet where you see the filter being recognized?


Regards,
Sahil

Bharadwaj319
New Contributor III

2023-04-27 02:18:10,620 [quartzScheduler_Worker-4] DEBUG integration.ExternalConnectionCallService - Key=accountfilter Value=
2023-04-27 02:18:10,620 [quartzScheduler_Worker-4] DEBUG integration.ExternalConnectionCallService - Key=import_config Value=
2023-04-27 02:18:10,620 [quartzScheduler_Worker-4] DEBUG integration.ExternalConnectionCallService - Key=ENTITLEMENT_FILTER_JSON Value={
"group_filter":"startswith(displayName,'gCldIAG')"
}

SB
Saviynt Employee

When you run the import job, you should see the below URL. Can you check if it also includes the filter value that you have defined?

DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups?$select=id,displayName,description,mailEnabled,mail,mailNick...,'gCldIAG')


Regards,
Sahil

Bharadwaj319
New Contributor III

After the ENTITLEMENT_FILTER_JSON is recognized this is what I see in the logs.
It appears that it does not have the filter in the URL.

 

2023-05-04 03:53:54,740 [quartzScheduler_Worker-1] DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName,description,mailEnabled,mail,ma...
remisesSyncEnabled,onPremisesLastSyncDateTime,onPremisesSecurityIdentifier,groupTypes,createdDateTime,resourceProvisioningOptions,members&$deltaToken=latest
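
The URL check requested above, as an added example that is not part of the original thread and is not Saviynt's code: it extracts the url: lines from the debug log and reports, for each Graph groups request, whether the configured group_filter reached the $filter parameter and whether the call went to /groups/delta. The sample log lines, their shortened $select lists, and the helper name audit_group_urls are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the log format quoted in the thread. The $select lists
# are shortened stand-ins, and the second line is an invented "filter applied" case.
SAMPLE_LOG = """\
2023-05-04 03:53:54,740 [quartzScheduler_Worker-1] DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName&$deltaToken=latest
2023-05-04 03:59:01,112 [quartzScheduler_Worker-1] DEBUG generic.GenericProvisioningService - url: https://graph.microsoft.com/v1.0/groups?$select=id,displayName&$filter=startswith(displayName,'gCldIAG')
"""

# Connection-level value as posted in the thread.
FILTER_JSON = """{"group_filter":"startswith(displayName,'gCldIAG')"}"""

URL_RE = re.compile(r"GenericProvisioningService - url: (\S+)")


def audit_group_urls(log_text, filter_json):
    """Hypothetical helper: one finding per Graph /groups request in the log."""
    # Earlier posts append "&$count=true" to the value; compare the filter part only.
    expected = json.loads(filter_json)["group_filter"].split("&", 1)[0]
    findings = []
    for line in log_text.splitlines():
        match = URL_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if not parts.path.startswith("/v1.0/groups"):
            continue
        # parse_qs also decodes percent-encoded URLs, so %24filter matches too.
        applied = parse_qs(parts.query).get("$filter", [])
        findings.append({
            "path": parts.path,
            "delta": parts.path.endswith("/delta"),
            "filter_seen": applied[0] if applied else None,
            "filter_applied": expected in applied,
        })
    return findings


if __name__ == "__main__":
    for f in audit_group_urls(SAMPLE_LOG, FILTER_JSON):
        status = "filter applied" if f["filter_applied"] else "NO FILTER"
        print(f"{f['path']:<22} delta={f['delta']!s:<5} {status}")
```

Run over a full import log, a delta request that carries no $filter, like the line posted above, is reported as NO FILTER.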

SB
Saviynt Employee

Can you check if you have also defined any filter in the job trigger? If so, can you remove it and then run the job?

The filter criteria defined in the Application Data Import (Multithreaded) job trigger takes precedence over the criteria defined in the Add/Update Connections page.


Regards,
Sahil

Bharadwaj319
New Contributor III

We have nothing defined on the job trigger; the only filter we defined was at the connector level.