Saviynt Forums

ShaneHSCor · ‎09/26/2024

Hi All,

We are experiencing a large issue where the full incremental import is taking over 16 hours.

Looking to the community for solutions that have been used regarding the ENTITLEMENT_FILTER_JSON

Believe we could reduce the time by filtering out some of the objects - do not want to do it in the custom job. Please share what strategies you all have been using. Has anyone use multi threaded successfully?

rushikeshvartak · ‎09/26/2024

Below are samples

{ "group_filter":"startswith('Azure-Security-PIM-',displayName ) or startswith('xx-MS-Team-Test-Group-',displayName) or displayName eq 'azure-group-awstest_production_851619321778_securityreader_global' or displayName eq 'TestApp' &$count=true"}

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ShaneHSCor · ‎09/26/2024

Thank you rushikeshvartak - from your example it looks like it's a comma delimited list of filters surrounded by curly brackets. That is helpful 🙂

In our situation, instead of a string match filter, we are looking to create a filter that would restrict the entitlement types at the graph query level before it is parsed via the JSON. The data we are returning from graph is taking an immense amount of time.

Also - has anyone run this as a multi-threaded job?

NM · ‎09/26/2024

Hi @ShaneHSCor as per saviynt doc suggestions it should be single threaded only(5.5 version) so we went ahead with that only ..

But for rest we are using multi threaded

If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

rushikeshvartak · ‎09/26/2024

We add using multi threaded job with thread as 17 counf

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ShaneHSCor · ‎09/26/2024

Multithreaded with a low thread count is attractive - I do the same when running powershell against the graph.

Has anyone created a filter that would restrict the entitlement types at the graph query level before it is parsed via the JSON?

rushikeshvartak · ‎09/26/2024

Yes we have used below job level custom access filters to just pull aadgroups

{
"importEntTypes": {
"AADGroup": {}
},
"excludeEntTypes": {
"ApplicationInstance": {},
"DirectoryRole": {},
"Subscription": {},
"Application": {},
"DirectoryRoleMember": {},
"SKU": {},
"ServicePlans": {},

"Team": {},
"Channel": {},
"MemberPermission": {},
"GuestPermission": {}
}
}

refer https://docs.saviyntcloud.com/bundle/AzureAD-v24x/page/Content/Customizing-Entitlement-Import.htm

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ShaneHSCor · ‎09/26/2024

Hi @rushikeshvartak - have you confirmed this hits the root graph query and not just select what is parsed as entitlement values?

rushikeshvartak · ‎09/26/2024

Yes we are using for 3 Azure AD connection for client

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

ShaneHSCor · ‎09/27/2024

Thank you- we will try the following filter that has a few more:

Custom Import Config Job Filter

{
"importEntTypes": {
"AADGroup": {},
"Team": {}
},

"excludeEntTypes": {
"ApplicationInstance": {},
"DirectoryRole": {},
"Oauth2Permission": {},
"AppRole": {},
"Application": {},
"SKU": {},
"ServicePlans": {},
"Channel": {},
"MemberPermission": {},
"GuestPermission": {}
}
}

Saviynt Forums

AzureAD ENTITLEMENT_FILTER_JSON Documentation