05/01/2024 07:43 AM
Hi Team,
If there is an Active Directory group with an account and the import process is run, a duplicate entitlement is created. One is active and the other is inactive.
Group creation steps: the group was created and an account was added to that group manually in AD.
Job sequence: It's a trigger chain job (Account and Access import).
RECONCILATION_FIELD is RECONCILATION_FIELD:objectGUID_Binary.
The entitlementid mapping is entitlementid:sAMAccountName_char, but I also tried with DN and objectGUID.
performGroupAccountLinking: tried with true and false
Below is the Group Import Mapping:
{
"importGroupHierarchy": "false",
"performGroupAccountLinking": "true",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,entitlement_glossary:description_char,entitlement_value:sAMAccountName_char,entitlementid:sAMAccountName_char,lastscandate:whenCreated_date,displayname:cn_char,updatedate:whenChanged_date,customProperty1:sAMAccountType_char,customProperty2:instanceType_char,customProperty4:groupType_char,customProperty9:name_char,customProperty10:objectCategory_char,customProperty11:sAMAccountName_char,customProperty12:distinguishedName_char,customProperty13:cn_char,customProperty14:objectClass_char,customProperty15:managedBy_char,customProperty19:objectGUID_Binary,customProperty22:objectSid_Binary,customProperty21:info_char,customProperty5:languageCode_char,customProperty6:language_char,customproperty29:extensionAttribute1_num,customproperty27:extensionAttribute2_num,RECONCILATION_FIELD:objectGUID_Binary",
"activeGroupPossibleValues": [
"Active",
"a",
"l",
"TRUE"
]
}
I have gone through this link but no luck.
https://forums.saviynt.com/t5/identity-governance/duplicate-entitlement/m-p/24152#M12462
05/01/2024 09:01 AM
@srikanth1202 : Change the entitlementID mapping to distinguishedName, like below, and see if the issue persists
entitlementid:distinguishedName_char
If the issue persists, can you please share the entitlementID values of one group for both Active and Inactive, masking sensitive details?
05/01/2024 10:14 AM
Thank you for checking.
I tried with the below but no luck
entitlementid:distinguishedName_char
05/01/2024 10:44 AM - edited 05/01/2024 10:47 AM
@srikanth1202 : Is the blank one coming from Account Import? Also, can you confirm the sequence?
You are running trigger chain and in that
If so, out of both, which is Active vs Inactive (the blank EntID one or the other)?
05/01/2024 11:42 AM
Is the blank one coming from Account Import? Also, can you confirm the sequence?
Yes. It is coming from Account import.
You are running trigger chain and in that
That's correct
If so, out of both, which is Active vs Inactive (the blank EntID one or the other)?
Both Ents are in active state.
05/01/2024 11:50 AM
A duplicate entitlement is created even when I run Access import alone.
05/01/2024 02:34 PM
Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.
05/03/2024 07:50 AM
Sure.
I don't see any error.
Here are the logs:
2024-05-03T10:38:20-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,SOX_CRITICAL=0,SYS_CRITICAL=0,JOB_ID=99227,STATUS=1,ENTITLEMENT_VALUE='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',ENTITLEMENTTYPEKEY=13 on duplicate key update JOB_ID=99227,STATUS=1 ,ENTITLEMENT_VALUE='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com'
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-entValueADAttributeValue= GroupImportTest5
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-reconcilationADAttributeValue= GroupImportTest5
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,SOX_CRITICAL=0,SYS_CRITICAL=0,JOB_ID=99227,STATUS=1,customproperty4='-2147483646',customproperty10='CN=Group,CN=Schema,CN=Configuration,DC=XXXX,DC=com',customproperty5=null,customproperty2='4',customproperty12='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty11='GroupImportTest5',customproperty1='268435456',customproperty19='9f062ee7-9839-4394-95d6-06965a8759ed',customproperty14='top,group',lastscandate='2024-05-03 14:27:24',customproperty13='GroupImportTest5',entitlement_glossary=null,customproperty15=null,updatedate='2024-05-03 14:27:40',entitlement_value='GroupImportTest5',customproperty9='GroupImportTest5',customproperty6=null,customproperty21=null,customproperty22='S-1-5-21-3588672247-3186038017-4129633141-7113',entitlementid='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty29=null,customproperty27=null,displayname='GroupImportTest5',ENTITLEMENTTYPEKEY=13 on duplicate key update JOB_ID=99227,STATUS=1 ,customproperty4='-2147483646',customproperty10='CN=Group,CN=Schema,CN=Configuration,DC=XXXX,DC=com',customproperty5=null,customproperty2='4',customproperty12='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty11='GroupImportTest5',customproperty1='268435456',customproperty19='9f062ee7-9839-4394-95d6-06965a8759ed',customproperty14='top,group',lastscandate='2024-05-03 14:27:24',customproperty13='GroupImportTest5',entitlement_glossary=null,customproperty15=null,updatedate='2024-05-03 14:27:40',entitlement_value='GroupImportTest5',customproperty9='GroupImportTest5',customproperty6=null,customproperty21=null,customproperty22='S-1-5-21-3588672247-3186038017-4129633141-7113',entitlementid='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty29=null,customproperty27=null,displayname='GroupImportTest5'
05/03/2024 07:58 AM
2024-05-03T10:50:51-04:00-ecm--null-nxxmf--AND ENTITLEMENT_VALUEKEY=207639
2024-05-03T10:50:51-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
2024-05-03T10:50:51-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 ) params = [max: 5, offset: 0]
2024-05-03T10:50:50-04:00-ecm-workflow.WorkflowmanagementController-http-nio-8080-exec-345-nxxmf-DEBUG-Executing count query SELECT count(*) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
2024-05-03T10:50:50-04:00-ecm-controllers.RolesController-http-nio-8080-exec-349-nxxmf-DEBUG-Query to get roles: Select rl from Roles rl WHERE rl.status in (0,1,2,3,4,5,-11) AND rl.id not in(SELECT distinct re.rolekey FROM Role_entitlements re where re.entitlement_valuekey = 207639) AND 1=1
2024-05-03T10:39:53-04:00-ecm-controllers.RolesController-http-nio-8080-exec-340-nxxmf-DEBUG-Query to get roles: Select rl from Roles rl WHERE rl.status in (0,1,2,3,4,5,-11) AND rl.id not in(SELECT distinct re.rolekey FROM Role_entitlements re where re.entitlement_valuekey = 207639) AND 1=1
2024-05-03T10:39:54-04:00-ecm--null-nxxmf--AND ENTITLEMENT_VALUEKEY=207639
2024-05-03T10:39:54-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
2024-05-03T10:39:54-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 ) params = [max: 5, offset: 0]
2024-05-03T10:39:53-04:00-ecm-workflow.WorkflowmanagementController-http-nio-8080-exec-349-nxxmf-DEBUG-Executing count query SELECT count(*) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
========
2024-05-03T10:50:51-04:00-ecm-controllers.RolesController-http-nio-8080-exec-340-nxxmf-DEBUG-Query to get roles: Select rl from Roles rl WHERE rl.status in (0,1,2,3,4,5,-11) AND rl.id not in(SELECT distinct re.rolekey FROM Role_entitlements re where re.entitlement_valuekey = 207640) AND 1=1
2024-05-03T10:50:52-04:00-ecm--null-nxxmf--AND ENTITLEMENT_VALUEKEY=207640
2024-05-03T10:50:52-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207640 and ( 1 = 1 )
2024-05-03T10:50:52-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207640 and ( 1 = 1 ) params = [max: 5, offset: 0]
2024-05-03T10:50:51-04:00-ecm-workflow.WorkflowmanagementController-http-nio-8080-exec-333-nxxmf-DEBUG-Executing count query SELECT count(*) from Entitlement_values ev where ev.id != 207640 and ( 1 = 1 )
2024-05-03T10:38:24-04:00-ecm-worker--null-6m9lr--VALUES (27650,207640,'2024-05-03 14:38:20',99227) ON DUPLICATE KEY UPDATE
===
ENTITLEMENT_VALUE 'GroupImportTest5' of key : 207639
ENTITLEMENT_VALUE 'CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com' of key : 207640
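An added example, not part of the original posts and not Saviynt code: a Python check over DEBUG lines of the form posted above that parses each ENTITLEMENT_VALUES insert and flags a group written under more than one ENTITLEMENT_VALUE for the same ENTITLEMENTTYPEKEY. The sample lines are abbreviated copies of the posted ones, and grouping by the leading CN is an assumption made for this illustration.

```python
import re
from collections import defaultdict

# Abbreviated copies of the DEBUG lines posted above (column lists shortened).
SAMPLE_LOG = """\
2024-05-03T10:38:20-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,JOB_ID=99227,STATUS=1,ENTITLEMENT_VALUE='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',ENTITLEMENTTYPEKEY=13 on duplicate key update JOB_ID=99227,STATUS=1
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,JOB_ID=99227,STATUS=1,customproperty12='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',entitlement_value='GroupImportTest5',entitlementid='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',ENTITLEMENTTYPEKEY=13 on duplicate key update JOB_ID=99227,STATUS=1
"""

SET_CLAUSE = re.compile(
    r"INSERT INTO ENTITLEMENT_VALUES SET (.*?) on duplicate key update", re.I)
# column=value, where value is a quoted string (may contain commas) or a bare token
ASSIGNMENT = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\s]+)")
# first RDN of a DN, allowing backslash-escaped commas inside the CN
FIRST_RDN = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.I)

def parse_insert(line):
    """Return {column: value} for one logged insert, or None if the line has none."""
    m = SET_CLAUSE.search(line)
    if not m:
        return None
    cols = {}
    for key, raw in ASSIGNMENT.findall(m.group(1)):
        if raw.startswith("'"):
            cols[key.lower()] = raw[1:-1]
        else:
            cols[key.lower()] = None if raw.lower() == "null" else raw
    return cols

def group_name(value):
    """Heuristic: a DN and a plain name refer to the same group if the CN matches."""
    m = FIRST_RDN.match(value)
    return (m.group(1) if m else value).lower()

def find_split_entitlements(log_text):
    """Map (type key, group name) -> distinct ENTITLEMENT_VALUEs, when more than one."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        cols = parse_insert(line)
        if cols and cols.get("entitlement_value"):
            key = (cols.get("entitlementtypekey"), group_name(cols["entitlement_value"]))
            seen[key].add(cols["entitlement_value"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (type_key, name), values in find_split_entitlements(SAMPLE_LOG).items():
        print(f"type {type_key}, group {name}: written as {values}")
```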
05/06/2024 09:32 AM
Any thoughts !!
05/06/2024 09:41 AM
@srikanth1202 try the below; any luck?
{
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "false",
"groupObjectClass":"(objectclass=group)",
"mapping":"customProperty1:sAMAccountName_char,entitlement_value:distinguishedName_char,lastscandate:whenCreated_date,CUSTOMPROPERTY7:managedBy_char,CUSTOMPROPERTY10:extensionAttribute3_char,entitlementid:objectGUID_Binary,RECONCILATION_FIELD:entitlementid"
}
05/06/2024 10:44 AM
no luck
05/06/2024 11:27 AM
@srikanth1202 : At this point I assume the duplicate entitlement with a blank EntitlementID is coming from Account Import when the group has not yet been brought into Saviynt by Access Import. Now if you run only Access Import directly (don't run the trigger chain), then it should disable all entitlements which have a blank EntitlementID. If that happens, then just change your order to run Access Import first and then Account Import.
05/06/2024 11:37 AM
I even tried running only Access import; it happens when a group is moved from one OU to another OU.
05/06/2024 11:39 AM
Here the major concern is duplicate entitlement creation, irrespective of the entitlement status.
05/06/2024 11:56 AM - edited 05/06/2024 11:56 AM
@srikanth1202 : If you change the entitlementID mapping / recon field mapping, it is expected to have new entries, and old entries will be in disabled state. Please use one format and test your original issue.