Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Duplicate entitlement

srikanth1202
New Contributor II
New Contributor II

‎05/01/2024 07:43 AM

HI Team,

if an Active Directory group with Account and the import process is run then duplicate entitlement being created. One is active and another one Inactive. 

Group creation steps: Group created and added account to that group manually in AD 

Job sequence: Its trigger chain job(Account and access import)

RECONCILATION_FIELD is RECONCILATION_FIELD:objectGUID_Binary.

entitlementid mapping is entitlementid:sAMAccountName_char but I also tried with DN, objectGUID

performGroupAccountLinking : tried with true and false 

Below is the Group Import Mapping: 

{
"importGroupHierarchy": "false",
"performGroupAccountLinking": "true",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,entitlement_glossary:description_char,entitlement_value:sAMAccountName_char,entitlementid:sAMAccountName_char,lastscandate:whenCreated_date,displayname:cn_char,updatedate:whenChanged_date,customProperty1:sAMAccountType_char,customProperty2:instanceType_char,customProperty4:groupType_char,customProperty9:name_char,customProperty10:objectCategory_char,customProperty11:sAMAccountName_char,customProperty12:distinguishedName_char,customProperty13:cn_char,customProperty14:objectClass_char,customProperty15:managedBy_char,customProperty19:objectGUID_Binary,customProperty22:objectSid_Binary,customProperty21:info_char,customProperty5:languageCode_char,customProperty6:language_char,customproperty29:extensionAttribute1_num,customproperty27:extensionAttribute2_num,RECONCILATION_FIELD:objectGUID_Binary",
"activeGroupPossibleValues": [
"Active",
"a",
"l",
"TRUE"
]
}

 

I have gone through this link but no luck. 

https://forums.saviynt.com/t5/identity-governance/duplicate-entitlement/m-p/24152#M12462 

Labels:
0 Kudos
15 REPLIES 15

Saathvik
All-Star
All-Star

‎05/01/2024 09:01 AM

@srikanth1202 : Change the entitlementID mapping to distinguishedName and see if the issue persists like below

entitlementid:distinguishedName_char

 If issue persists can you please share the entitlementID values of one group for both Active and Inactive by masking sensitive details


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/01/2024 10:14 AM

Thank you for checking. 

 

I tried with below but no luck

entitlementid:distinguishedName_char

 

srikanth1202_0-1714583664014.png

 

0 Kudos

Saathvik
All-Star
All-Star
In response to srikanth1202

‎05/01/2024 10:44 AM - edited ‎05/01/2024 10:47 AM

@srikanth1202 : Is blank one is coming from Account Import? Also can you confirm the Sequence?

You are running trigger chain and in that 

  • 1st Account
  • 2nd Access Import right?

If so out both which is Active vs Inactive(Blank EntID one or other?)


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/01/2024 11:42 AM

 Is blank one is coming from Account Import? Also can you confirm the Sequence?

Yes. It is coming from Account import. 

You are running trigger chain and in that 

  • 1st Account
  • 2nd Access Import right?

That's correct

If so out both which is Active vs Inactive(Blank EntID one or other?)

Both Ent's are are in active state. 

 

0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/01/2024 11:50 AM

Duplicate entitlement is creating even I run Access import alone. 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to srikanth1202

‎05/01/2024 02:34 PM

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues .


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.
0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/03/2024 07:50 AM

Sure. 

I don't see any error. 

Here are the logs: 

2024-05-03T10:38:20-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,SOX_CRITICAL=0,SYS_CRITICAL=0,JOB_ID=99227,STATUS=1,ENTITLEMENT_VALUE='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',ENTITLEMENTTYPEKEY=13 on duplicate key update JOB_ID=99227,STATUS=1 ,ENTITLEMENT_VALUE='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com'
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-entValueADAttributeValue= GroupImportTest5
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-reconcilationADAttributeValue= GroupImportTest5
2024-05-03T10:38:16-04:00-ecm-worker-services.AdImportService-quartzScheduler_Worker-9-6m9lr-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,SOX_CRITICAL=0,SYS_CRITICAL=0,JOB_ID=99227,STATUS=1,customproperty4='-2147483646',customproperty10='CN=Group,CN=Schema,CN=Configuration,DC=XXXX,DC=com',customproperty5=null,customproperty2='4',customproperty12='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty11='GroupImportTest5',customproperty1='268435456',customproperty19='9f062ee7-9839-4394-95d6-06965a8759ed',customproperty14='top,group',lastscandate='2024-05-03 14:27:24',customproperty13='GroupImportTest5',entitlement_glossary=null,customproperty15=null,updatedate='2024-05-03 14:27:40',entitlement_value='GroupImportTest5',customproperty9='GroupImportTest5',customproperty6=null,customproperty21=null,customproperty22='S-1-5-21-3588672247-3186038017-4129633141-7113',entitlementid='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty29=null,customproperty27=null,displayname='GroupImportTest5',ENTITLEMENTTYPEKEY=13 on duplicate key update JOB_ID=99227,STATUS=1 ,customproperty4='-2147483646',customproperty10='CN=Group,CN=Schema,CN=Configuration,DC=XXXX,DC=com',customproperty5=null,customproperty2='4',customproperty12='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty11='GroupImportTest5',customproperty1='268435456',customproperty19='9f062ee7-9839-4394-95d6-06965a8759ed',customproperty14='top,group',lastscandate='2024-05-03 14:27:24',customproperty13='GroupImportTest5',entitlement_glossary=null,customproperty15=null,updatedate='2024-05-03 14:27:40',entitlement_value='GroupImportTest5',customproperty9='GroupImportTest5',customproperty6=null,customproperty21=null,customproperty22='S-1-5-21-3588672247-3186038017-4129633141-7113',entitlementid='CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com',customproperty29=null,customproperty27=null,displayname='GroupImportTest5'

 

0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/03/2024 07:58 AM


2024-05-03T10:50:51-04:00-ecm--null-nxxmf--AND ENTITLEMENT_VALUEKEY=207639
2024-05-03T10:50:51-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
2024-05-03T10:50:51-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 ) params = [max: 5, offset: 0]
2024-05-03T10:50:50-04:00-ecm-workflow.WorkflowmanagementController-http-nio-8080-exec-345-nxxmf-DEBUG-Executing count query SELECT count(*) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
2024-05-03T10:50:50-04:00-ecm-controllers.RolesController-http-nio-8080-exec-349-nxxmf-DEBUG-Query to get roles: Select rl from Roles rl WHERE rl.status in (0,1,2,3,4,5,-11) AND rl.id not in(SELECT distinct re.rolekey FROM Role_entitlements re where re.entitlement_valuekey = 207639) AND 1=1
2024-05-03T10:39:53-04:00-ecm-controllers.RolesController-http-nio-8080-exec-340-nxxmf-DEBUG-Query to get roles: Select rl from Roles rl WHERE rl.status in (0,1,2,3,4,5,-11) AND rl.id not in(SELECT distinct re.rolekey FROM Role_entitlements re where re.entitlement_valuekey = 207639) AND 1=1
2024-05-03T10:39:54-04:00-ecm--null-nxxmf--AND ENTITLEMENT_VALUEKEY=207639
2024-05-03T10:39:54-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )
2024-05-03T10:39:54-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 ) params = [max: 5, offset: 0]
2024-05-03T10:39:53-04:00-ecm-workflow.WorkflowmanagementController-http-nio-8080-exec-349-nxxmf-DEBUG-Executing count query SELECT count(*) from Entitlement_values ev where ev.id != 207639 and ( 1 = 1 )

========

2024-05-03T10:50:51-04:00-ecm-controllers.RolesController-http-nio-8080-exec-340-nxxmf-DEBUG-Query to get roles: Select rl from Roles rl WHERE rl.status in (0,1,2,3,4,5,-11) AND rl.id not in(SELECT distinct re.rolekey FROM Role_entitlements re where re.entitlement_valuekey = 207640) AND 1=1
2024-05-03T10:50:52-04:00-ecm--null-nxxmf--AND ENTITLEMENT_VALUEKEY=207640
2024-05-03T10:50:52-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207640 and ( 1 = 1 )
2024-05-03T10:50:52-04:00-ecm--null-nxxmf--ev.customproperty1 as customproperty1) from Entitlement_values ev where ev.id != 207640 and ( 1 = 1 ) params = [max: 5, offset: 0]
2024-05-03T10:50:51-04:00-ecm-workflow.WorkflowmanagementController-http-nio-8080-exec-333-nxxmf-DEBUG-Executing count query SELECT count(*) from Entitlement_values ev where ev.id != 207640 and ( 1 = 1 )
2024-05-03T10:38:24-04:00-ecm-worker--null-6m9lr--VALUES (27650,207640,'2024-05-03 14:38:20',99227) ON DUPLICATE KEY UPDATE

 

===


ENTITLEMENT_VALUE 'GroupImportTest5' of key : 207639

ENTITLEMENT_VALUE 'CN=GroupImportTest5,OU=EICTest,DC=XXXX,DC=com' of key : 207640

0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/06/2024 09:32 AM

Any thoughts !!

0 Kudos

Raghu
All-Star
All-Star
In response to srikanth1202

‎05/06/2024 09:41 AM

@srikanth1202  try below any luck

{
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "false",
"groupObjectClass":"(objectclass=group)",
"mapping":"customProperty1:sAMAccountName_char,entitlement_value:distinguishedName_char,lastscandate:whenCreated_date,CUSTOMPROPERTY7:managedBy_char,CUSTOMPROPERTY10:extensionAttribute3_char,entitlementid:objectGUID_Binary,RECONCILATION_FIELD:entitlementid"
}


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.
0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/06/2024 10:44 AM

no luck

0 Kudos

Saathvik
All-Star
All-Star
In response to srikanth1202

‎05/06/2024 11:27 AM

@srikanth1202 : At this point I assume duplicate entitlement with blank EntitlementID is coming from Account Import when group is not yet brought to saviynt by Access Import. Now if you run only Access Import directly (Don't run trigger chain) then it should disable all entitlements which have blank EntitlementID. If that happens then just change your order to run Access Import first and then Account Import.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/06/2024 11:37 AM

Even I tried only running access import, it is happening when group is moved from OU to another OU

0 Kudos

srikanth1202
New Contributor II
New Contributor II

‎05/06/2024 11:39 AM

Here major concern is duplicate Entitlement creation irrespective of the Entitlement status

0 Kudos

Saathvik
All-Star
All-Star
In response to srikanth1202

‎05/06/2024 11:56 AM - edited ‎05/06/2024 11:56 AM

@srikanth1202 : if you change the entitlementID mapping / recon field mapping it is expected to have new entries and old entries will be in disabled state. Please use one format and test your original issue.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
0 Kudos
Copyright © 2024 Khoros, LLC