
Duplicate records for Azure AD AADGroup Entitlements with inactive status

sreehariv
New Contributor III

Hello Team,

A lot of duplicate entries have been created for Azure AD entitlements after recon in all of our environments (Dev, Test, Prod). When we try to upload owners through CSV, it does not update the active entitlement record. We checked the database and found that there are a lot of duplicates (in the thousands) with inactive status.

Below is the Azure AD Entitlement Attribute Mapping.

 

{
  "entitlementAttribute": {
    "AADGroup": {
      "colsToPropsMap": {
        "entitlementID": "id~#~char",
        "entitlement_value": "displayName~#~char",
        "customproperty14": "mailEnabled~#~char",
        "customproperty23": "deletionTimestamp~#~char",
        "description": "description~#~char",
        "customproperty25": "dirSyncEnabled~#~char",
        "customproperty26": "lastDirSyncTime~#~char",
        "customproperty27": "mail~#~char",
        "customproperty28": "mailEnabled~#~char",
        "customproperty29": "onPremisesSecurityIdentifier~#~char",
        "customproperty30": "securityEnabled~#~char",
        "customproperty31": "groupTypes~#~listAsString",
        "customproperty32": "membershipRule~#~char",
        "customproperty33": "membershipRuleProcessingState~#~char",
        "customproperty34": "resourceProvisioningOptions~#~char"
      }
    }
  }
}

 

The reason we mapped customproperty14 is that it was giving a data truncate error when we tried to import owners. So, for the time being, as a workaround, we have mapped mailEnabled, as it is just a boolean flag.

Is this causing the duplicate entitlements to be created? If this were the case: we don't even have customproperty14 in the entitlement attribute JSON in prod, but prod still has a large number of inactive entitlements.

In prod only a single access recon was executed, and we can see that the number of existing Azure AD groups is different from what we see under the Entitlements tab for the same endpoint.

Not only prod; it was the same case in all the environments.

 

We were not able to identify why these inactive duplicate entitlement entries got created. Because of this, we were not able to load the owners for the active entitlements, as it was not updating the right one.

 

Is there a way to delete these entitlements?

Why did this issue happen?

How does Saviynt determine the status of an entitlement? Is it based on some customproperty or attribute? We didn't see anything related to this in the forum or the Freshdesk docs for the connector.

 

Thanks

Sreehari


SB
Saviynt Employee

Can you confirm whether the duplicate entitlements are getting created with every import that you run?

Also, what are the values you have defined under STATUS_THRESHOLD_CONFIG?


Regards,
Sahil

sreehariv
New Contributor III

Hello Sahil,

I can see a total of 27504 records as entitlements under the endpoint.

When we checked the duplicates through analytics, we found that 11695 have duplicates.

Out of these, 11504 have 2 each, 101 have 3 each, 20 of them have 4 each, and so on.

I am not sure if it is creating duplicates on every run, but we can see that it's not creating duplicates on every run, as I can see we have run this recon multiple times since December.

 

We haven't configured anything under STATUS_THRESHOLD_CONFIG for this one. 

 

 

Thanks

Sreehari

SB
Saviynt Employee

There is a possibility that the job is failing to import part of the entitlements at times, which makes them inactive. These entitlements are then created again when the job next runs and is able to pull all of them.

Can you please create a ticket with the Support team as this would need to be analyzed further to identify the cause.


Regards,
Sahil

There is no dependency on cp14. What is the job type in production? Does the entitlement have a Job_id?

Making an entitlement inactive is based on the job ID: if the latest import job does not bring in an entitlement, it will make the rest of the entitlements inactive.


Regards,
Rushikesh Vartak
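
An added example, not part of the thread and not Saviynt code: one way to triage an exported list of entitlement records for a single endpoint, counting how many entitlement IDs are duplicated and separating IDs with exactly one active record from those with none or several. The CSV column names and the sample rows are constructed assumptions, not Saviynt's schema.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. Column names are assumptions for this example,
# not Saviynt's database schema.
SAMPLE_EXPORT = """entitlement_id,entitlement_value,status,job_id
g-001,Finance-Readers,active,105
g-001,Finance-Readers,inactive,101
g-002,HR-Admins,active,105
g-003,Ops-Oncall,inactive,101
g-003,Ops-Oncall,inactive,103
g-003,Ops-Oncall,active,105
g-004,Legacy-App,inactive,101
g-005,Dup-Active,active,103
g-005,Dup-Active,active,105
"""


def analyze(export_text):
    """Classify duplicated entitlement IDs by how many active copies exist."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[row["entitlement_id"].strip()].append(row)

    report = {"histogram": Counter(), "single_active": {}, "ambiguous": []}
    for ent_id, rows in sorted(groups.items()):
        if len(rows) < 2:
            continue  # only one record for this ID, so not a duplicate
        report["histogram"][len(rows)] += 1
        active = [r for r in rows if r["status"].strip().lower() == "active"]
        if len(active) == 1:
            # One active copy: the other copies are the inactive duplicates.
            stale = sorted(int(r["job_id"]) for r in rows if r is not active[0])
            report["single_active"][ent_id] = {
                "active_job": int(active[0]["job_id"]),
                "stale_jobs": stale,
            }
        else:
            # Zero or several active copies: an owner upload keyed on this
            # ID has no single record to update.
            report["ambiguous"].append(ent_id)
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_EXPORT)
    print("IDs per duplicate count:", dict(result["histogram"]))
    for ent_id, info in result["single_active"].items():
        print(ent_id, "active job", info["active_job"], "stale", info["stale_jobs"])
    print("needs manual review:", result["ambiguous"])
```

Comparing the job IDs of the inactive copies with the import job history shows which runs left records behind, which is the detail a support ticket would need.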