We ran into a new issue last weekend:
We're maintaining some AD child endpoint entitlement custom properties manually in Saviynt for controlling how the entitlement behaves in approval workflows and also for setting display name for the entitlement in case we want to use a different display name that is imported from AD.
AD connection groupImportMapping is also updating some entitlement custom properties but not the same ones that are maintained manually.
This has been working well, but during the last weekend all manually managed AD child endpoint entitlement custom properties were set as empty in production. The old values are still visible in entitlement history, but action to remove the value or overwrite it with an empty value isn't visible in entitlement history.
We were able to restore the values by searching the old values from entitlement_values_history table with a custom analytics report but still wondering why the custom property values were lost and how to troubleshoot the issue.
The VPN connection between Saviynt and AD broke down during the weekend, so there was a failed AD account full import job and a failed AD access full import job. I wonder if that can cause entitlement custom properties to be emptied, even though the custom properties are not updated by the AD connection.
