05/22/2024 09:51 AM
Since we ran the access reconciliation job on the ADSI connector, the link between the account and the entitlement is broken. Since this job was run, the account's entitlement hierarchy table is empty. Can you please help us understand why this happens and how to re-establish the entitlements on the entitlement hierarchy table?
05/22/2024 08:16 PM
This can happen due to client credentials expiry. In order to restore, run access/entitlement import again.
05/23/2024 03:26 AM
The credentials have not expired, my connection is successfully established. The account reconciliation job works, as does account provisioning. It's just the access reconciliation job that suspends the link between the account and the entitlements, and my entitlement hierarchy table is empty.
05/23/2024 05:32 AM
Here is the information contained in my STATUS_THRESHOLD_CONFIG and groupimportmapping:
"statusColumn": "customproperty24",
"activeStatus": [
"512",
"544",
"66048"
],
"deleteLinks": false,
"accountThresholdValue": 10000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
}
}
{
"importGroupHierarchy": "true",
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedby_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_char,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,customProperty18:objectguid_char,RECONCILATION_FIELD:customProperty18"
}
05/23/2024 09:43 PM
Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.
‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️
05/24/2024 02:33 AM
Hi @saoual
Could you please provide the logs of the job run when this happened? Please run access import again and see if the entitlement hierarchy is restored. Please collect the logs and share.
Regards,
Dhruv Sharma
05/24/2024 05:26 AM
Hi Dhruv,
Would it be possible for me to send you the logs by e-mail? Or can I upload screenshots?
I've re-run the job and the entitlements hierarchy is still empty.
Regards
05/24/2024 06:19 AM
You can attach logs here, masking sensitive client information.
‼️‼️⚠️Keep company-specific private information masked on public forums, such as the name and URL.⚠️‼️‼️
05/24/2024 08:48 AM
05/24/2024 06:47 AM
Please update the below in the ADSI connector configuration and retry access import. See if it works:
ENTITLEMENT_ATTRIBUTE | memberOf |
05/24/2024 08:49 AM
Entitlement attribute is already at memberof.
05/27/2024 01:21 AM
Hi @saoual
As per the logs,
EntitlementType 'memberof' for Endpoint 'ADSI_Test' found with EntitlementTypekey - 76"
Please use memberOf in ENTITLEMENT_ATTRIBUTE.
Difference is capital O. Please confirm if it works.
Regards,
Dhruv Sharma
05/27/2024 05:29 AM
Hello,
As requested, I updated the entitlement_attribute to memberOf (with a capital O), but despite this change I still have the same problem. Since I saw here that memberof is written with a lowercase o, I updated the groupImportMapping with memberof (lowercase o), but again the problem persists.
05/27/2024 05:48 AM
Hi Dhruv
Please share DEBUG logs of access import.
Note: Keep company-specific private information masked on public forums, such as the name and URL.
Regards
Sangita Ladi
05/27/2024 06:54 AM
05/28/2024 07:52 AM
Hello, Do you have a solution for my problem please?
05/28/2024 09:09 AM
I don't see any logs related to the job, only another error:
services.SaviyntCommonUtilityService - Exception in getUsername"
"2024-05-27T13:02:53.269+00:00","ecm","","null-kr6rv","","2024-05-27T13:02:52.407599077Z stdout F java.lang.NullPointerException: Cannot get property 'firstname' on null object"
05/28/2024 01:41 PM
05/28/2024 09:40 PM
Hi @saoual
The logs don't have relevant information.
Could you please confirm if this was working earlier and broken now, or entitlement hierarchy never worked since new implementation? Was there any change done in JSONs/other configuration/upgrade?
Is the job even completing successfully?
Regards,
Dhruv Sharma
05/29/2024 12:11 AM
Hi,
The entitlement hierarchy was filled in previously, so when I assign a group to a user I find this entitlement in the account's entitlement hierarchy table, but as soon as the full access import job is executed, all entitlements are removed from the account's entitlement hierarchy table. The job had never been launched before; it was launched for a certain customer need, and each time it runs it empties the entitlement hierarchy table. When the job finishes running it is still successful.
Note that this is the ADSI connection.
Regards
05/29/2024 01:07 AM
Hi @saoual
Could you please confirm if the associated entitlements are there and only hierarchy is removed?
How was the entitlement added to the account? Are they added in the target application and then imported, or they were provisioned from Saviynt side?
If they have been provisioned from Saviynt- can you please confirm if they are associated to the account on the target application end?
Regards,
Dhruv Sharma
05/29/2024 01:33 AM
Hi Dhruv,
1. Could you please confirm if the associated entitlements are there and only hierarchy is removed?
Answer: Yes, the associated entitlements are present on the target, only the hierarchy is deleted.
2. How was the entitlement added to the account? Are they added in the target application and then imported, or they were provisioned from Saviynt side?
Answer: For most rights, they were added by Saviynt.
3. If they have been provisioned from Saviynt- can you please confirm if they are associated to the account on the target application end?
Answer: Yes, I confirm that they are associated to the account on the target application end.
Regards
05/31/2024 04:19 AM
Hi @saoual
Please test with below JSON in groupimportmapping in lower environment. Let us know if it works. Revert the configuration if it doesn't populate the entitlement hierarchy.
{"importGroupHierarchy":"true","entitlementTypeName":"","performGroupAccountLinking":"true","groupObjectClass":"(objectclass=group)",
"mapping":"memberHash:memberof_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedBy_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:distinguishedname_char,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,RECONCILATION_FIELD:customProperty18,customProperty18:objectguid_char"}
Regards,
Dhruv Sharma
05/31/2024 06:39 AM
Hi Dhruv,
I did the test... the child account is set to “Suspended From Import” and the entitlement hierarchy is emptied on the parent account.
Regards
05/31/2024 07:36 AM
Hi @saoual
Please use the below JSON in groupimportmapping.
{
"importGroupHierarchy": "true",
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedby_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_binary,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,customProperty18:objectguid_binary,RECONCILATION_FIELD:customProperty18"
}
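The three groupimportmapping "mapping" strings posted in this thread differ in only a few fields, which is hard to see in the one-line JSON. The following is an added example, not part of any post and not Saviynt tooling: it parses each string and lists the fields that changed, and the function and constant names are hypothetical.

```python
# Mapping strings copied verbatim from the thread's three groupimportmapping JSONs.
ORIGINAL = "memberHash:member_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedby_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_char,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,customProperty18:objectguid_char,RECONCILATION_FIELD:customProperty18"
FIRST_SUGGESTION = "memberHash:memberof_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedBy_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:distinguishedname_char,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,RECONCILATION_FIELD:customProperty18,customProperty18:objectguid_char"
SECOND_SUGGESTION = "memberHash:member_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedby_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_binary,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,customProperty18:objectguid_binary,RECONCILATION_FIELD:customProperty18"


def parse_mapping(mapping):
    """Split 'target:source,target:source,...' into a dict, rejecting bad entries."""
    pairs = {}
    for item in mapping.split(","):
        target, sep, source = item.strip().partition(":")
        if not sep or not target or not source:
            raise ValueError(f"malformed mapping entry: {item!r}")
        if target in pairs:
            raise ValueError(f"duplicate target field: {target}")
        pairs[target] = source
    return pairs


def diff_mappings(old, new):
    """Return {target: (old_source, new_source)} for each field that differs.

    Order of entries is ignored; the comparison is case-sensitive, so
    managedby_char and managedBy_char count as a change.
    """
    a, b = parse_mapping(old), parse_mapping(new)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}


def reconciliation_source(mapping):
    """Follow RECONCILATION_FIELD to the attribute mapped onto that field."""
    fields = parse_mapping(mapping)
    return fields.get(fields["RECONCILATION_FIELD"])


if __name__ == "__main__":
    for label, candidate in (("first suggestion", FIRST_SUGGESTION),
                             ("second suggestion", SECOND_SUGGESTION)):
        print(f"{label}: reconciliation source = {reconciliation_source(candidate)}")
        for field, (before, after) in diff_mappings(ORIGINAL, candidate).items():
            print(f"  {field}: {before} -> {after}")
```

The first suggested JSON also sets entitlementTypeName to an empty string, which this comparison of the mapping strings does not cover.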
05/31/2024 12:43 PM
I tried that too, but it didn't work.
06/02/2024 09:56 PM
Hi @saoual
Could you please share the logs for the same (Job Run) on the existing ticket.
Regards,
Dhruv Sharma