
Entitlement Hierarchy Recon for ADSI

saoual
New Contributor

Since we ran the access reconciliation job on the ADSI connector, the link between the account and the entitlement is broken. Since this job was run, the account's entitlement hierarchy table is empty. Can you please help us understand why this happens and how to re-establish the entitlements on the entitlement hierarchy table?

 


rushikeshvartak
All-Star

This can happen due to client credentials expiry. To restore, run the access/entitlement import again.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

The credentials have not expired, my connection is successfully established. The account reconciliation job works, as does account provisioning. It's just the access reconciliation job that suspends the link between the account and the entitlements, and my entitlement hierarchy table is empty.


 

Here is the information contained in my STATUS_THRESHOLD_CONFIG and groupimportmapping:

"statusColumn": "customproperty24",
"activeStatus": [
"512",
"544",
"66048"
],
"deleteLinks": false,
"accountThresholdValue": 10000,
"correlateInactiveAccounts": true,
"inactivateAccountsNotInFile": false
}
}

 

{
"importGroupHierarchy": "true",
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedby_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_char,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,customProperty18:objectguid_char,RECONCILATION_FIELD:customProperty18"
}

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.



‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️


Regards,
Rushikesh Vartak

Hi @saoual 

Could you please provide the logs of the job run when this happened? Please run access import again and see if the entitlement hierarchy is restored. Please collect the logs and share.

Regards,

Dhruv Sharma

saoual
New Contributor

Hi Dhruv,

Would it be possible for me to send you the logs by e-mail? Or can I upload screenshots?
I've re-run the job and the entitlements hierarchy is still empty.

Regards

You can attach logs here masking sensitive client information 

‼️‼️⚠️Keep company-specific private information masked on public forums, such as the name and URL.⚠️‼️‼️


Regards,
Rushikesh Vartak

Please find below the requested logs.

sangitaladi
Regular Contributor II

Please update the below in the ADSI connector configuration and retry the access import. See if it works:

ENTITLEMENT_ATTRIBUTE

memberOf

Entitlement attribute is already at memberof.

Dhruv_S
Saviynt Employee

Hi @saoual 

As per the logs, 

EntitlementType 'memberof' for Endpoint 'ADSI_Test' found with EntitlementTypekey - 76"

Please use memberOf in ENTITLEMENT_ATTRIBUTE.

Difference is capital O. Please confirm if it works.

Regards,

Dhruv Sharma

saoual
New Contributor

Hello,
As requested I updated the entitlement_attribute to memberOf (with a capital O) but despite this change I still have the same problem since I saw here

saoual_0-1716812933012.png

 

that the memberof (the o is lowercase) so I updated the groupImportMapping with a memberof (lowercase o) but again the problem persists.

sangitaladi
Regular Contributor II

Hi Dhruv

Please share DEBUG logs of access import.

Note: Keep company-specific private information masked on public forums, such as the name and URL.

Regards

Sangita Ladi

Hello, here are the logs

saoual
New Contributor

Hello, do you have a solution for my problem, please?

I don't see any logs related to the job except another error:

services.SaviyntCommonUtilityService - Exception in getUsername"
"2024-05-27T13:02:53.269+00:00","ecm","","null-kr6rv","","2024-05-27T13:02:52.407599077Z stdout F java.lang.NullPointerException: Cannot get property 'firstname' on null object"


Regards,
Rushikesh Vartak

Hi, yes indeed there is nothing in the logs... I restarted the job and this is all I got as an attachment.

Dhruv_S
Saviynt Employee

Hi @saoual 

The logs don't have relevant information. 

Could you please confirm if this was working earlier and broken now, or entitlement hierarchy never worked since new implementation?  Was there any change done in JSONs/other configuration/upgrade?

Is the job even completing successfully?

Regards,

Dhruv Sharma

saoual
New Contributor

Hi,

The entitlement hierarchy was filled in previously, so when I assign a group to a user I find this entitlement in the account's entitlement hierarchy table, but as soon as the full access import job is executed, all entitlements are removed from the account's entitlement hierarchy table. The job had never been launched before, it was launched for a certain customer need and so each time it runs it empties the entitlement hierarchy table. When the job finishes running it is still successful.
Note that this is the ADSI connection

Regards

Dhruv_S
Saviynt Employee

Hi @saoual 

Could you please confirm if the associated entitlements are there and only hierarchy is removed?

How was the entitlement added to the account? Are they added in the target application and then imported, or they were provisioned from Saviynt side?

If they have been provisioned from Saviynt- can you please confirm if they are associated to the account on the target application end?

Regards,

Dhruv Sharma

saoual
New Contributor

Hi Dhruv,

 

1. Could you please confirm if the associated entitlements are there and only hierarchy is removed?

Answer: Yes, the associated entitlements are present on the target, only the hierarchy is deleted.

2. How was the entitlement added to the account? Are they added in the target application and then imported, or they were provisioned from Saviynt side?

Answer:  For most rights, they were added by Saviynt. 

3. If they have been provisioned from Saviynt- can you please confirm if they are associated to the account on the target application end?

Answer: Yes, I confirm that they are associated to the account on the target application end.

Regards

Dhruv_S
Saviynt Employee

Hi @saoual 

Please test with below JSON in groupimportmapping in lower environment.  Let us know if it works. Revert the configuration if it doesn't populate the entitlement hierarchy.

 

{"importGroupHierarchy":"true","entitlementTypeName":"","performGroupAccountLinking":"true","groupObjectClass":"(objectclass=group)",

"mapping":"memberHash:memberof_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedBy_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:distinguishedname_char,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,RECONCILATION_FIELD:customProperty18,customProperty18:objectguid_char"}

 

Regards,

Dhruv Sharma
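
Added example, not part of any post in this thread and not Saviynt code: a small Python helper that diffs two groupimportmapping JSONs entry by entry, so that what changed between the configuration posted at the start of the thread and the one suggested above is visible regardless of entry order. The two sample inputs are abbreviated from those posts; the function names and the "case-only" label are this example's own.

```python
import json

# Abbreviated from the two groupimportmapping JSONs posted in this thread
# (a subset of the mapping entries; values copied as posted).
ORIGINAL = '''{"importGroupHierarchy": "true", "entitlementTypeName": "memberOf",
 "mapping": "memberHash:member_char,customProperty15:managedby_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_char,customProperty18:objectguid_char,RECONCILATION_FIELD:customProperty18"}'''
SUGGESTED = '''{"importGroupHierarchy": "true", "entitlementTypeName": "",
 "mapping": "memberHash:memberof_char,customProperty15:managedBy_char,entitlement_value:distinguishedname_char,entitlementid:distinguishedname_char,RECONCILATION_FIELD:customProperty18,customProperty18:objectguid_char"}'''

def parse_config(text):
    """Split a groupimportmapping JSON into (top-level settings, mapping pairs)."""
    cfg = json.loads(text)
    pairs = {}
    for item in cfg.pop("mapping", "").split(","):
        target, sep, source = item.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed mapping entry: {item!r}")
        if target in pairs:
            raise ValueError(f"duplicate mapping target: {target}")
        pairs[target] = source
    return cfg, pairs

def classify(old, new):
    """Label a difference; 'case-only' marks values that differ only in letter case."""
    if old is None:
        return "added"
    if new is None:
        return "removed"
    return "case-only" if str(old).lower() == str(new).lower() else "changed"

def diff_configs(old_text, new_text):
    """Return (scope, name, old, new, kind) for each difference, ignoring entry order."""
    changes = []
    scopes = zip(("setting", "mapping"), parse_config(old_text), parse_config(new_text))
    for scope, old, new in scopes:
        for name in sorted(set(old) | set(new)):
            a, b = old.get(name), new.get(name)
            if a != b:
                changes.append((scope, name, a, b, classify(a, b)))
    return changes

if __name__ == "__main__":
    for change in diff_configs(ORIGINAL, SUGGESTED):
        print(change)
```

Running it on the two samples lists four differences, one of which (customProperty15) differs only in letter case; the reordering of RECONCILATION_FIELD and customProperty18 is not reported.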

 

saoual
New Contributor

Hi Dhruv,
I did the test... the child account is set to “Suspended From Import” and the entitlement hierarchy is emptied on the parent account.

Regards

Dhruv_S
Saviynt Employee

Hi @saoual 

Please use the below JSON in groupimportmapping.

{
"importGroupHierarchy": "true",
"entitlementTypeName": "memberOf",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,customProperty1:samaccounttype_char,customProperty2:instancetype_char,customProperty3:usncreated_char,customProperty4:grouptype_char,customProperty5:dscorepropagationdata_char,customProperty12:dn_char,customProperty13:cn_char,lastscandate:whencreated_date,customProperty15:managedby_char,entitlement_glossary:description_char,description:description_char,displayname:name_char,customProperty9:name_char,customProperty10:objectcategory_char,customProperty11:samaccounttype_char,entitlement_value:distinguishedname_char,entitlementid:objectguid_binary,customProperty14:objectclass_char,updatedate:whenchanged_date,customProperty17:distinguishedname_char,customProperty18:objectguid_binary,RECONCILATION_FIELD:customProperty18"
}

saoual
New Contributor

I tried that too, but it didn't work.

Dhruv_S
Saviynt Employee

Hi @saoual 

Could you please share the logs for the same (Job Run) on the existing ticket.

Regards,

Dhruv Sharma