Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

entitlementThresholdValue limit exceeded

Paul_Meyer
Regular Contributor
Regular Contributor

‎05/17/2023 07:36 AM

For an full access recon job, the following error is encountered:

entitlementThresholdValue limit exceeded. No changes has been imported from Recon.

I cannot find any reference to "entitlementThresholdValue" in product documentation.

Any ideas where this setting should be configured?

Labels:
0 Kudos
16 REPLIES 16

SB
Saviynt Employee
Saviynt Employee

‎05/17/2023 11:08 AM

This config can either be defined under STATUS_THRESHOLD_CONFIG parameter or statusAndThresholdConfig variable specified in the ImportAccountEntJSON parameters.

Below is a sample of the config for reference and you can find it in the documentation by entThresholdValue keyword

{
"statusAndThresholdConfig": {
"accountThresholdValue": 100,
"inactivateAccountsNotInFile": true,
"statusColumn": "customproperty30",
"activeStatus": [
"ENABLE",
"PROVISIONED"
],
"inactivateEntsNotInFeed": true,
"entThresholdValue": {
"entType": {
"Group": {
"ent": 100
},
"Role": {
"ent": 100
}
}
}
}
}


Regards,
Sahil
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor

‎05/18/2023 01:10 AM - edited ‎05/18/2023 01:23 AM

@SB 

Using the following STATUS_THRESHOLD_CONFIG, with silly numbers, still gives the same error:

 

 

{
	"statusAndThresholdConfig": {
		"accountThresholdValue": 10000000,
		"entThresholdValue": {
			"entType": {
				"Organizations": {
					"ent": 10000000
				},
				"Roles": {
					"ent": 10000000
				}
			}
		},
		"inactivateAccountsNotInFile": true,
		"statusColumn": "customproperty10",
		"activeStatus": [
			"true"
		],
		"inactivateEntsNotInFeed": true,
		"correlateInactiveAccounts": true,
		"deleteAccEntForActiveAccounts": false,
		"deleteLinks": true
	}
}

 

Managed to find some log entries referring to "entTypeThreshold". Seems like there is a disconnect between the setting names used in the config and what the associated name is actually used in logs.

 

0 Kudos

SB
Saviynt Employee
Saviynt Employee
In response to Paul_Meyer

‎05/18/2023 08:37 AM

Can you share the complete JSON you are using if its still not working and also the job log if you can. Please update ConfigJSON param in the REST connection with value {"showLogs":true} before you run the job.


Regards,
Sahil
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to SB

‎05/18/2023 11:12 PM

@SB 

Configs attached.

 

Preview file
15 KB
Preview file
1 KB
Preview file
13 KB
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to Paul_Meyer

‎05/22/2023 12:37 AM

According to the log file, for each of the entitlements there is no status updates to be done, yet the access recon job end state is "Failed". If there is nothing to update, why would the job be in a failed status?

2023-05-18/14:59:07.084 [{}] [quartzScheduler_Worker-3] DEBUG services.ImportUtilityService - Start updateEntitlementStatus
2023-05-18/14:59:07.090 [{}] [quartzScheduler_Worker-3] DEBUG services.ImportUtilityService - entTypeThreshold for entType Duties: 10000000
2023-05-18/14:59:07.090 [{}] [quartzScheduler_Worker-3] DEBUG services.ImportUtilityService - Query to get Entitlements not Inserted/Updated in this job:
SELECT EV.ENTITLEMENT_VALUEKEY AS ENTITLEMENT_VALUEKEY FROM ENTITLEMENT_VALUES EV WHERE
EV.ENTITLEMENTTYPEKEY = 244 AND (EV.JOB_ID<>233948 OR EV.JOB_ID IS NULL)
AND EV.STATUS<>2

2023-05-18/14:59:07.106 [{}] [quartzScheduler_Worker-3] DEBUG services.ImportUtilityService - Entitlements to be inactivated: 0
2023-05-18/14:59:07.106 [{}] [quartzScheduler_Worker-3] DEBUG services.ImportUtilityService - Cannot inactivate Entitlements as the no of entitlements not in feed is either zero or exceed entTypeThreshold

 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Paul_Meyer

‎05/22/2023 05:35 AM

How many ents in app ?


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to rushikeshvartak

‎05/22/2023 05:50 AM

@rushikeshvartak 

  • 30 "Organizations"
  • 659 "Roles"
  • 17141 "Duties"
  • 203092 "Privileges"

 

0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to Paul_Meyer

‎05/24/2023 09:47 PM

@rushikeshvartak @SB 

Any recommendations or would you recommend a FD support request?

 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Paul_Meyer

‎05/24/2023 09:51 PM

203000 try this limit


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to rushikeshvartak

‎05/25/2023 11:09 PM

Same error, failed job:

image.png

0 Kudos

SB
Saviynt Employee
Saviynt Employee

‎06/08/2023 08:51 AM

@Paul_Meyer Can you confirm if this is still an issue or was this resolved.


Regards,
Sahil
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to SB

‎06/08/2023 09:25 AM

@SB 

Still an open issue (FD #1632967). The issue is when you enable inactivateEntsNotInFeed. If there is nothing to do, ie no entitlements to inactivate, the jobs fails.

2023-06-02/16:16:31.565 [{}] [quartzScheduler_Worker-2] DEBUG services.ImportUtilityService - Entitlements to be inactivated: 0

2023-06-02/16:16:31.565 [{}] [quartzScheduler_Worker-2] DEBUG services.ImportUtilityService - Cannot inactivate Entitlements as the no of entitlements not in feed is either zero or exceed entTypeThreshold

My thoughts are that if there is nothing to inactivate, it is a valid use case. If there is nothing to inactivate, there is nothing to inactivate, the job should not fail. There is probably an if statement that needs adjusting...

0 Kudos

SB
Saviynt Employee
Saviynt Employee

‎06/08/2023 10:11 AM

It does seem that way. Looks like the support team is already working on it and should be able to help with a solution. Once you get a resolution it would be helpful if you could also update the same here so the others could also benefit from it.


Regards,
Sahil
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to SB

‎06/27/2023 10:33 PM

According to Support, it is fixed in v2021.0.4, as connector fix CONN-7863.

Only reference I can find to CONN-7863 is in the release notes of v2022.0.1 as:

CONN-7863 The CyberArk connector displays the correct status of the import job in the Job Control Panel when there are no entitlements to deactivate in EIC.

I can only assume that the fix has been applied to the base rest connector, as the CyberArk connector is a SCIM based rest connector.

Since v5.5SP5 seems to no longer be supported, a fix will not be provided. We'll have to continue waiting for a migration/upgrade. 1+ year and counting...

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Paul_Meyer

‎06/28/2023 04:22 AM

What if configuration removed


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

Paul_Meyer
Regular Contributor
Regular Contributor
In response to rushikeshvartak

‎06/28/2023 07:43 AM

From test results, the access recon job does set the entitlement status (Inactive or "SUSPENDED FROM IMPORT SERVICE"), depending on true/false config of inactivateEntsNotInFeed. When set to true, and the job has no entitlements to be set to Inactive, the job completes but the job status is "Failed" with the warning as posted above.

 

0 Kudos
Copyright © 2024 Khoros, LLC