We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Filtering Entitlements when importing Accesses and Accounts

Avdupa1070
New Contributor
New Contributor
Greatings,
While trying to filter the entitlements importation when importing both accesses and accounts using the same AD connector, we came across one problem.
By using the groupObjectClass field with the following "groupObjectClass":"(&(objectclass=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(!(cn=DL_*)))", we were able to apply the restrictions necessary to us, meaning that we could filter the entitlement’s importation to all security groups whose name didn’t start with DL_. Nevertheless, this only worked while importing the accesses since the groupImportMapping field, as mentioned in Saviynt’s documentation, is only applicable to accesses. After this, we proceeded to the importation of the accounts and this is where the issue showed up. Posteriorly to the importation of the accounts we validated that all entitlements to which the accounts were member of (as selected in the field entitlement_attribute) were imported including the ones we didn´t want to since the only condition present on the objectfilter field was (objectCategory=person). Is it possible to apply both the (objectCategory=person) and the (&(objectclass=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(!(cn=DL_*))) restriction using the objectfilter field so that when importing the accounts only the desired groups are imported and mapped? If so what would the right terminology? If not is there any other way to make these filters apply to both accesses and accounts?
 
Best regards
16 REPLIES 16

rushikeshvartak
All-Star
All-Star

Are you using endpoint filter option


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

I am not since as far as i understood that only applies for setting up connections with other applications that use Active Directory in this specific case and my goal here is just importing the entitlements (with the filters mentioned) from Active Directory itself.

Please share connection screenshot 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

You can find below what i believe should be all the important information in the connection for this topic.

object_filter.PNG

Avdupa1070_0-1665582348544.png

 

entitlement.PNG

group.PNG

  

You can try memberOf Filter 

https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html 

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Unfortunately that wouldn't solve my problem. That filter is for persons and my problem is regarding the groups. The filter i currently have for persons is needed when importing accounts, the problem is filtering the groups imported. Our situation is that we want to import accounts and the groups to which those accounts are part of, except some groups that should be filtered according to the restrictions mentioned.

 

You can use Endpoint FIlter to achieve your use case


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Avdupa1070
New Contributor
New Contributor

Can you please clarify how? I am not understading how can the endpoint filter field help with the entitlement importation?

Can you refer documentation for same : https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g... 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

As referenced in the documentation the endpoints_filter parameter "creates endpoints based on the list of groups specified in the JSON and associates all accounts having access to these groups to the created endpoint." I do not wish to import the groups as endpoints but rather filter the groups that are imported as entitlements when the Import Accounts job is performed with the Entitlement Attribute as memberOf.

Please confirm if below understanding is correct for your use case

  • user1 having group1 to 10
  • you want user1 should have only group 1 to group 5 in saviynt 

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Exactly, so after importing both the account and the access only groups 1 to 5 should be on saviynt

You can use endpoint filter and create application/endpoint for filtering groups


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks, i have made some progress. There is still one thing i cant quite resolve. Lets say i want to import all groups except the ones starting with the following,

{"memberOf":["CN=DL_%,..."]}

Is there any way to put that expression in the negative so i don't have to list all of the other groups?

No You need to write all possible combination. You can't mention not in endpoints filter


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

vivekmohanty_pm
Saviynt Employee
Saviynt Employee

@Avdupa1070 I understand the problem statement, and currently, it is not supported in our connector.
The entitlements imported as part of account import only have their entitlement_value populated and not the meta-data. We import those groups via account import as they are present in the memberOf attributes in the AD user objects.