
How GCP Import and provisioning works

rajesh005
New Contributor

I would like to know how the GCP connector works. I referenced the GCP connector guide but was unable to get my questions below answered.

1. How is the GCP connector importing GCP accounts and entitlements, and how do I get extra metadata information for accounts? In the REST connector we have importaccountentjson, where we define the column mapping and get the required metadata, but in GCP I do not see such an option at the connector level. Is there any backend code doing that mapping which we cannot see from the UI?

2. I do not see any JSON parameters like add access, remove account, or remove access in the GCP connector. How are those provisioning operations happening?


rushikeshvartak
All-Star

Are you using a template for the GCP connection? Screenshot, please.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

rajesh005
New Contributor

Not sure what you mean by template. We are using a connector of the GCP connector type, and here are the screenshots:

[Screenshots: rajesh005_0-1673272880942.png, rajesh005_1-1673273032213.png]

[This post has been edited by a Moderator to remove sensitive information.]

For the GCP connector, some of the logic is handled in the backend.

1. How is the GCP connector importing GCP accounts and entitlements, and how do I get extra metadata information for accounts? In the REST connector we have importaccountentjson, where we define the column mapping and get the required metadata, but in GCP I do not see such an option at the connector level. Is there any backend code doing that mapping which we cannot see from the UI?

The accounts and entitlements import logic is handled in the backend code of this connector. You don't specify much at the connection level. Instead, while you configure imports, you define what type of data you want to import, such as accounts or access. If you want to import a specific type of entitlement, use CUSTOM Access and filter which entitlement types to pull using importEntTypes and excludeEntTypes.

Sample JSON:

{"importEntTypes":{"SQLDatabaseInstance":{}},"excludeEntTypes":{"Groups":{},"Group_Permissions":{},"Projects":{},"Organizations":{},"Org_Roles":{},"Roles":{},"Project_Roles":{},"Project_IAMPolicies":{},"Folders":{},"Disks":{},"ServiceAccountKeys":{},"KubernetesEngine":{},"Instances":{},"RolePermissions":{},"Org_IAMPolicies":{},"Folder_Roles":{},"Folder_IAMPolicies":{},"Zones":{},"Regions":{},"AlertPolicies":{},"SubNetworks":{},"VPCNetworks":{},"DNSZone":{},"Firewall":{},"BucketsList":{},"BucketIAMPolicy":{},"Sinks":{},"LogBasedMetrics":{},"DiskSnapshots":{},"Instances_IAMPolicies":{},"Disks_IAMPolicies":{},"ServiceAccount_Roles":{},"ServiceAccount_IAMPolicies":{}}}

This will pull only the SQL instances of GCP.

Similarly, account attribute mapping is also handled internally. Below are some of the fields that are pulled by the GCP connector and their mapping to the accounts table:

| Accounts Table Column | GCP Attribute |
|---|---|
| accountID | id |
| name | primaryEmail |
| displayName | name.fullName |
| customproperty1 | emails |
| customproperty2 | nonEditableAliases |
| customproperty4 | kind |
| customproperty5 | etag |
| customproperty6 | isAdmin |
| customproperty7 | isDelegatedAdmin |
| customproperty8 | customerId |
| customproperty9 | orgUnitPath |
| customproperty10 | isMailboxSetup |
| customproperty11 | isEnrolledIn2Sv |
| customproperty12 | isEnforcedIn2Sv |
| customproperty13 | includeInGlobalAddressList |
| customproperty14 | ipWhitelisted |
| customproperty15 | changePasswordAtNextLogin |
| customproperty16 | agreedToTerms |
| customproperty18 | suspensionReason |
| lastlogondate | lastLoginTime |
| CREATED_ON | creationTime |

If you need any additional columns to be mapped, you can use ACCOUNT_ATTRIBUTE_MAPPING.

Sample JSON:

{"customproperty31": "emails~#~json"}

2. I do not see any JSON parameters like add access, remove account, or remove access in the GCP connector. How are those provisioning operations happening? -- For provisioning you may still need to populate these JSONs: CreateAccountJSON, UpdateAccountJSON & CREATESERVICEACCOUNTJSON. All the rest, like Add/Remove Access & Delete, are handled by the backend logic of the connector.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

rajesh005
New Contributor

Can you let me know the folder structure on the backend where I can see that mapping info for account reconciliation? I do have visibility to check JAR files and folders on the server end, but I am not sure where to check.

The reason I am asking is that, as you can see in the screenshot below, I am getting the below attributes populated in one of the GCP accounts (I blanked out some values for security reasons). At present I do not have ACCOUNT_ATTRIBUTE_MAPPING. I want to understand how these Saviynt attributes are mapped to which GCP attributes.

[Screenshot: rajesh005_0-1673366443880.png]

I'm not sure where you can find that mapping information in the JAR. The above mapping table is information we received from the support team on asking about the mapping details, which may or may not cover the whole of the mapping that the GCP connector does by default.

Also, as per my understanding, ACCOUNT_ATTRIBUTE_MAPPING is only for mapping additional attributes other than what it does by default. Even if you don't have that value set, it still does the default mapping as per the connector logic.

If you need the exact mapping details, or where you can find those mapping details, you may need to check with Saviynt support.


Regards,
Saathvik

ps
Saviynt Employee

So GCP has a default mapping baked into the connector, as mentioned in the above screenshot by SK.

ACCOUNT_ATTRIBUTE_MAPPING: you can use it to change the default mapping, as sometimes the default mapping fails due to data size issues.

Example:

{
  "customproperty1": "customerid~#~char",
  "customproperty31": "emails~#~json"
}
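
As an added illustration (not Saviynt's connector code and not posted by anyone in this thread), the sketch below applies the default mapping table from the thread plus an ACCOUNT_ATTRIBUTE_MAPPING override to one constructed user record, showing which accounts-table column each GCP attribute lands in. The meaning given to the `json` and `char` type suffixes, the case-insensitive attribute lookup, and the names `lookup`, `map_account`, `SAMPLE_USER` and `OVERRIDE` are assumptions made for the example.

```python
import json

# Default accounts-table column -> GCP attribute, copied from the table in this thread.
DEFAULT_MAPPING = {
    "accountID": "id", "name": "primaryEmail", "displayName": "name.fullName",
    "customproperty1": "emails", "customproperty2": "nonEditableAliases",
    "customproperty4": "kind", "customproperty5": "etag",
    "customproperty6": "isAdmin", "customproperty7": "isDelegatedAdmin",
    "customproperty8": "customerId", "customproperty9": "orgUnitPath",
    "customproperty10": "isMailboxSetup", "customproperty11": "isEnrolledIn2Sv",
    "customproperty12": "isEnforcedIn2Sv", "customproperty13": "includeInGlobalAddressList",
    "customproperty14": "ipWhitelisted", "customproperty15": "changePasswordAtNextLogin",
    "customproperty16": "agreedToTerms", "customproperty18": "suspensionReason",
    "lastlogondate": "lastLoginTime", "CREATED_ON": "creationTime",
}

def lookup(record, path):
    """Follow a dotted path such as name.fullName; key case is ignored (assumption)."""
    for part in path.split("."):
        if not isinstance(record, dict):
            return None
        record = next((v for k, v in record.items() if k.lower() == part.lower()), None)
    return record

def map_account(user, attribute_mapping_json="{}"):
    """Build the accounts-table row for one user; overrides replace defaults."""
    specs = {col: (attr, None) for col, attr in DEFAULT_MAPPING.items()}
    for col, spec in json.loads(attribute_mapping_json).items():
        attr, sep, kind = spec.partition("~#~")
        if not (sep and attr and kind):
            raise ValueError(f"{col}: expected '<attribute>~#~<type>', got {spec!r}")
        specs[col] = (attr, kind)
    row = {}
    for col, (attr, kind) in specs.items():
        value = lookup(user, attr)
        if value is None:
            continue  # attribute absent on this user: column stays empty
        # Assumption: "json" stores a JSON string, any other type plain text.
        row[col] = json.dumps(value) if kind == "json" else str(value) if kind else value
    return row

# Constructed sample user carrying attribute names from the table above.
SAMPLE_USER = {
    "id": "100000000000000000001", "primaryEmail": "alice@example.com",
    "name": {"fullName": "Alice Example"}, "customerId": "C0constructed",
    "emails": [{"address": "alice@example.com", "primary": True}],
    "isAdmin": False, "isEnrolledIn2Sv": True, "orgUnitPath": "/Engineering",
}
# The ACCOUNT_ATTRIBUTE_MAPPING value from the last reply in this thread.
OVERRIDE = '{"customproperty1": "customerid~#~char", "customproperty31": "emails~#~json"}'
```

Calling `map_account(SAMPLE_USER, OVERRIDE)` returns the row with `customproperty1` repointed to the customer ID and the full `emails` structure moved to `customproperty31`, while security-relevant flags such as `isAdmin` and `isEnrolledIn2Sv` stay in their default columns.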