Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Imported AD group members are not showing as accounts on child AD Endpoints

glegault
New Contributor II
New Contributor II

‎03/26/2024 07:37 AM

We notice that Saviynt users can Modify Access on an AD Endpoint and see the current group membership (entitlements) while other users that are also part of the same AD groups do not see their current group membership when using the Modify Access option.

Unless I misunderstand something, I think this is cause by the fact that we can see Accounts on the AD child Endpoint Entitlements when accesses are granted from Saviynt ARS while accesses that were granted outside Saviynt (directly in AD from before that applications were integrated) and imported  are not showing on the AD child Endpoint Entitlement but only on the parent AD endpoint.

Is there a way to import accounts and/or accesses or something else that can be done to “sync” the parent AD Entitlements accounts with the child ones that get associated to AD Endpoints from the filters on the connection?

Example:

glegault_0-1711463537420.png

glegault_1-1711463560508.png

Thank you for the help.

0 Kudos
2 REPLIES 2

rushikeshvartak
All-Star
All-Star

‎03/26/2024 08:38 PM

Currently its not supported 

Refer https://ideas.saviynt.com/ideas/EIC-I-3938


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

glegault
New Contributor II
New Contributor II
In response to rushikeshvartak

‎03/27/2024 12:27 PM - edited ‎03/27/2024 12:29 PM

Hi Rushikesh,

Thank you for the reply. We found out that the performGroupAccountLinking can be configured to TRUE on the groupimportmapping section of the AD connector to achieve what we were trying to do.

Configuring the Integration for Importing Accounts and Access (saviyntcloud.com)

This is what we were looking for. After enabling this option and running import jobs again the child endpoind entitlements were updated as expected. 

We ran into the Data inconsistency error described here and worked to the suggested solution to get back into business but the end results is looking good as far as I can see for now.

It would be nice to be able to change a setting like this on the AD connection without breaking all AD Endpoints, even temporarily...

Access request form is not loading with "Data inco... - Saviynt Forums - 55885

Regards,

0 Kudos
Copyright © 2024 Khoros, LLC