Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Importing accounts from specific OU not marking existing accounts imported from root as SFIS

krecpond
New Contributor III
New Contributor III

‎12/16/2022 03:54 PM

Saviynt was importing accounts and groups from the root of an OU. A recent configuration was made to the AD connection to import it from 3 specific OUs. This configuration was made in the Advanced_Filter_JSON of the AD connection. The expectation was that the accounts that exists within saviynt DB that were imported from the other OUs would be marked as SFIS. However, the account status is retained as it was before the import. Is this a product defect or is there any other configuration additionally required to be done which is not documented in the AD connector guide.

Labels:
0 Kudos
12 REPLIES 12

rushikeshvartak
All-Star
All-Star

‎12/17/2022 07:56 AM

  • You need to increase threshold count .
  • Is there any error in logs
  • how many active accounts are expected for suspension 
  • share status threshold config json

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

krecpond
New Contributor III
New Contributor III

‎12/18/2022 06:28 AM

Status threshold is configured as follows:

{
"statusAndThresholdConfig":
{
"statusColumn":"customproperty30",
"activeStatus":["512","544","66048","262656","590336","328192","16843264","1114624"],
"deleteLinks": true,
"accountThresholdValue" : 100000,
"correlateInactiveAccounts":true,
"inactivateAccountsNotInFile": false
}
}

There are only about 30K accounts on the target.

One thing that I noticed is that when I create another connection, security system and endpoint to the same target and configured below OUs in Advance_Filter_JSON as follows:

{
"AdvanceFilter": {

"OU=gmsaaccounts,OU=Accounts,OU=accessmgmnt,DC=etf,DC=xxx,DC=com": ["(&(sAMAccountName=*)(objectclass=top)(objectCategory=person)(objectclass=user))"
],

"OU=privuseraccounts,OU=Accounts,OU=accessmgmnt,DC=etf,DC=xxx,DC=com": ["(&(sAMAccountName=*)(objectclass=top)(objectCategory=person)(objectclass=user))"
]
}
}

Saviynt imported only the accounts from these 2 OUs onto the new endpoint. Then when I removed the privuseraccounts OU config from the Advance_FilteR_JSON it suspended all the accounts that were in Saviynt from that OU (as expected). But when the same configuration changes are done on the original connection that manages AD, the existing accounts within Saviynt (imported previously from root) in the OUs excluded are not getting suspended.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to krecpond

‎12/18/2022 07:16 AM

There must be accounts with blank status

check below from data analyzer

select distinct status from accounts where endpointkey=0


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

sk
All-Star
All-Star
In response to krecpond

‎12/19/2022 10:04 AM

Do you have group import configured for original connection, If so what is the configuration for group import?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
0 Kudos

krecpond
New Contributor III
New Contributor III

‎12/19/2022 06:04 AM

The only statuses in the accounts table for endpointkey=61 are 1, 2, Manually Provisioned and SFIS (SIFS accounts are from an incorrect import that caused Saviynt to think that the import feed was empty).

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to krecpond

‎12/19/2022 06:19 AM

If any status is blank/null then it will be issue


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

krecpond
New Contributor III
New Contributor III
In response to rushikeshvartak

‎12/19/2022 01:03 PM

I did not understand your response. Like I mentioned before, there are no null / blank statuses for the accounts in Saviynt.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to krecpond

‎12/19/2022 01:06 PM

suspend all existing and reimport data


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

krecpond
New Contributor III
New Contributor III

‎12/20/2022 01:17 PM

How do I suspend all existing accounts on the endpoint within Saviynt?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to krecpond

‎12/20/2022 01:25 PM

update accounts set status='SUSPENDED FROM IMPORT SERVICE' where endpointkey=61 limit 1000;


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos

krecpond
New Contributor III
New Contributor III

‎12/20/2022 01:54 PM

Instead of running a DB update, I figured out a way to simulate an empty import and got all the accounts set to SFIS via accounts import job.

After this when I configure the Advance_Filter_JSON to just bring accounts from OU=Accounts,OU=accessmgmnt,DC=etf,DC=XXX,DC=com, Saviynt is importing accounts from the sub-OUs within this OU. Examples are accounts from OU=privuseraccounts,OU=Accounts,OU=accessmgmnt,DC=etf,DC=equifax,DC=com.

The AD connector guide mentions that the Advance_Filter_JSON is to import accounts from specific OUs and does not mention about importing accounts from the OUs under the ones configured.

Is this the expected behaviour of this configuration?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to krecpond

‎12/20/2022 08:49 PM

it will bring all data from ou specified sub ou also


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos
Copyright © 2024 Khoros, LLC