12/16/2022 03:54 PM
Saviynt was importing accounts and groups from the root of an OU. A recent configuration was made to the AD connection to import them from 3 specific OUs. This configuration was made in the Advanced_Filter_JSON of the AD connection. The expectation was that the accounts that exist within the Saviynt DB that were imported from the other OUs would be marked as SFIS. However, the account status is retained as it was before the import. Is this a product defect, or is there any other configuration additionally required which is not documented in the AD connector guide?
12/17/2022 07:56 AM
12/18/2022 06:28 AM
Status threshold is configured as follows:
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty30",
    "activeStatus": ["512","544","66048","262656","590336","328192","16843264","1114624"],
    "deleteLinks": true,
    "accountThresholdValue": 100000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}
There are only about 30K accounts on the target.
One thing that I noticed is that when I created another connection, security system and endpoint to the same target and configured the OUs below in Advance_Filter_JSON as follows:
{
  "AdvanceFilter": {
    "OU=gmsaaccounts,OU=Accounts,OU=accessmgmnt,DC=etf,DC=xxx,DC=com": [
      "(&(sAMAccountName=*)(objectclass=top)(objectCategory=person)(objectclass=user))"
    ],
    "OU=privuseraccounts,OU=Accounts,OU=accessmgmnt,DC=etf,DC=xxx,DC=com": [
      "(&(sAMAccountName=*)(objectclass=top)(objectCategory=person)(objectclass=user))"
    ]
  }
}
Saviynt imported only the accounts from these 2 OUs onto the new endpoint. Then when I removed the privuseraccounts OU config from the Advance_Filter_JSON, it suspended all the accounts that were in Saviynt from that OU (as expected). But when the same configuration changes are done on the original connection that manages AD, the existing accounts within Saviynt (imported previously from root) in the excluded OUs are not getting suspended.
12/18/2022 07:16 AM
There must be accounts with blank status.
Check the query below from Data Analyzer:
select distinct status from accounts where endpointkey=0
12/19/2022 10:04 AM
Do you have group import configured for the original connection? If so, what is the configuration for group import?
12/19/2022 06:04 AM
The only statuses in the accounts table for endpointkey=61 are 1, 2, Manually Provisioned and SFIS (SFIS accounts are from an incorrect import that caused Saviynt to think that the import feed was empty).
12/19/2022 06:19 AM
If any status is blank/null then it will be an issue.
12/19/2022 01:03 PM
I did not understand your response. Like I mentioned before, there are no null / blank statuses for the accounts in Saviynt.
12/19/2022 01:06 PM
Suspend all existing and reimport data.
12/20/2022 01:17 PM
How do I suspend all existing accounts on the endpoint within Saviynt?
12/20/2022 01:25 PM
update accounts set status='SUSPENDED FROM IMPORT SERVICE' where endpointkey=61 limit 1000;
12/20/2022 01:54 PM
Instead of running a DB update, I figured out a way to simulate an empty import and got all the accounts set to SFIS via accounts import job.
After this when I configure the Advance_Filter_JSON to just bring accounts from OU=Accounts,OU=accessmgmnt,DC=etf,DC=XXX,DC=com, Saviynt is importing accounts from the sub-OUs within this OU. Examples are accounts from OU=privuseraccounts,OU=Accounts,OU=accessmgmnt,DC=etf,DC=equifax,DC=com.
The AD connector guide mentions that the Advance_Filter_JSON is to import accounts from specific OUs and does not mention importing accounts from the OUs under the ones configured.
Is this the expected behaviour of this configuration?
12/20/2022 08:49 PM
It will bring all data from the OU specified, and from its sub-OUs also.
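
As an added illustration (not part of the thread, and not Saviynt's code), the sketch below previews which account DNs fall under the configured base OUs when the search includes sub-OUs, as the reply above describes, next to a one-level reading for contrast. The function names, the `scope` parameter and the sample account DNs are assumptions made for this example.

```python
import json

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch not in "\\,":
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        else:  # unescaped comma ends the current RDN
            rdns.append("".join(cur).strip().lower())
            cur = []
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]

def in_scope(account_dn, base_dn, scope="subtree"):
    """True if account_dn sits below base_dn (any depth, or exactly one level)."""
    acct, base = split_dn(account_dn), split_dn(base_dn)
    if len(acct) <= len(base) or acct[-len(base):] != base:
        return False
    return scope == "subtree" or len(acct) - len(base) == 1

def preview_import(filter_json, account_dns, scope="subtree"):
    """Partition DNs by whether any base OU key in the filter JSON covers them."""
    bases = list(json.loads(filter_json)["AdvanceFilter"])
    result = {"in_scope": [], "out_of_scope": []}
    for dn in account_dns:
        hit = any(in_scope(dn, b, scope) for b in bases)
        result["in_scope" if hit else "out_of_scope"].append(dn)
    return result

# Constructed sample: one base OU, filter string as posted in the thread.
SAMPLE_FILTER = json.dumps({"AdvanceFilter": {
    "OU=Accounts,OU=accessmgmnt,DC=etf,DC=xxx,DC=com":
        ["(&(sAMAccountName=*)(objectclass=top)(objectCategory=person)(objectclass=user))"]}})
ROOT = "OU=accessmgmnt,DC=etf,DC=xxx,DC=com"
SAMPLE_DNS = [  # constructed account DNs, not taken from the thread
    "CN=user1,OU=Accounts," + ROOT,
    "CN=adm1,OU=privuseraccounts,OU=Accounts," + ROOT,
    "CN=svc1,OU=gmsaaccounts,OU=Accounts," + ROOT,
    "CN=Doe\\, Jane,OU=Staff," + ROOT,
]

if __name__ == "__main__":
    for scope in ("subtree", "onelevel"):
        print(scope, json.dumps(preview_import(SAMPLE_FILTER, SAMPLE_DNS, scope), indent=2))
```

Running a preview like this against an export of account DNs before changing the filter shows which privileged or service accounts would stay in the import scope and which would be left to be suspended.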