
Inactivate deleted Entitlements in Saviynt via REST connector

shibinvpkvr
Regular Contributor II

We are using the REST connector for account and access import. We noticed that entitlements deleted from the target are still showing as Active in Saviynt. We have added "disableDeletedEntitlements": "true" but it did not help. We also tried to map a status and use statusConfig as well. That also did not work. Can anyone help us if we are missing any other configs?

Please find the ImportAccountEntJSON below:

{
  "accountParams": {
    "connection": "userAuth",
    "processingType": "SequentialAndIterative",
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "https://******.dynamics.com/api/data/v9.2/systemusers",
          "httpMethod": "GET",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/x-www-form-urlencoded"
        },
        "listField": "value",
        "keyField": "accountID",
        "colsToPropsMap": {
          "accountID": "systemuserid~#~char",
          "customproperty1": "title~#~char",
          "customproperty2": "userpuid~#~char",
          "customproperty3": "islicensed~#~char",
          "customproperty4": "internalemailaddress~#~char",
          "customproperty5": "ownerid~#~char",
          "customproperty6": "isdisabled~#~char",
          "customproperty7": "firstname~#~char",
          "customproperty8": "lastname~#~char",
          "customproperty9": "identityid~#~char",
          "customproperty10": "modifiedon~#~char",
          "customproperty11": "issyncwithdirectory~#~char",
          "customproperty12": "userlicensetype~#~char",
          "customproperty13": "_modifiedby_value~#~char",
          "customproperty14": "isemailaddressapprovedbyo365admin~#~char",
          "customproperty15": "address1_telephone1~#~char",
          "customproperty16": "address1_city~#~char",
          "customproperty17": "address1_composite~#~char",
          "customproperty18": "address1_postalcode~#~char",
          "customproperty19": "address1_country~#~char",
          "customproperty20": "azureactivedirectoryobjectid~#~char",
          "customproperty21": "address1_stateorprovince~#~char",
          "displayName": "fullname~#~char",
          "name": "domainname~#~char"
        }
      }
    }
  },
  "entitlementParams": {
    "connection": "userAuth",
    "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
    "processingType": "SequentialAndIterative",
    "entTypes": {
      "Roles": {
        "entTypeOrder": 1,
        "call": {
          "call2": {
            "callOrder": 1,
            "stageNumber": 2,
            "showJobHistory": true,
            "http": {
              "url": "https://*******.dynamics.com/api/data/v9.2/roles",
              "httpMethod": "GET",
              "httpHeaders": {
                "OData-MaxVersion": "4.0",
                "OData-Version": "4.0",
                "Authorization": "${access_token}"
              },
              "httpContentType": "application/x-www-form-urlencoded"
            },
            "listField": "value",
            "keyField": "entitlementID",
            "statusConfig": {
              "active": "true"
            },
            "colsToPropsMap": {
              "entitlementID": "roleid~#~char",
              "entitlement_value": "name~#~char",
              "customproperty1": "isinherited~#~char",
              "customproperty2": "_parentroleid_value~#~char",
              "customproperty3": "createdon~#~char",
              "customproperty4": "_businessunitid_value~#~char",
              "customproperty5": "_createdby_value~#~char",
              "customproperty6": "modifiedon~#~char",
              "customproperty7": "_modifiedby_valuevalue~#~char",
              "status": "canbedeleted.Value~#~char"
            },
            "disableDeletedEntitlements": "true"
          }
        }
      }
    }
  },
  "acctEntParams": {
    "connection": "userAuth",
    "entTypes": {
      "Roles": {
        "call": {
          "call1": {
            "processingType": "http",
            "callOrder": 0,
            "stageNumber": 0,
            "showJobHistory": true,
            "http": {
              "url": "https://*******.dynamics.com/api/data/v9.2/systemuserrolescollection",
              "httpMethod": "GET",
              "httpHeaders": {
                "Authorization": "${access_token}",
                "Accept": "application/json"
              }
            },
            "listField": "value",
            "entIdPath": "roleid",
            "entKeyField": "entitlementID",
            "acctIdPath": "systemuserid",
            "acctKeyField": "accountID"
          }
        }
      }
    }
  }
}

3 REPLIES

Falcon
Saviynt Employee

Disclaimer - This is an AI generated response and feedback will be used to fine tune.

To address the issue of deleted entitlements still showing as Active in Saviynt despite setting "disableDeletedEntitlements": "true", it's important to ensure that the configuration accurately reflects the way your source system (in this case, presumably Dynamics 365) denotes deleted or inactive entitlements. From the configuration provided, it seems like "statusConfig": {"active": "true"} is intended to statically map all entitlements as active, which doesn't reflect the actual status of an entitlement. Furthermore, "canbedeleted.Value~#~char" as a status might not correctly represent whether an entitlement is active or deleted.

Given these points, the corrected approach involves properly configuring the statusConfig to dynamically reflect the actual status of entitlements based on data from the source system. If canbedeleted.Value does not accurately indicate an entitlement's deletion (instead indicating if it can be deleted), you need a different attribute from your Dynamics 365 response that directly indicates an entitlement's active or deleted status.

Correction:

  1. Identify the Correct Attribute: Determine the correct attribute from Dynamics 365 that indicates an entitlement's deletion status. For the sake of this correction, let's assume such an attribute is isDeleted (where true indicates the entitlement is deleted).

  2. Adjust the statusConfig and Remove "active": "true": Since static mapping as active is incorrect for deleted entitlements, adjust the statusConfig to use the correct attribute for dynamically mapping the status.

  3. Correct Configuration for entitlementParams:

 

"entitlementParams": {
  "connection": "userAuth",
  "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
  "processingType": "SequentialAndIterative",
  "entTypes": {
    "Roles": {
      "entTypeOrder": 1,
      "call": {
        "call2": {
          "callOrder": 1,
          "stageNumber": 2,
          "showJobHistory": true,
          "http": {
            "url": "https://*******.dynamics.com/api/data/v9.2/roles",
            "httpMethod": "GET",
            "httpHeaders": {
              "OData-MaxVersion": "4.0",
              "OData-Version": "4.0",
              "Authorization": "${access_token}"
            },
            "httpContentType": "application/x-www-form-urlencoded"
          },
          "listField": "value",
          "keyField": "entitlementID",
          "colsToPropsMap": {
            "entitlementID": "roleid~#~char",
            "entitlement_value": "name~#~char",
            "customproperty1": "isinherited~#~char",
            "customproperty2": "_parentroleid_value~#~char",
            "customproperty3": "createdon~#~char",
            "customproperty4": "_businessunitid_value~#~char",
            "customproperty5": "_createdby_value~#~char",
            "customproperty6": "modifiedon~#~char",
            "customproperty7": "_modifiedby_value~#~char",
            "status": "isDeleted~#~char"  // Assuming 'isDeleted' indicates deletion status
          },
          "statusConfig": {
            "statusField": "isDeleted",  // Correct field that indicates deletion status
            "activeValues": ["false"],  // Assuming 'false' indicates active
            "inactiveValues": ["true"]  // Assuming 'true' indicates deleted
          },
          "disableDeletedEntitlements": "true"
        }
      }
    }
  }
}

 

Key Adjustments:

  • "status": "isDeleted~#~char": Use the correct field from the API that indicates whether an entitlement is deleted.
  • "statusConfig":
    • "statusField": "isDeleted": Points to the correct attribute indicating deletion status.
    • "activeValues": ["false"]: Assumes that false in isDeleted means the entitlement is active.
    • "inactiveValues": ["true"]: Assumes that true in isDeleted means the entitlement is deleted/inactive.

This corrected approach requires replacing the hypothetical isDeleted with the actual attribute used by your Dynamics 365 system to indicate an entitlement's deletion status. Ensure the mappings and values align with the actual data structure and values returned by your Dynamics 365 API responses.

 

shibinvpkvr
Regular Contributor II

There is no field available in the API response that indicates if the role is active or inactive. So anything that is retrieved from the API can be considered an active entitlement. The only requirement here is to inactivate the entitlement in Saviynt when the role is deleted in Dynamics, which makes it disappear from the API response. Once the entitlement is removed from the API response, the expectation is that it should be marked as Inactive in Saviynt.

Refer https://forums.saviynt.com/t5/identity-governance/rest-connector-all-entitlements-inactivated-in-sav...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
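
The behaviour the original poster expects (a role that no longer appears in the `roles` response should stop being Active) can be audited outside the connector. The sketch below is an added example, not part of the thread and not Saviynt's implementation; the sample pages, the `ACTIVE` snapshot, the helper names and the 50% mass-change threshold are all constructed assumptions. It fails closed when the target listing is incomplete, so a bad import cannot flag every entitlement as stale.

```python
# Added example. All data below is constructed; names are hypothetical.
class ImportIncomplete(Exception):
    """The target listing cannot be trusted as a full snapshot."""

# Constructed Dynamics-style OData pages, keyed by a URL placeholder.
PAGES = {
    "roles?page=1": {
        "value": [{"roleid": "R-001", "name": "System Administrator"},
                  {"roleid": "r-002", "name": "Salesperson"}],
        "@odata.nextLink": "roles?page=2",
    },
    "roles?page=2": {"value": [{"roleid": "r-003", "name": "Marketing Manager"}]},
}
# Constructed snapshot of entitlements currently Active in the IGA system.
ACTIVE = {"r-001": "System Administrator", "r-002": "Salesperson",
          "r-003": "Marketing Manager", "r-004": "Legacy Approver"}

def collect_role_ids(fetch, url):
    """Walk every page; fail closed if any page is missing or malformed."""
    ids, visited = set(), set()
    while url:
        if url in visited:
            raise ImportIncomplete(f"paging loop at {url}")
        visited.add(url)
        page = fetch(url)
        rows = page.get("value") if isinstance(page, dict) else None
        if not isinstance(rows, list):
            raise ImportIncomplete(f"no 'value' list at {url}")
        for row in rows:
            if not row.get("roleid"):
                raise ImportIncomplete(f"row without roleid at {url}")
            ids.add(str(row["roleid"]).lower())  # compare IDs case-insensitively
        url = page.get("@odata.nextLink")
    return ids

def stale_entitlements(active, target_ids, max_fraction=0.5):
    """Active entitlements absent from the target, with a mass-change guard."""
    stale = {eid: name for eid, name in active.items()
             if eid.lower() not in target_ids}
    if not target_ids or len(stale) > max_fraction * len(active):
        raise ImportIncomplete(f"{len(stale)}/{len(active)} would be inactivated")
    return stale

if __name__ == "__main__":
    ids = collect_role_ids(PAGES.get, "roles?page=1")
    for eid, name in stale_entitlements(ACTIVE, ids).items():
        print(f"still Active but gone from target: {eid} ({name})")
```

Entitlements this check reports are access definitions that remain requestable and certifiable in governance after the target role is gone, so they are worth reviewing before the next certification campaign.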