Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Is it possible to have multiple sources for user/identity data?

GauravJain
Regular Contributor III
Regular Contributor III

‎01/30/2024 10:49 PM

Hi

Is it possible to have multiple sources for user/identity data in Saviynt? What i mean is, if identity data is present in multiple sources then is it possible in Saviynt to union / aggregate those data sets from  different sources and then import in Users table?

Or 

is there any other way to achieve this task in Saviynt?

Regards

Gaurav

 

Labels:
0 Kudos
11 REPLIES 11

rushikeshvartak
All-Star
All-Star

‎01/30/2024 10:55 PM

You can have data coming from different data source but username / unique attribute should be there.

For example :

  • Users coming from workday
  • Email is getting updated from Azure

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

GauravJain
Regular Contributor III
Regular Contributor III
In response to rushikeshvartak

‎01/30/2024 11:02 PM

Hi @rushikeshvartak Can you provide some more information or document links on how to achieve this in Saviynt?

For example, if we want to fetch users data from both LDAP and AD which have a common attribute like username or employee id or email, based on which the data should be aggregated and then inserted in Users  table.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to GauravJain

‎01/30/2024 11:04 PM

You can follow standard Connector documentation for same,


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

GauravJain
Regular Contributor III
Regular Contributor III
In response to rushikeshvartak

‎01/30/2024 11:20 PM

Hi @rushikeshvartak not sure if i get what you are saying. let me further clarify on your point

So for example, if i am using LDAP connector for importing users data (where username is unique). created a import job for this and uploaded data in Users table.

Now, i can have another connector like AD (again username is unique), created another import job for this. Execution of this job will overwrite user attributes fetched from AD if username matches with existing data in users table, correct?

secondly, if AD has more username's then LDAP then such data will be inserted in Users table , correct?

third, if LDAP has more username's then those wont be impacted, correct?

is my understanding correct? is there anything further it can do?

0 Kudos

GauravJain
Regular Contributor III
Regular Contributor III

‎02/04/2024 10:05 PM

Hi @rushikeshvartak Can please share an update on this? or can you get any updates from Saviynt engineering team on this? 

if anyone else have any idea, please share your experience on this requirement.

0 Kudos

GauravJain
Regular Contributor III
Regular Contributor III

‎02/11/2024 11:16 PM

Hi All - can someone look into this issue and revert?

i have raised a support ticket as well to understand this but they are asking to post it again on forums and they will push forum team to respond back. its a deadlock situation.

0 Kudos

Dhruv_S
Saviynt Employee
Saviynt Employee
In response to GauravJain

‎02/12/2024 04:10 AM

Hi @GauravJain  

Could you please provide detailed business use case to help us better understand the scenario better and answer your question correctly.

1. Do you want to use certain attributes from source1 (AD) and certain other attributes from source 2 (Example-LDAP)? Will there be some common attributes to be imported from 2 different sources?
2. What will be the unique field which you want to use as reconciliation field in both the sources ?
3. Does the same user exists in two different sources- example AD and LDAP and is there exists a unique field mapping the same user in two different sources ? Is there any estimate of number of users present in both the sources?

You can import data from multiple sources. Data will be mapped in the users table as per the mappings done in the connector configuration for the users matched in the reconciliation field. Both the sources should have common reconciliation ID attribute for each of the user. Otherwise, it may create duplicate users.

 1. if I am using LDAP connector for importing users data (where username is unique). created a import job for this and uploaded data in Users table. Now, i can have another connector like AD (again username is unique), created another import job for this. Execution of this job will overwrite user attributes fetched from AD if username matches with existing data in users table, correct?

YES. The 2nd job run will overwrite the existing (common) fields updated by the 1st job if those fields are part of the 1st job import as well. This will create a loop of overwrites where the same attributes will get overwritten by every job in every import. This might create a problem where same field getting changed again and again (Audit issues/Inconsistent profile at different point of times). There may be other unwanted consequences where a task exist to update an attribute from job1 but the same attribute get updated by another job meanwhile resulting those previous tasks to fail.

To avoid such issues, there should be different set of attributes from different sources and common attribute should not be part of import from both the sources. An example of this will be all the attributes imported from AD but few different attributes imported from source2 where source2 will be used only for those particular attributes.

2. secondly, if AD has more username's then LDAP then such data will be inserted in Users table, correct?
YES

3. third, if LDAP has more username's then those wont be impacted, correct?
YES

is my understanding correct? is there anything further it can do? YES. However, all the dependencies need to be carefully taken care.


Regards,

Dhruv Sharma

GauravJain
Regular Contributor III
Regular Contributor III
In response to Dhruv_S

‎02/13/2024 09:55 PM

Hi @Dhruv_S thank you so much for explaining things in detail. I will come back with our details requirements soon.

in the meantime, can you also clarify the role of username & RECONCILATION_FIELD. Saviynt says, username must be unique in both AD/LDAP connector documentation for user import. whats the significance of this? 

Also, AD documentation says RECONCILATION_FIELD is always mapped to objectGUID for AD and may be entryUUID for LDAP.

So, are you saying that the value for objectGUID for a user record in AD must match the value of entryUUID in LDAP for the same user record, so that same record gets updated in Saviynts user table when both the jobs run after one another? but this seems to be impossible as the values generated for objectGUID /entryUUID in both the systems will be different. so in such case which attribute can be used to merge data coming from 2 different systems (AD & LDAP)? can we use any other common user attribute (like username or employeeid) from both AD/LDAP to map with RECONCILATION_FIELD?

Please ask for more information if my query is confusing.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to GauravJain

‎02/13/2024 10:03 PM

in the meantime, can you also clarify the role of username & RECONCILATION_FIELD. Saviynt says, username must be unique in both AD/LDAP connector documentation for user import. whats the significance of this?  User name is used for login purpose and it should be unique

Also, AD documentation says RECONCILATION_FIELD is always mapped to objectGUID for AD and may be entryUUID for LDAP. - It should be unique in target application

 

So, are you saying that the value for objectGUID for a user record in AD must match the value of entryUUID in LDAP for the same user record, so that same record gets updated in Saviynts user table when both the jobs run after one another? but this seems to be impossible as the values generated for objectGUID /entryUUID in both the systems will be different. so in such case which attribute can be used to merge data coming from 2 different systems (AD & LDAP)? can we use any other common user attribute (like username or employeeid) from both AD/LDAP to map with RECONCILATION_FIELD? - You can use common attribute stored in username column of saviynt as username/employeeid


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

GauravJain
Regular Contributor III
Regular Contributor III
In response to rushikeshvartak

‎02/13/2024 10:14 PM

Ok, so not necessary to always use objectGUID / entryUUID as RECONCILATION_FIELD mapping.

if i am dealing with multiple user sources then any common attribute from both the systems which has a unique value can also be used in RECONCILATION_FIELD mapping. 

thanks for clarification and it was really a quick revert.

0 Kudos

Dhruv_S
Saviynt Employee
Saviynt Employee
In response to GauravJain

‎02/14/2024 05:28 PM

Hi @GauravJain 

Yes. Common attribute which is unique should be used for both the systems such as employee id.

Regards,

Dhruv Sharma 

Copyright © 2024 Khoros, LLC