Click HERE to see how Saviynt Intelligence is transforming the industry. |
01/30/2024 10:49 PM
Hi
Is it possible to have multiple sources for user/identity data in Saviynt? What i mean is, if identity data is present in multiple sources then is it possible in Saviynt to union / aggregate those data sets from different sources and then import in Users table?
Or
is there any other way to achieve this task in Saviynt?
Regards
Gaurav
01/30/2024 10:55 PM
You can have data coming from different data source but username / unique attribute should be there.
For example :
01/30/2024 11:02 PM
Hi @rushikeshvartak Can you provide some more information or document links on how to achieve this in Saviynt?
For example, if we want to fetch users data from both LDAP and AD which have a common attribute like username or employee id or email, based on which the data should be aggregated and then inserted in Users table.
01/30/2024 11:04 PM
You can follow standard Connector documentation for same,
01/30/2024 11:20 PM
Hi @rushikeshvartak not sure if i get what you are saying. let me further clarify on your point
So for example, if i am using LDAP connector for importing users data (where username is unique). created a import job for this and uploaded data in Users table.
Now, i can have another connector like AD (again username is unique), created another import job for this. Execution of this job will overwrite user attributes fetched from AD if username matches with existing data in users table, correct?
secondly, if AD has more username's then LDAP then such data will be inserted in Users table , correct?
third, if LDAP has more username's then those wont be impacted, correct?
is my understanding correct? is there anything further it can do?
02/04/2024 10:05 PM
Hi @rushikeshvartak Can please share an update on this? or can you get any updates from Saviynt engineering team on this?
if anyone else have any idea, please share your experience on this requirement.
02/11/2024 11:16 PM
Hi All - can someone look into this issue and revert?
i have raised a support ticket as well to understand this but they are asking to post it again on forums and they will push forum team to respond back. its a deadlock situation.
02/12/2024 04:10 AM
Hi @GauravJain
Could you please provide detailed business use case to help us better understand the scenario better and answer your question correctly.
1. Do you want to use certain attributes from source1 (AD) and certain other attributes from source 2 (Example-LDAP)? Will there be some common attributes to be imported from 2 different sources?
2. What will be the unique field which you want to use as reconciliation field in both the sources ?
3. Does the same user exists in two different sources- example AD and LDAP and is there exists a unique field mapping the same user in two different sources ? Is there any estimate of number of users present in both the sources?
You can import data from multiple sources. Data will be mapped in the users table as per the mappings done in the connector configuration for the users matched in the reconciliation field. Both the sources should have common reconciliation ID attribute for each of the user. Otherwise, it may create duplicate users.
1. if I am using LDAP connector for importing users data (where username is unique). created a import job for this and uploaded data in Users table. Now, i can have another connector like AD (again username is unique), created another import job for this. Execution of this job will overwrite user attributes fetched from AD if username matches with existing data in users table, correct?
YES. The 2nd job run will overwrite the existing (common) fields updated by the 1st job if those fields are part of the 1st job import as well. This will create a loop of overwrites where the same attributes will get overwritten by every job in every import. This might create a problem where same field getting changed again and again (Audit issues/Inconsistent profile at different point of times). There may be other unwanted consequences where a task exist to update an attribute from job1 but the same attribute get updated by another job meanwhile resulting those previous tasks to fail.
To avoid such issues, there should be different set of attributes from different sources and common attribute should not be part of import from both the sources. An example of this will be all the attributes imported from AD but few different attributes imported from source2 where source2 will be used only for those particular attributes.
2. secondly, if AD has more username's then LDAP then such data will be inserted in Users table, correct?
YES
3. third, if LDAP has more username's then those wont be impacted, correct?
YES
is my understanding correct? is there anything further it can do? YES. However, all the dependencies need to be carefully taken care.
Regards,
Dhruv Sharma
02/13/2024 09:55 PM
Hi @Dhruv_S thank you so much for explaining things in detail. I will come back with our details requirements soon.
in the meantime, can you also clarify the role of username & RECONCILATION_FIELD. Saviynt says, username must be unique in both AD/LDAP connector documentation for user import. whats the significance of this?
Also, AD documentation says RECONCILATION_FIELD is always mapped to objectGUID for AD and may be entryUUID for LDAP.
So, are you saying that the value for objectGUID for a user record in AD must match the value of entryUUID in LDAP for the same user record, so that same record gets updated in Saviynts user table when both the jobs run after one another? but this seems to be impossible as the values generated for objectGUID /entryUUID in both the systems will be different. so in such case which attribute can be used to merge data coming from 2 different systems (AD & LDAP)? can we use any other common user attribute (like username or employeeid) from both AD/LDAP to map with RECONCILATION_FIELD?
Please ask for more information if my query is confusing.
02/13/2024 10:03 PM
in the meantime, can you also clarify the role of username & RECONCILATION_FIELD. Saviynt says, username must be unique in both AD/LDAP connector documentation for user import. whats the significance of this? User name is used for login purpose and it should be unique
Also, AD documentation says RECONCILATION_FIELD is always mapped to objectGUID for AD and may be entryUUID for LDAP. - It should be unique in target application
So, are you saying that the value for objectGUID for a user record in AD must match the value of entryUUID in LDAP for the same user record, so that same record gets updated in Saviynts user table when both the jobs run after one another? but this seems to be impossible as the values generated for objectGUID /entryUUID in both the systems will be different. so in such case which attribute can be used to merge data coming from 2 different systems (AD & LDAP)? can we use any other common user attribute (like username or employeeid) from both AD/LDAP to map with RECONCILATION_FIELD? - You can use common attribute stored in username column of saviynt as username/employeeid
02/13/2024 10:14 PM
Ok, so not necessary to always use objectGUID / entryUUID as RECONCILATION_FIELD mapping.
if i am dealing with multiple user sources then any common attribute from both the systems which has a unique value can also be used in RECONCILATION_FIELD mapping.
thanks for clarification and it was really a quick revert.
02/14/2024 05:28 PM
Hi @GauravJain
Yes. Common attribute which is unique should be used for both the systems such as employee id.
Regards,
Dhruv Sharma