We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Is it possible to have multiple sources for user/identity data?

GauravJain
Regular Contributor
Regular Contributor

Hi

Is it possible to have multiple sources for user/identity data in Saviynt? What i mean is, if identity data is present in multiple sources then is it possible in Saviynt to union / aggregate those data sets from  different sources and then import in Users table?

Or 

is there any other way to achieve this task in Saviynt?

Regards

Gaurav

 

11 REPLIES 11

rushikeshvartak
All-Star
All-Star

You can have data coming from different data source but username / unique attribute should be there.

For example :

  • Users coming from workday
  • Email is getting updated from Azure

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak Can you provide some more information or document links on how to achieve this in Saviynt?

For example, if we want to fetch users data from both LDAP and AD which have a common attribute like username or employee id or email, based on which the data should be aggregated and then inserted in Users  table.

You can follow standard Connector documentation for same,


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @rushikeshvartak not sure if i get what you are saying. let me further clarify on your point

So for example, if i am using LDAP connector for importing users data (where username is unique). created a import job for this and uploaded data in Users table.

Now, i can have another connector like AD (again username is unique), created another import job for this. Execution of this job will overwrite user attributes fetched from AD if username matches with existing data in users table, correct?

secondly, if AD has more username's then LDAP then such data will be inserted in Users table , correct?

third, if LDAP has more username's then those wont be impacted, correct?

is my understanding correct? is there anything further it can do?

GauravJain
Regular Contributor
Regular Contributor

Hi @rushikeshvartak Can please share an update on this? or can you get any updates from Saviynt engineering team on this? 

if anyone else have any idea, please share your experience on this requirement.

GauravJain
Regular Contributor
Regular Contributor

Hi All - can someone look into this issue and revert?

i have raised a support ticket as well to understand this but they are asking to post it again on forums and they will push forum team to respond back. its a deadlock situation.

Hi @GauravJain  

Could you please provide detailed business use case to help us better understand the scenario better and answer your question correctly.

1. Do you want to use certain attributes from source1 (AD) and certain other attributes from source 2 (Example-LDAP)? Will there be some common attributes to be imported from 2 different sources?
2. What will be the unique field which you want to use as reconciliation field in both the sources ?
3. Does the same user exists in two different sources- example AD and LDAP and is there exists a unique field mapping the same user in two different sources ? Is there any estimate of number of users present in both the sources?

You can import data from multiple sources. Data will be mapped in the users table as per the mappings done in the connector configuration for the users matched in the reconciliation field. Both the sources should have common reconciliation ID attribute for each of the user. Otherwise, it may create duplicate users.

 1. if I am using LDAP connector for importing users data (where username is unique). created a import job for this and uploaded data in Users table. Now, i can have another connector like AD (again username is unique), created another import job for this. Execution of this job will overwrite user attributes fetched from AD if username matches with existing data in users table, correct?

YES. The 2nd job run will overwrite the existing (common) fields updated by the 1st job if those fields are part of the 1st job import as well. This will create a loop of overwrites where the same attributes will get overwritten by every job in every import. This might create a problem where same field getting changed again and again (Audit issues/Inconsistent profile at different point of times). There may be other unwanted consequences where a task exist to update an attribute from job1 but the same attribute get updated by another job meanwhile resulting those previous tasks to fail.

To avoid such issues, there should be different set of attributes from different sources and common attribute should not be part of import from both the sources. An example of this will be all the attributes imported from AD but few different attributes imported from source2 where source2 will be used only for those particular attributes.

2. secondly, if AD has more username's then LDAP then such data will be inserted in Users table, correct?
YES

3. third, if LDAP has more username's then those wont be impacted, correct?
YES

is my understanding correct? is there anything further it can do? YES. However, all the dependencies need to be carefully taken care.


Regards,

Dhruv Sharma

Hi @Dhruv_Sharma thank you so much for explaining things in detail. I will come back with our details requirements soon.

in the meantime, can you also clarify the role of username & RECONCILATION_FIELD. Saviynt says, username must be unique in both AD/LDAP connector documentation for user import. whats the significance of this? 

Also, AD documentation says RECONCILATION_FIELD is always mapped to objectGUID for AD and may be entryUUID for LDAP.

So, are you saying that the value for objectGUID for a user record in AD must match the value of entryUUID in LDAP for the same user record, so that same record gets updated in Saviynts user table when both the jobs run after one another? but this seems to be impossible as the values generated for objectGUID /entryUUID in both the systems will be different. so in such case which attribute can be used to merge data coming from 2 different systems (AD & LDAP)? can we use any other common user attribute (like username or employeeid) from both AD/LDAP to map with RECONCILATION_FIELD?

Please ask for more information if my query is confusing.

in the meantime, can you also clarify the role of username & RECONCILATION_FIELD. Saviynt says, username must be unique in both AD/LDAP connector documentation for user import. whats the significance of this?  User name is used for login purpose and it should be unique

Also, AD documentation says RECONCILATION_FIELD is always mapped to objectGUID for AD and may be entryUUID for LDAP. - It should be unique in target application

 

So, are you saying that the value for objectGUID for a user record in AD must match the value of entryUUID in LDAP for the same user record, so that same record gets updated in Saviynts user table when both the jobs run after one another? but this seems to be impossible as the values generated for objectGUID /entryUUID in both the systems will be different. so in such case which attribute can be used to merge data coming from 2 different systems (AD & LDAP)? can we use any other common user attribute (like username or employeeid) from both AD/LDAP to map with RECONCILATION_FIELD? - You can use common attribute stored in username column of saviynt as username/employeeid


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Ok, so not necessary to always use objectGUID / entryUUID as RECONCILATION_FIELD mapping.

if i am dealing with multiple user sources then any common attribute from both the systems which has a unique value can also be used in RECONCILATION_FIELD mapping. 

thanks for clarification and it was really a quick revert.

Hi @GauravJain 

Yes. Common attribute which is unique should be used for both the systems such as employee id.

Regards,

Dhruv Sharma