
Issue in Remove Account Json

saimeghana
Regular Contributor II

Hi Team,

We are facing an issue in Remove account json for ADSI connector.

We are trying to pass the "UserAccountControl": 514 in Remove account json but the updates are not pushed into accounts.

Sample Json:

{
  "objects": [
    {
      "distinguishedName": "${account.accountID}",
      "removeAction": "DELETE",
      "deleteChildObjects": false
    }
  ],
  "attributes": {
    "userAccountControl": 514
  }
}

Thanks,

Sai Meghana

15 REPLIES

sudeshjaiswal
Saviynt Employee

Hello @saimeghana,

Can you please ensure that Password Policy is specified in Admin > Identity Repository > Security System > Policy Rule?


Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

saimeghana
Regular Contributor II

Hi @sudeshjaiswal,

Yes, we have a Policy rule.

Thanks,

Sai Meghana

sudeshjaiswal
Saviynt Employee

Hello @saimeghana,

Can you try with this,
{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\\/')}",
      "password": "${password}",
      "deleteAllGroups": false,
      "attributes": {
        "userAccountControl": 514
      }
    }
  ]
}
Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

saimeghana
Regular Contributor II

Hi @sudeshjaiswal,

Tried with the above JSON; it is passing the 514 to the accounts, but the status of the account should change to "suspended from import" after the recon, and instead it is changing to inactive.

Thanks,

Sai Meghana

Pass below in the config:

inactivateAccountsNotInFile

https://docs.saviyntcloud.com/bundle/REST-v23x/page/Content/Configuring-the-Integration-for-Importin...

 

Defining Status and Threshold Configuration

Specify the account attribute mapped with the account status along with the values to be considered for imported accounts in the STATUS_THRESHOLD_CONFIG parameter. You can also specify the threshold limit enforced in full account import to prevent bulk update of missing accounts due to API errors, processing errors, or misconfiguration of import parameters such as status or account filters. The status of missing accounts is updated as inactive or deleted (SUSPENDED FROM IMPORT SERVICE) if the count is within the threshold limit.

 

Note

This parameter takes precedence over the value in the statusAndThresholdConfig variable specified in the ImportAccountEntJSON parameters.

To specify status and threshold configurations for REST, use the following example:

JSON
{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 100,
    "inactivateAccountsNotInFile": true,
    "statusColumn": "customproperty30",
    "activeStatus": [
      "ENABLE",
      "PROVISIONED"
    ],
    "inactivateEntsNotInFeed": true,
    "entThresholdValue": {
      "entType": {
        "Group": {
          "ent": 100
        },
        "Role": {
          "ent": 100
        }
      }
    }
  }
}

The attributes supported in STATUS_THRESHOLD_CONFIG are described below:

  • statusColumn: Specify the account attribute mapped with the status of the account.

  • activeStatus: Specify all possible values that indicate the active status of the accounts in the target application. All accounts that do not have these status values are marked as inactive.

    Note

    From Release v23.2, if you do not specify status values in activeStatus configurations, all accounts that were imported are marked as active.

  • accountThresholdValue: Specify the threshold value that you want the connector to use for inactivating or deleting accounts missing from import. For example, if the threshold limit is set to 1000, and if the number of missing accounts exceeds this value, the connector does not change the status of these accounts.

     

    Note

    The account threshold check is not performed while importing accounts to child endpoints.

    From Release v23.2,

    • If an error occurs during the account import,

      • The connector evaluates the status of newly imported and existing accounts and updates the status based on the value specified in the statusColumn attribute.

      • The connector does not update the status of accounts that are missed or failed to import, and does not delete the account-entitlement mappings.

    • If you specify a decimal value for accountThresholdValue, for example 1.5, the connector considers the default value (1000).

    • During account import, if the number of missing accounts exceeds the value that you specified in accountThresholdValue, a detailed message is displayed in the Job Details page. The message includes the count of accounts missing from import and the account threshold limit that you configured in accountThresholdValue.

    • If you specify an incorrect value or no value for these configurations, for example 0 or abc for deleteLinks or REST2000 for accountThresholdValue, the connector considers the default value for these configurations.

     

  • inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, accounts that are not imported during import are marked as inactive. When set to false, accounts that are not imported during import are marked as SUSPENDED FROM IMPORT SERVICE. The default value is false.

  • inactivateEntsNotInFeed: Specify true or false to instruct the connector to mark entitlements that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, entitlements that are not imported during import are marked as inactive. When set to false, entitlements that are not imported during import are marked as SUSPENDED FROM IMPORT SERVICE. The default value is false.

  • entThresholdValue: Specify the threshold value that the connector can use to inactivate the entitlements during import. If the number of entitlements specified exceeds the threshold value, no action is taken on the existing entitlements. Otherwise, the entitlements are set as inactive.

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.

saimeghana
Regular Contributor II

Hi Gandhi

We are using ADSI connector.

Thanks,

Sai Meghana 

https://docs.saviyntcloud.com/bundle/ADSI-v23x/page/Content/Configuring-the-Integration-for-Importin...

 

Defining Status and Threshold Configuration

Specify the account attribute mapped with the account status along with the values to be considered for imported accounts in the STATUS_THRESHOLD_CONFIG parameter. You can also specify the threshold limit enforced in full account import to prevent bulk update of missing accounts due to API errors, processing errors, or misconfiguration of import parameters such as status or account filters. The status of missing accounts is updated as inactive or deleted (SUSPENDED FROM IMPORT SERVICE) if the count is within the threshold limit.

Note

You must pass the value of statusColumn, activeStatus, and accountThresholdValue in this parameter. The statusColumn and activeStatus parameters are mandatory.

To define the status and threshold details for account import, use a format similar to the following:

JSON
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty24",
    "activeStatus": ["512", "544", "66048"],
    "deleteLinks": true,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}

The attributes supported in STATUS_THRESHOLD_CONFIG are described below:

  • statusColumn: Specify the account attribute mapped with the status of the account.

  • activeStatus: Specify all possible values that indicate the active status of the accounts in the target application. All accounts that do not have these status values are marked as inactive.

    Note

    From Release v23.2 onwards, if you do not specify status values in activeStatus configuration, all accounts that were imported are marked as active.

  • deleteLinks: Specify true or false to instruct the connector to remove or retain entitlements associated with accounts missing from import. When set to true, entitlements associated with missing accounts are removed. The default value is false.

  • accountThresholdValue: Specifies the threshold value that you want the connector to use for inactivating or deleting accounts missing from import. For example, if the threshold limit is set to 1000, and if the number of missing accounts exceeds this value, the connector does not change the status of these accounts. The default value is 1000.

    Note

    The account threshold check is not performed while importing accounts to child endpoints.

    From Release v23.2 onwards,

    • If an error occurs during the account import,

      • The connector evaluates the status of newly imported and existing accounts and updates the status based on the value specified in the statusColumn attribute.

      • The connector does not update the status of accounts that are missed or failed to import, and does not delete the account-entitlement mappings.

    • If you specify a decimal value for accountThresholdValue, for example 1.5, the connector considers the default value (1000).

    • During account import, if the number of missing accounts exceeds the value that you specified in accountThresholdValue, a detailed message is displayed in the Job Details page. The message includes the count of accounts missing from import and the account threshold limit that you configured in accountThresholdValue.

    Note

    Review the following while defining this configuration:

    • If you do not want to perform an account threshold check, specify accountThresholdValue as zero or a negative value, for example 0 or -1.

    • From Release v23.2 onwards, if you specify a non-integer value or no value for these configurations, for example 0 or abc for deleteLinks or ADSI2000 for accountThresholdValue, the connector considers the default value for these configurations.

  • inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, accounts that are not imported during import are marked as inactive. The default value is false.

  • correlateInactiveAccounts: Specify true or false to instruct the connector to remove or retain users associated with inactive accounts. When set to true, users associated with inactive accounts are retained. The default value is false.

Note

Based on the values mentioned in customproperty for statusColumn, the connector matches one of the values mentioned in activeStatus. If the customproperty value for account is set as 512 and if it is present in activeStatus, then the account status is set as active. So you can configure any value other than the ones mentioned above based on the values present in Active Directory.

Note
  • During incremental import, the connector does not perform the account threshold check and also does not inactivate accounts missing from import.

  • From Release v23.2 onwards, if the JSON format used in STATUS_THRESHOLD_CONFIG is incorrect, the import job fails.

For more information, see Video: Improved Status and Threshold Functionality.

Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.
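
The status rules in the documentation quoted above, modelled as an added example (not part of the thread and not Saviynt connector code). The function names, account names and the "ACTIVE" / "UNCHANGED" labels are assumptions; the userAccountControl bits are the standard Active Directory flag values.

```python
# Added illustration: a model of the documented status rules, not Saviynt connector code.
UAC_FLAGS = {  # Active Directory userAccountControl bits that appear in this thread
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Values copied from the ADSI documentation sample quoted above.
DOC_SAMPLE = {
    "statusColumn": "customproperty24",
    "activeStatus": ["512", "544", "66048"],
    "accountThresholdValue": 1000,
    "inactivateAccountsNotInFile": False,
}

def make_config(**overrides):
    """Build a STATUS_THRESHOLD_CONFIG dict from the documented sample."""
    return {"statusAndThresholdConfig": {**DOC_SAMPLE, **overrides}}

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if int(value) & bit]

def reconcile(existing, imported, config):
    """Status per account after a full import.

    existing: account names already in the repository (constructed input).
    imported: {account name: statusColumn value} returned by this import.
    """
    cfg = config["statusAndThresholdConfig"]
    active = set(cfg.get("activeStatus", []))
    # Imported accounts: active only if the statusColumn value is listed
    # (an empty activeStatus marks every imported account active, v23.2+).
    result = {n: "ACTIVE" if not active or str(v) in active else "INACTIVE"
              for n, v in imported.items()}
    missing = sorted(set(existing) - set(imported))
    threshold = cfg.get("accountThresholdValue", 1000)
    if threshold > 0 and len(missing) > threshold:
        outcome = "UNCHANGED"  # too many missing accounts: status left as is
    elif cfg.get("inactivateAccountsNotInFile", False):
        outcome = "INACTIVE"
    else:
        outcome = "SUSPENDED FROM IMPORT SERVICE"
    result.update({n: outcome for n in missing})
    return result
```

In this model an account that is still returned by the import with a statusColumn value of 514 ends up inactive, while only an account absent from the import result reaches SUSPENDED FROM IMPORT SERVICE.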

Hello @saimeghana,

So on the target the remove account is working as expected?

So to change the status of the account, you need to set inactivateAccountsNotInFile to false to mark the account as manually suspended from the import service:

status threshold config:

Thanks

 

If you find the above response useful, Kindly Mark it as "Accept As Solution".

saimeghana
Regular Contributor II

Hi @sudeshjaiswal,

Yes, on target it is working.

Checked; we are passing the same "inactivateAccountsNotInFile": false in the status threshold config.

Thanks,

Sai Meghana

Hello @saimeghana ,

Can you please share your status threshold config json?

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

saimeghana
Regular Contributor II

Hi @sudeshjaiswal ,

Please find the attached status threshold JSON:

{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty7",
    "activeStatus": ["512", "544", "66048"],
    "deleteLinks": false,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}

Thanks,

Sai Meghana

sudeshjaiswal
Saviynt Employee

Hello @saimeghana,

Can you please use the below status threshold config and try:

{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty7",
    "activeStatus": [
      "512",
      "544",
      "2048",
      "2080",
      "66048",
      "66080",
      "65536",
      "262144",
      "262656",
      "419304",
      "524288",
      "1048576",
      "1049088",
      "1114624",
      "2097152",
      "8388608",
      "16777216"
    ],
    "inactiveStatus": [
      "514",
      "546",
      "66050",
      "66082",
      "262658",
      "262690",
      "328194",
      "328226",
      "1049090",
      "1311234"
    ],
    "deleteLinks": false,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}

Thanks,

If you find the above response useful, Kindly Mark it as "Accept As Solution".

saimeghana
Regular Contributor II

Hi @sudeshjaiswal,

Tried with the above statusThreshold config JSON; still the account status was not updated to "suspended from import".

Thanks,

Sai Meghana

Hello @saimeghana ,

Please rerun the recon again, and also trace the logs.

Thanks

If you find the above response useful, Kindly Mark it as "Accept As Solution".

sudeshjaiswal
Saviynt Employee

Hello @saimeghana,

You need to move the account to a different OU once the account is disabled.
You have to create one OU in the Target and move the account to that OU once the account is disabled.

For example:

DISABLEACCOUNTJSON:

{
  "moveUsertoOU": "OU=Disabled Accounts,DC=xxxxxx,DC=com",
  "description": "${user.systemUserName}${'Offboarded on ' +(new Date()).format('MM/dd/yyyy')}",
  "userAccountControl": "514"
}

Thanks.




If you find the above response useful, Kindly Mark it as "Accept As Solution".