08/20/2023 11:55 PM
Hi Team,
We are facing an issue in Remove account json for ADSI connector.
We are trying to pass the "UserAccountControl": 514 in Remove account json but the updates are not pushed into accounts.
Sample Json:
{
  "objects": [
    {
      "distinguishedName": "${account.accountID}",
      "removeAction": "DELETE",
      "deleteChildObjects": false
    }
  ],
  "attributes": {
    "userAccountControl": 514
  }
}
Thanks,
Sai Meghana
08/21/2023 12:27 AM
Hello @saimeghana,
Can you please ensure that Password Policy is specified in Admin > Identity Repository > Security System > Policy Rule.
Thanks,
08/21/2023 01:16 AM
08/21/2023 01:29 AM
Hello @saimeghana,
Can you try with this,
{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\\/')}",
      "password": "${password}",
      "deleteAllGroups": false,
      "attributes": {
        "userAccountControl": 514
      }
    }
  ]
}
Thanks,
08/21/2023 10:03 AM
Hi @sudeshjaiswal,
Tried with the above JSON; it is passing the 514 to the accounts, but the status of the account should change to "suspended from import" after the recon, and instead it is changing to inactive.
Thanks,
Sai Meghana
08/21/2023 11:07 AM
inactivateAccountsNotInFile
Specify the account attribute mapped with the account status along with the values to be considered for imported accounts in the STATUS_THRESHOLD_CONFIG parameter. You can also specify the threshold limit enforced in full account import to prevent bulk update of missing accounts due to API errors, processing errors, or misconfiguration of import parameters such as status or account filters. The status of missing accounts is updated as inactive or deleted (SUSPENDED FROM IMPORT SERVICE) if the count is within the threshold limit.
This parameter takes precedence over the value in the statusAndThresholdConfig variable specified in the ImportAccountEntJSON parameters.
To specify status and threshold configurations for REST, use the following example:
{
  "statusAndThresholdConfig": {
    "accountThresholdValue": 100,
    "inactivateAccountsNotInFile": true,
    "statusColumn": "customproperty30",
    "activeStatus": ["ENABLE", "PROVISIONED"],
    "inactivateEntsNotInFeed": true,
    "entThresholdValue": {
      "entType": {
        "Group": { "ent": 100 },
        "Role": { "ent": 100 }
      }
    }
  }
}
The attributes supported in STATUS_THRESHOLD_CONFIG are described below:
statusColumn: Specify the account attribute mapped with the status of the account.
activeStatus: Specify all possible values that indicate the active status of the accounts in the target application. All accounts that do not have these status values are marked as inactive.
From Release v23.2, if you do not specify status values in activeStatus configurations, all accounts that were imported are marked as active.
accountThresholdValue: Specify the threshold value that you want the connector to use for inactivating or deleting accounts missing from import. For example, if the threshold limit is set to 1000, and if the number of missing accounts exceeds this value, the connector does not change the status of these accounts.
The account threshold check is not performed while importing accounts to child endpoints.
From Release v23.2,
If an error occurs during the account import,
The connector evaluates the status of newly imported and existing accounts and updates the status based on the value specified in the statusColumn attribute.
The connector does not update the status of accounts that are missed or failed to import, and does not delete the account-entitlement mappings.
If you specify a decimal value for accountThresholdValue, for example 1.5, the connector considers the default value (1000).
During account import, if the number of missing accounts exceeds the value that you specified in accountThresholdValue, a detailed message is displayed in the Job Details page. The message includes the count of accounts missing from import and the account threshold limit that you configured in accountThresholdValue.
If you specify an incorrect value or no value for these configurations, for example 0 or abc for deleteLinks or REST2000 for accountThresholdValue, the connector considers the default value for these configurations.
inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, accounts that are not imported during import are marked as inactive. When set to false, accounts that are not imported during import are marked as SUSPENDED FROM IMPORT SERVICE. The default value is false.
inactivateEntsNotInFeed: Specify true or false to instruct the connector to mark entitlements that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, entitlements that are not imported during import are marked as inactive. When set to false, entitlements that are not imported during import are marked as SUSPENDED FROM IMPORT SERVICE. The default value is false.
entThresholdValue: Specify the threshold value that the connector can use to inactivate the entitlements during import. If the number of entitlements specified exceeds the threshold value, no action is taken on the existing entitlements. Otherwise, the entitlements are set as inactive.
Thanks,
Devang Gandhi
If this reply answered your question, please Accept As Solution and give Kudos to help others who may have a similar problem.
08/21/2023 11:58 AM
Hi Gandhi
We are using ADSI connector.
Thanks,
Sai Meghana
08/21/2023 12:02 PM
Specify the account attribute mapped with the account status along with the values to be considered for imported accounts in the STATUS_THRESHOLD_CONFIG parameter. You can also specify the threshold limit enforced in full account import to prevent bulk update of missing accounts due to API errors, processing errors, or misconfiguration of import parameters such as status or account filters. The status of missing accounts is updated as inactive or deleted (SUSPENDED FROM IMPORT SERVICE) if the count is within the threshold limit.
You must pass the value of statusColumn, activeStatus, and accountThresholdValue in this parameter. The statusColumn and activeStatus parameters are mandatory.
To define the status and threshold details for account import, use a format similar to the following:
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty24",
    "activeStatus": ["512", "544", "66048"],
    "deleteLinks": true,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}
The attributes supported in STATUS_THRESHOLD_CONFIG are described below:
statusColumn: Specify the account attribute mapped with the status of the account.
activeStatus: Specify all possible values that indicate the active status of the accounts in the target application. All accounts that do not have these status values are marked as inactive.
From Release v23.2 onwards, if you do not specify status values in activeStatus configuration, all accounts that were imported are marked as active.
deleteLinks: Specify true or false to instruct the connector to remove or retain entitlements associated with accounts missing from import. When set to true, entitlements associated with missing accounts are removed. The default value is false.
accountThresholdValue: Specifies the threshold value that you want the connector to use for inactivating or deleting accounts missing from import. For example, if the threshold limit is set to 1000, and if the number of missing accounts exceeds this value, the connector does not change the status of these accounts. The default value is 1000.
The account threshold check is not performed while importing accounts to child endpoints.
From Release v23.2 onwards,
If an error occurs during the account import,
The connector evaluates the status of newly imported and existing accounts and updates the status based on the value specified in the statusColumn attribute.
The connector does not update the status of accounts that are missed or failed to import, and does not delete the account-entitlement mappings.
If you specify a decimal value for accountThresholdValue, for example 1.5, the connector considers the default value (1000).
During account import, if the number of missing accounts exceeds the value that you specified in accountThresholdValue, a detailed message is displayed in the Job Details page. The message includes the count of accounts missing from import and the account threshold limit that you configured in accountThresholdValue.
Review the following while defining this configuration:
If you do not want to perform an account threshold check, specify accountThresholdValue as zero or a negative value, for example 0 or -1.
From Release v23.2 onwards, if you specify a non-integer value or no value for these configurations, for example 0 or abc for deleteLinks or ADSI2000 for accountThresholdValue, the connector considers the default value for these configurations.
inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, accounts that are not imported during import are marked as inactive. The default value is false.
correlateInactiveAccounts: Specify true or false to instruct the connector to remove or retain users associated with inactive accounts. When set to true, users associated with inactive accounts are retained. The default value is false.
Based on the values mentioned in customproperty for statusColumn, the connector matches one of the values mentioned in activeStatus. If the customproperty value for account is set as 512 and if it is present in activeStatus, then the account status is set as active. So you can configure any value other than the ones mentioned above based on the values present in Active Directory.
During incremental import, the connector does not perform the account threshold check and also does not inactivate accounts missing from import.
From Release v23.2 onwards, if the JSON format used in STATUS_THRESHOLD_CONFIG is incorrect, the import job fails.
For more information, see Video: Improved Status and Threshold Functionality.
Thanks,
Devang Gandhi
08/21/2023 12:00 PM
Hello @saimeghana,
So on the target the remove account is working as expected?
So to change the status of the account you need to add the inactivateAccountsNotInFile to false to mark the account as manually suspended from the import service:
status threshold config:
inactivateAccountsNotInFile: Specify true or false to instruct the connector to mark accounts that are not imported during import as inactive or SUSPENDED FROM IMPORT SERVICE. When set to true, accounts that are not imported during import are marked as inactive. The default value is false.
Thanks
08/21/2023 12:06 PM
Hi @sudeshjaiswal,
Yes, on the target it is working.
Checked; we are passing the same "inactivateAccountsNotInFile": false in the status threshold config.
Thanks,
Sai Meghana
08/21/2023 12:11 PM
Hello @saimeghana ,
Can you please share your status threshold config json?
Thanks
08/21/2023 11:09 PM
Hi @sudeshjaiswal ,
Please find the attached status threshold json
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty7",
    "activeStatus": ["512", "544", "66048"],
    "deleteLinks": false,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}
Thanks,
Sai Meghana
08/22/2023 12:05 AM
Hello @saimeghana,
Can you please use the below status threshold config and try,
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty7",
    "activeStatus": [
      "512",
      "544",
      "2048",
      "2080",
      "66048",
      "66080",
      "65536",
      "262144",
      "262656",
      "419304",
      "524288",
      "1048576",
      "1049088",
      "1114624",
      "2097152",
      "8388608",
      "16777216"
    ],
    "inactiveStatus": [
      "514",
      "546",
      "66050",
      "66082",
      "262658",
      "262690",
      "328194",
      "328226",
      "1049090",
      "1311234"
    ],
    "deleteLinks": false,
    "accountThresholdValue": 1000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}
Thanks,
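Added illustration (not part of any post in this thread and not Saviynt's code): a small Python model of the status rules quoted from the documentation above, plus a check that each value in activeStatus and inactiveStatus agrees with the Active Directory ACCOUNTDISABLE bit of userAccountControl. The function names, the trimmed sample config and the account names are constructed for the example; the "unchanged" label for the over-threshold case is this example's own wording.

```python
import json

ACCOUNTDISABLE = 0x0002  # standard AD userAccountControl bit; 514 = 512 | 2

# Constructed sample in the shape of the configs posted in this thread.
SAMPLE_CONFIG = json.loads("""
{"statusAndThresholdConfig": {
  "statusColumn": "customproperty7",
  "activeStatus": ["512", "544", "66048"],
  "inactiveStatus": ["514", "546", "66050"],
  "accountThresholdValue": 1000,
  "inactivateAccountsNotInFile": false}}
""")["statusAndThresholdConfig"]


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set in a userAccountControl value."""
    return bool(int(uac) & ACCOUNTDISABLE)


def lint_status_lists(cfg):
    """List config values whose placement contradicts the disable bit."""
    problems = [f"activeStatus {v} has ACCOUNTDISABLE set"
                for v in cfg.get("activeStatus", []) if is_disabled(v)]
    problems += [f"inactiveStatus {v} lacks ACCOUNTDISABLE"
                 for v in cfg.get("inactiveStatus", []) if not is_disabled(v)]
    return problems


def expected_status(imported, known_accounts, cfg):
    """imported: account -> statusColumn value seen in this full import."""
    active = [str(v) for v in cfg.get("activeStatus", [])]
    missing = [a for a in known_accounts if a not in imported]
    limit = cfg.get("accountThresholdValue", 1000)
    over_limit = limit > 0 and len(missing) > limit  # 0 or negative: no check
    result = {}
    for acct, value in imported.items():
        # Empty activeStatus: every imported account counts as active (v23.2).
        result[acct] = "active" if not active or str(value) in active else "inactive"
    for acct in missing:
        if over_limit:
            result[acct] = "unchanged"
        elif cfg.get("inactivateAccountsNotInFile", False):
            result[acct] = "inactive"
        else:
            result[acct] = "SUSPENDED FROM IMPORT SERVICE"
    return result
```

In this model an account that still comes back in the import with 514 in the status column is classified as inactive; only accounts absent from the import reach SUSPENDED FROM IMPORT SERVICE.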
08/22/2023 09:20 AM
Hi @sudeshjaiswal,
Tried with the above statusThreshold config json, still account status was not updated to "suspended from import"
Thanks,
Sai Meghana
08/22/2023 09:49 AM
Hello @saimeghana ,
Please rerun the recon again, and also trace the logs.
Thanks
08/22/2023 10:37 PM
Hello @saimeghana,
You need to move the account to a different OU once the account is disabled.
You have to create one OU in the target and move the account to that OU once the account is disabled.
For example:
DISABLEACCOUNTJSON:-
{
  "moveUsertoOU": "OU=Disabled Accounts,DC=xxxxxx,DC=com",
  "description": "${user.systemUserName}${'Offboarded on ' +(new Date()).format('MM/dd/yyyy')}",
  "userAccountControl": "514"
}
Thanks.