03/14/2024 11:40 AM - edited 03/14/2024 11:41 AM
Hello,
We've encountered an issue regarding the account status within our Saviynt endpoint, and we're seeking some insights or guidance on resolving it.
We're utilizing a REST connector to interface with an on-premises Active Directory Exchange Server. Our integration involves invoking PowerShell scripts. We're employing ImportAccountEntJSON to reconcile user account statuses from the target system.
This process has been working in these areas:
However, we've hit a roadblock when it comes to handling accounts that are not found on the target system. According to our expectations, these accounts should be automatically switched to a SUSPENDED status in Saviynt. However, upon checking the accounts tab in the endpoint within Saviynt, we're not seeing any accounts listed as suspended.
We've double-checked our configurations and mappings, but we're still unable to determine why the suspended status isn't reflecting accurately in Saviynt.
ImportAccountEntJSON
{
  "accountParams": {
    "connection": "********",
    "processingType": "SequentialAndIterative",
    "call": {
      "call1": {
        "callOrder": 0,
        "stageNumber": 0,
        "http": {
          "url": "********",
          "httpParams": "{\"Script\":\"\\$username = '********'; \\$password = '${connection.PS_Password}' | ConvertTo-SecureString -AsPlainText -Force; \\$mycred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ('********', \\$password); \\$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri '********' -Credential \\$mycred -Authentication kerberos; Import-PSSession \\$Session -DisableNameChecking -AllowClobber; Get-RemoteMailbox -IgnoreDefaultScope -ResultSize Unlimited | Select Name,SamAccountName,UserPrincipalName,AddressListMembership,Alias,DisplayName,PrimarySmtpAddress,Identity,Guid,RecipientType,RecipientTypeDetails,RemoteRecipientType\"}",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpMethod": "POST"
        },
        "statusAndThresholdConfig": {
          "statusColumn": "customproperty9",
          "activeStatus": [
            "ProvisionMailbox"
          ],
          "deleteLinks": true,
          "accountThresholdValue": 400,
          "correlateInactiveAccounts": true,
          "inactivateAccountsNotInFile": true
        },
        "keyField": "accountID",
        "colsToPropsMap": {
          "name": "Name~#~char",
          "accountID": "SamAccountName~#~char",
          "displayname": "DisplayName~#~char",
          "customproperty1": "UserPrincipalName~#~char",
          "customproperty2": "PrimarySmtpAddress~#~char",
          "customproperty3": "Alias~#~char",
          "customproperty4": "RecipientType~#~char",
          "customproperty5": "RecipientTypeDetails~#~char",
          "customproperty6": "Identity~#~char",
          "customproperty7": "Guid~#~char",
          "customproperty8": "AddressListMembership~#~char",
          "customproperty9": "RemoteRecipientType~#~char"
        }
      }
    }
  }
}
Sample PowerShell response for one user (running the PS script on the server):
RemoteRecipientType : ProvisionMailbox
Name : Hire60 Saviynt60
SamAccountName : hirsavi2
UserPrincipalName : hirsavi2@********.com
AddressListMembership : {\All Recipients(VLV), \Default Global Address List, \All Users}
Alias : hirsavi2
DisplayName : Hire60 Saviynt60
PrimarySmtpAddress : hirsavi2@********.com
Identity : ********.com/********/********/Hire60 Saviynt60
Guid : 5f2d60f1-991c-4ca8-9f96-945ce0ee50be
RecipientType : MailUser
RecipientTypeDetails : RemoteUserMailbox
03/14/2024 08:08 PM
Is the status threshold config added?
03/15/2024 02:45 PM
Yes, see this part in the code:
"statusAndThresholdConfig": {
"statusColumn": "customproperty9",
"activeStatus": [
"ProvisionMailbox"
]...
For an account that does not exist in the target anymore, the response from the target will not contain that user's account info. If this user account is not found, it should show as SUSPENDED. It is not working as of now.
03/17/2024 06:10 PM
Do the accounts have customproperty9?
03/18/2024 08:07 AM
Yes, for a sample account I just created using the below test flow:
Create mailbox account from ARS -> Account status turns to ‘Manually Provisioned’ -> Perform Import -> Account status turns to ‘Active’ -> Delete account from target -> Perform import -> Account status stays as ‘Active’
This user has customproperty9 populated in the account from when the user was active on the target. Now that it is gone from the target, it will not be found in the system at all.
03/15/2024 02:21 AM
"inactivateAccountsNotInFile":false
It should be false. If you pass true, it changes active to inactive; if you want suspend, you need to give false.
03/15/2024 02:43 PM
Hi there,
I tried this, it's probably helping, but it's still not working yet.
03/21/2024 02:32 PM
Does anyone know how Saviynt interprets the data when running an import? Does it take the list of users from the PowerShell response and correlate them with the respective accounts in Saviynt? Or does it search for the existing Saviynt accounts in the PowerShell response, and if the account is not found, suspend it?
03/21/2024 06:41 PM
Ideally it takes all accounts from the import, and if any account does not come from the import, it is considered as SFIS.
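
A simplified model of the reconciliation behaviour discussed in this thread, added here as an example; it is not Saviynt's code. The function name, the status strings, the account `olduser1`, and the reading of `accountThresholdValue` as a guard that skips the update when too many accounts are missing are assumptions.

```python
# Added example: a toy model of import reconciliation, NOT Saviynt's implementation.
# Status strings are constructed labels for illustration.
ACTIVE, INACTIVE, SUSPENDED = "Active", "Inactive", "SUSPENDED"

def reconcile(existing, rows, cfg):
    """existing: {accountID: status} already stored; rows: dicts returned by the target.
    Returns (new_statuses, missing_account_ids, missing_handling_applied)."""
    seen = {}
    for row in rows:
        acct = row.get("SamAccountName")      # keyField source column in the thread's mapping
        if not acct:
            continue                          # a row without a key cannot be correlated
        status_value = row.get("RemoteRecipientType")   # feeds statusColumn (customproperty9)
        seen[acct] = ACTIVE if status_value in cfg["activeStatus"] else INACTIVE

    result = dict(existing)
    result.update(seen)

    # Accounts that were active before but are absent from this import.
    missing = sorted(a for a, s in existing.items() if a not in seen and s == ACTIVE)

    # Assumed guard: if more accounts are missing than the threshold allows, treat the
    # import as suspect (empty or partial response) and leave stored statuses untouched.
    if len(missing) > cfg["accountThresholdValue"]:
        return result, missing, False

    # Per the reply above: true -> inactive, false -> suspended.
    new_status = INACTIVE if cfg["inactivateAccountsNotInFile"] else SUSPENDED
    for acct in missing:
        result[acct] = new_status
    return result, missing, True

if __name__ == "__main__":
    cfg = {"activeStatus": ["ProvisionMailbox"],
           "inactivateAccountsNotInFile": False,
           "accountThresholdValue": 400}
    # Constructed data: hirsavi2 is from the thread's sample, olduser1 is hypothetical.
    existing = {"hirsavi2": ACTIVE, "olduser1": ACTIVE}
    rows = [{"SamAccountName": "hirsavi2", "RemoteRecipientType": "ProvisionMailbox"}]
    print(reconcile(existing, rows, cfg))
    # An empty response with a low threshold changes nothing instead of suspending everyone.
    print(reconcile(existing, [], dict(cfg, accountThresholdValue=1)))
```

In this model an empty or truncated response from the PowerShell call is indistinguishable from every account having been deleted, which is why it is worth confirming what the import job actually received before changing the flags.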