Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

JSON issue resulting in duplicate account

do12
New Contributor III
New Contributor III

Hi

I seem to have an issue with an application where access requests result in duplicate accounts. One is correctly setup in Saviynt and shows manually provisioned when I run the provisioning job. When I run the accounts import job it doesn't link up and ends up with a duplicate showing. Can you check my JSON for any obvious errors please. I've included the ImportAccountEntJSON and the AddAccessJSON where accounts are created (no createaccountJSON or task as that is auto approved and you can't select an account with no entitlements).

26 REPLIES 26

NM
Honored Contributor II
Honored Contributor II

Hi @do12 , in importaccount json you are mapping account id with ID of applications but as you are using add access create account account id will be having different format.

To solve the issue either use create account json and map id recieved from API response

Or in import json map account id with name/username.

Account id field should match at the time of recon and while creating account.

rushikeshvartak
All-Star
All-Star

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III
New Contributor III

Thank you both. I've updated the import json to map account id with name/username. This has worked for now while I attempt a better solution of adding a CreateAccountJSON using your advice.

You should map accountidpath in CreateAccountJSON .

If you need help share api response for ceate account & json


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III
New Contributor III

Hi,

maybe you can help, I've got a CreateAccountJSON and I've updated my ImportAccountEntJSON and I'm still getting two accounts created. Probably something obvious I'm missing, if you spot it please let me know. Both attached here.

 

NM
Honored Contributor II
Honored Contributor II

@do12 ,

can you share create account postman response?

do12
New Contributor III
New Contributor III

here it is:

{
    "userDetail": [
        {
            "uniqueID": "cd8b02fb-23ee-43f9-9513-d66cdb71513c",
            "name": "Test User",
            "description": "",
            "userType": "Interactive",
            "isEnabled": true,
            "externalAuthProviderName": "AzureAD",
            "externalUserName": "test@test.com",
            "email": "test@test.com",
            "text1": "",
            "text2": "",
            "text3": "",
            "text4": ""
        }
    ]
}

NM
Honored Contributor II
Honored Contributor II

Use @do12  this

 

   {
"accountIdPath": "Call1.message.userDetail[0].uniqueID", "responseColsToPropsMap": { "accountID": "Call1.message.userDetail[0].uniqueID~#~char"}, "call": [ { "name": "Call1", "connection": "acctAuth", "url": "https://****.****cloud.com/****Api/api/DataProvider/GetAdoDataSetForAdapter?api-version=5.2.0", "httpMethod": "POST", "httpParams": "{\"BaseWebServerUrl\": \"https://****.****cloud.com/****Web\",\"ApplicationName\": \"Dev\",\"WorkspaceName\": \"Default\",\"AdapterName\": \"REST_CALL\",\"ResultDataTableName\": \"RestAPIResults\",\"CustomSubstVarsAsCommaSeparatedPairs\": \"Method = Add, UserName = ${user.firstname} ${user.lastname}, UserEmail = ${user.email}\"}", "httpHeaders": { "Authorization": "Bearer ${connection.token}" }, "httpContentType": "application/json", "successResponses": { "statusCode": [ 201, 200 ] }, "unsuccessResponses": { "statusCode": [ 400, 401, 404, 403, 500 ] } } ]
}

 

do12
New Contributor III
New Contributor III

Its still showing 2 accounts with same AccountID when I run provisioning job then import accounts job.  Data analyser query shown as attachment.

Call1.message.userDetail.uniqueID

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III
New Contributor III

that's what I started with I attached it earlier

Share logs after wsretry of create account


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III
New Contributor III

logs attached

NM
Honored Contributor II
Honored Contributor II

@do12 trigger the import job again

do12
New Contributor III
New Contributor III

one is deleted now, screenshot attached.  Doesn't look like the right outcome for audit purposes.

NM
Honored Contributor II
Honored Contributor II

@do12 that is the correct behaviour try to create new account from saviynt and see..

do12
New Contributor III
New Contributor III

Thank you, as I've not worked on this platform for long I didn't want to run into any issues with this behaviour in the future but if you're saying its correct I'll accept it.

NM
Honored Contributor II
Honored Contributor II

Hi @do12 just to test everything is working like i mentioned in my previous comment.

Create an account via saviynt and then run an import job and see if it shows 2 account .. if not then it looks good.

 

Please click on kudos button and accept the latest solution 

Thanks.

This is not correct behavior.

  • If user is created from saviynt then account id also should be populated 
  • if user created from saviynt marked as SFIS then it will be controls issue ( out of band / rogue entry
    )
  • You need to fix accountIdPath

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III
New Contributor III

I followed all your steps and config and like I mentioned running import job once shows two accounts one as manually provisioned and one as Active. Then running the import job a second time sets the manually provisioned account to SUSPENDED FROM IMPORT SERVICE.  Previous screenshots I supplied are still valid.

NM
Honored Contributor II
Honored Contributor II

@do12 then that not right ..it is still creating 2 accounts .

Is account id matching for both the accounts?

do12
New Contributor III
New Contributor III

they look identical. Here's attributes for both accounts:

ACCOUNTKEYACCOUNTIDARSTASKKEYCREATED_ONCREATORDISPLAYNAMENAMESTATUS
142144cc173c5a-a6a4-4fed-86e7-b88b7c61d155187630/08/2024 16:09System created Saviynt OneStream7-Deleted on-08-30-2024 16:13SUSPENDED FROM IMPORT SERVICE
142150cc173c5a-a6a4-4fed-86e7-b88b7c61d155   Saviynt OneStream7Saviynt.OneStream7@testcase.com1

Your account name is email in import json vs account name is name only during account creation. Please fix them


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

do12
New Contributor III
New Contributor III

I've changed ImportAccountEntJSON and its working to create only one account now. However I'm unsure of how to adjust acctEntParams as entitlements are not mapping. What do I put for acctKeyField and acctIdPath now?

ImportAccountEntJSON attached and Postman response for group membership here:

{
    "groupMembership": [
        {
            "groupID": "f45e19dc-4a0b-4550-b9a8-580ffc71462d",
            "groupName": "Super_User",
            "description": "",
            "type": "User",
            "memberName": "Mick Jagger",
            "memberEmail": "mick.jagger@email.com"
        }]}

 

 

Please create new thread for new issue 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

NM
Honored Contributor II
Honored Contributor II

Hi @do12 , you haven't defined acctentparam define that ..

Do you have seperate call for each entitlement or for each account?