07/11/2024 06:12 AM
Hi Team,
We have an LDAP-based AD connector that removes group and account linking on all accounts when an account import job runs. It gets linked back when we run the access import job.
We have the below config in the STATUS_THRESHOLD_CONFIG.
"deleteAccEntForActiveAccounts":false
We also have the below in the CONNECTION CONFIGURATION field at the Endpoint level.
{"conf":[{"ADDMEMBERTOENT":"TRUE"},{"ADDUSERTOENT":"TRUE"}]}
Do you see if there is any config that we are missing or is this an issue?
Thanks for your help in advance.
Regards,
Bharadwaj Y.
07/11/2024 06:45 AM
Share full STATUS_THRESHOLD_CONFIG.
07/11/2024 06:51 AM
Hi @rushikeshvartak,
Please see below:
{
"statusAndThresholdConfig":
{
"statusColumn":"customproperty24",
"activeStatus":["pending","Pending","active","Active","66048"],
"deleteLinks": false,
"accountThresholdValue" : 100000,
"correlateInactiveAccounts":true,
"inactivateAccountsNotInFile":false,
"deleteAccEntForActiveAccounts":false
}
}
Regards,
Bharadwaj Y.
07/11/2024 06:52 AM
Remove "deleteAccEntForActiveAccounts":false
}
07/11/2024 07:02 AM
Even after removing the "deleteAccEntForActiveAccounts": false, the job still behaves the same.
Regards,
Bharadwaj Y.
07/11/2024 06:53 AM
Hi @ybharadwaj319, can you share the groupmapping JSON?
07/11/2024 07:06 AM
Hi @NM,
Please see below:
{
"importGroupHierarchy": "false",
"entitlementTypeName": "member",
"importnestedmembershipoutofscope": "false",
"groupAccountMappingAttributeName": "member",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectClass=Group)",
"incrementalTimeField": "modifyTimestamp",
"mapping": "memberHash:member_char,entitlement_value:entryDN_char,entitlement_glossary:description_char,displayName:cn_char,customProperty2:odsGenDirStrE011_char,lastscandate:modifyTimestamp_customDate--yyyyMMddHHmmss,updatedate:modifyTimestamp_customDate--yyyyMMddHHmmss,createdate:createtimestamp_customDate--yyyyMMddHHmmss,RECONCILATION_FIELD:entitlement_value,customproperty4:owner_char",
"entitlementOwnerAttribute": "owner",
"tableFieldAttribute": "accountID"
}
Regards,
Bharadwaj Y.
07/11/2024 07:08 AM
"entitlementTypeName": "memberOf",
07/11/2024 07:08 AM - edited 07/11/2024 07:11 AM
@ybharadwaj319 try this
{
"importGroupHierarchy": "false",
"entitlementTypeName": "memberOf",
"importnestedmembershipoutofscope": "false",
"groupAccountMappingAttributeName": "memberOf",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectClass=Group)",
"incrementalTimeField": "modifyTimestamp",
"mapping": "memberHash:member_char,entitlement_value:entryDN_char,entitlement_glossary:description_char,displayName:cn_char,customProperty2:odsGenDirStrE011_char,lastscandate:modifyTimestamp_customDate--yyyyMMddHHmmss,updatedate:modifyTimestamp_customDate--yyyyMMddHHmmss,createdate:createtimestamp_customDate--yyyyMMddHHmmss,RECONCILATION_FIELD:entitlement_value,customproperty4:owner_char",
"entitlementOwnerAttribute": "owner",
"tableFieldAttribute": "accountID"
}
07/12/2024 12:47 AM
Actually we defined the entitlement type as member, and hence we are using the same.
But I tried as suggested and the account import job still behaves the same even after updating the "entitlementTypeName" and "groupAccountMappingAttributeName" to memberOf.
In fact, by doing so even the access import job does not import any members due to conflict in entitlement type.
Regards,
Bharadwaj Y.
07/12/2024 08:29 AM
Did you also rename the entitlement type name?
07/15/2024 12:13 AM
Yes I renamed it too.
Regards,
Bharadwaj Y.
07/15/2024 07:24 AM
Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.
‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️
07/19/2024 04:49 AM
@rushikeshvartak please see below, if this helps.
I scoped the objectFilter to a single user and tested the account import.
2024-07-19T16:50:00+05:30-ecm-worker-services.ImportUtilityService-quartzScheduler_Worker-6-wtxt7-DEBUG-Start takeAccountsNotInImportAction: params - [jobID:*********, importType:full, statusAndThresholdJSONMap:[statusColumn:customproperty24, activeStatus:[pending, Pending, active, Active, 66048], deleteLinks:false, accountThresholdValue:1000000, correlateInactiveAccounts:true, inactivateAccountsNotInFile:false, deleteAccEntForActiveAccounts:false], endpoint:****************, isApiSuccess:true, jobHistoryMap:[Job-Type:full, Import-Type:accounts, LDAP-Attributes-Imported:[***************], INFO-retryWait-validation:retryWait value is null, setting it to default value 2 seconds, INFO-retryCount-validation:retryCount value is null, setting it to default value 3 , Accounts-Updated:1, Account-Entitlement-Mapping-Deleted:4, Accounts-Activated:0, Accounts-Inactivated:0], statusColumn:customproperty24, activeStatus:[pending, Pending, active, Active, 66048], inactiveStatus:null, deleteLinks:false, correlateInactiveAccounts:true, inactivateAccountsNotInFile:false, setReferenceAccountNull:null, lockedStatusColumn:null, lockedStatusMapping:null, inactiveAccountSet:[], actionableAccountsList:[]]
Regards,
Bharadwaj Y.
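Added example (not part of the thread, and not Saviynt code): a Python check that scans worker log lines of the shape posted above and reports account import runs where Account-Entitlement-Mapping-Deleted is non-zero although deleteLinks and deleteAccEntForActiveAccounts are both logged as false. The sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample lines, shortened from the shape of the log line posted above.
SAMPLE_LINES = [
    "2024-07-19T16:50:00+05:30-ecm-worker-services.ImportUtilityService-DEBUG-Start "
    "takeAccountsNotInImportAction: params - [jobID:1, importType:full, "
    "statusAndThresholdJSONMap:[deleteLinks:false, deleteAccEntForActiveAccounts:false], "
    "jobHistoryMap:[Import-Type:accounts, Accounts-Updated:1, "
    "Account-Entitlement-Mapping-Deleted:4], deleteLinks:false]",
    "DEBUG-Start takeAccountsNotInImportAction: params - [jobID:2, "
    "statusAndThresholdJSONMap:[deleteLinks:false, deleteAccEntForActiveAccounts:false], "
    "jobHistoryMap:[Import-Type:accounts, Account-Entitlement-Mapping-Deleted:0]]",
    "DEBUG-Start takeAccountsNotInImportAction: params - [jobID:3, "
    "statusAndThresholdJSONMap:[deleteLinks:true, deleteAccEntForActiveAccounts:false], "
    "jobHistoryMap:[Import-Type:accounts, Account-Entitlement-Mapping-Deleted:7]]",
]
MARKER = "takeAccountsNotInImportAction"
FLAGS = ("deleteLinks", "deleteAccEntForActiveAccounts")


def parse_import_line(line):
    """Extract job id, import type, delete flags and deleted-mapping count from one line."""
    if MARKER not in line:
        return None

    def grab(pattern):
        match = re.search(pattern, line)
        return match.group(1) if match else None

    deleted = grab(r"Account-Entitlement-Mapping-Deleted:(\d+)")
    return {
        "job_id": grab(r"jobID:([^,\]]+)"),          # may be masked, e.g. ****
        "import_type": grab(r"Import-Type:(\w+)"),
        "flags": {f: grab(rf"\b{f}:(true|false)") for f in FLAGS},
        "deleted": int(deleted) if deleted else 0,
    }


def unexpected_deletions(lines):
    """Return account-import records that deleted mappings with both flags logged false."""
    findings = []
    for line in lines:
        rec = parse_import_line(line)
        if rec is None or rec["import_type"] != "accounts":
            continue
        # A flag missing from the line is not treated as false.
        flags_off = all(value == "false" for value in rec["flags"].values())
        if flags_off and rec["deleted"] > 0:
            findings.append(rec)
    return findings
```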
07/15/2024 05:48 AM
@ybharadwaj319, can you share your connection configuration ss?
07/19/2024 12:05 AM - last edited on 07/19/2024 01:13 AM by Sunil
Please see below, but let me know if you are looking for something more specific.
Regards,
Bharadwaj Y.
[This message has been edited by moderator to mask company logo]
07/19/2024 12:22 AM
Hi @ybharadwaj319, you should change the LDAP_OR_AD field to AD
and configuration below that as well if you can share...
07/29/2024 05:18 AM
We are also facing the same issue. @ybharadwaj319, did you get any resolution for this issue?
07/29/2024 07:45 AM
@sonamchikorde not yet, I have also created a ticket with Saviynt for the same, but we made no progress yet.
07/29/2024 07:48 AM
Did you validate in v24.7?
07/29/2024 09:18 AM
We do not have our environment upgraded to v24.7.
But do you see this as an issue with the other environments?
Is there any documentation that would help?
Regards,
Bharadwaj Y.
07/29/2024 11:40 AM
07/30/2024 04:58 AM
We validated in v24.7, issue still exists.
07/30/2024 08:53 PM
It was working before?
08/01/2024 04:50 AM
No, it was not working before also.