
LDAP AD Connector Accounts Import Job removes group linking

ybharadwaj319
New Contributor III

Hi Team,

We have an LDAP-based AD connector that removes group and account linking on all accounts when an account import job runs. It gets linked back when we run the access import job.

We have the below config in the STATUS_THRESHOLD_CONFIG.

"deleteAccEntForActiveAccounts":false

We also have the below in the CONNECTION CONFIGURATION field at the Endpoint level.

{"conf":[{"ADDMEMBERTOENT":"TRUE"},{"ADDUSERTOENT":"TRUE"}]}

 

Do you see if there is any config that we are missing or is this an issue?

Thanks for your help in advance.

Regards,

Bharadwaj Y.


rushikeshvartak
All-Star

Share full STATUS_THRESHOLD_CONFIG.


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.

Hi @rushikeshvartak,

Please see below:

{
"statusAndThresholdConfig":
{
"statusColumn":"customproperty24",
"activeStatus":["pending","Pending","active","Active","66048"],
"deleteLinks": false,
"accountThresholdValue" : 100000,
"correlateInactiveAccounts":true,
"inactivateAccountsNotInFile":false,
"deleteAccEntForActiveAccounts":false
}
}

Regards,

Bharadwaj Y.

Remove "deleteAccEntForActiveAccounts":false


Regards,
Rushikesh Vartak

Even after removing the "deleteAccEntForActiveAccounts": false, the job still behaves the same.

Regards,

Bharadwaj Y.

NM
Valued Contributor III

Hi @ybharadwaj319, can you share the groupmapping JSON?

ybharadwaj319
New Contributor III

Hi @NM,

Please see below:

{
"importGroupHierarchy": "false",
"entitlementTypeName": "member",
"importnestedmembershipoutofscope": "false",
"groupAccountMappingAttributeName": "member",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectClass=Group)",
"incrementalTimeField": "modifyTimestamp",
"mapping": "memberHash:member_char,entitlement_value:entryDN_char,entitlement_glossary:description_char,displayName:cn_char,customProperty2:odsGenDirStrE011_char,lastscandate:modifyTimestamp_customDate--yyyyMMddHHmmss,updatedate:modifyTimestamp_customDate--yyyyMMddHHmmss,createdate:createtimestamp_customDate--yyyyMMddHHmmss,RECONCILATION_FIELD:entitlement_value,customproperty4:owner_char",
"entitlementOwnerAttribute": "owner",
"tableFieldAttribute": "accountID"
}

Regards,

Bharadwaj Y.

Refer https://forums.saviynt.com/t5/identity-governance/groups-not-imported-for-ldap-connection-using-grou...

"entitlementTypeName": "memberOf",


Regards,
Rushikesh Vartak

NM
Valued Contributor III

@ybharadwaj319 try this

{
"importGroupHierarchy": "false",
"entitlementTypeName": "memberOf",
"importnestedmembershipoutofscope": "false",
"groupAccountMappingAttributeName": "memberOf",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectClass=Group)",
"incrementalTimeField": "modifyTimestamp",
"mapping": "memberHash:member_char,entitlement_value:entryDN_char,entitlement_glossary:description_char,displayName:cn_char,customProperty2:odsGenDirStrE011_char,lastscandate:modifyTimestamp_customDate--yyyyMMddHHmmss,updatedate:modifyTimestamp_customDate--yyyyMMddHHmmss,createdate:createtimestamp_customDate--yyyyMMddHHmmss,RECONCILATION_FIELD:entitlement_value,customproperty4:owner_char",
"entitlementOwnerAttribute": "owner",
"tableFieldAttribute": "accountID"
}

ybharadwaj319
New Contributor III

@NM @rushikeshvartak ,

Actually we defined the entitlement type as member, and hence we are using the same.

But I tried as suggested and the account import job still behaves the same even after updating the "entitlementTypeName" and "groupAccountMappingAttributeName" to memberOf.

In fact, by doing so even the access import job does not import any members due to conflict in entitlement type.

Regards,

Bharadwaj Y.

Did you also rename the entitlement type name?


Regards,
Rushikesh Vartak

Yes I renamed it too.

Regards,

Bharadwaj Y.

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues.



‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️


Regards,
Rushikesh Vartak

@rushikeshvartak please see below, if this helps.

I scoped the objectFilter to a single user and tested the account import.

2024-07-19T16:50:00+05:30-ecm-worker-services.ImportUtilityService-quartzScheduler_Worker-6-wtxt7-DEBUG-Start takeAccountsNotInImportAction: params - [jobID:*********, importType:full, statusAndThresholdJSONMap:[statusColumn:customproperty24, activeStatus:[pending, Pending, active, Active, 66048], deleteLinks:false, accountThresholdValue:1000000, correlateInactiveAccounts:true, inactivateAccountsNotInFile:false, deleteAccEntForActiveAccounts:false], endpoint:****************, isApiSuccess:true, jobHistoryMap:[Job-Type:full, Import-Type:accounts, LDAP-Attributes-Imported:[***************], INFO-retryWait-validation:retryWait value is null, setting it to default value 2 seconds, INFO-retryCount-validation:retryCount value is null, setting it to default value 3 , Accounts-Updated:1, Account-Entitlement-Mapping-Deleted:4, Accounts-Activated:0, Accounts-Inactivated:0], statusColumn:customproperty24, activeStatus:[pending, Pending, active, Active, 66048], inactiveStatus:null, deleteLinks:false, correlateInactiveAccounts:true, inactivateAccountsNotInFile:false, setReferenceAccountNull:null, lockedStatusColumn:null, lockedStatusMapping:null, inactiveAccountSet:[], actionableAccountsList:[]]

ybharadwaj319_1-1721389765257.png

Regards,

Bharadwaj Y.
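
A check for the symptom visible in the DEBUG line above, as an added example that is not part of the original posts or Saviynt's code: it parses the logged parameters, counts entitlement links deleted while both delete settings are logged as false, and diffs the logged settings against the STATUS_THRESHOLD_CONFIG posted earlier. The log line is abridged from the post, the function names are hypothetical, and treating those two settings as the ones that should prevent deletion is an assumption drawn from the thread.

```python
import json
import re

# Abridged from the DEBUG line posted above; masked values kept as posted.
LOG_LINE = (
    "2024-07-19T16:50:00+05:30-ecm-worker-services.ImportUtilityService-"
    "quartzScheduler_Worker-6-wtxt7-DEBUG-Start takeAccountsNotInImportAction: "
    "params - [jobID:*********, importType:full, statusAndThresholdJSONMap:"
    "[statusColumn:customproperty24, deleteLinks:false, "
    "accountThresholdValue:1000000, correlateInactiveAccounts:true, "
    "inactivateAccountsNotInFile:false, deleteAccEntForActiveAccounts:false], "
    "jobHistoryMap:[Job-Type:full, Import-Type:accounts, Accounts-Updated:1, "
    "Account-Entitlement-Mapping-Deleted:4, Accounts-Inactivated:0]]"
)

# STATUS_THRESHOLD_CONFIG as posted earlier in the thread.
CONFIGURED = json.loads("""
{"statusAndThresholdConfig": {
  "statusColumn": "customproperty24",
  "activeStatus": ["pending", "Pending", "active", "Active", "66048"],
  "deleteLinks": false, "accountThresholdValue": 100000,
  "correlateInactiveAccounts": true, "inactivateAccountsNotInFile": false,
  "deleteAccEntForActiveAccounts": false}}
""")["statusAndThresholdConfig"]

FIELD = re.compile(r"([A-Za-z][\w-]*):(true|false|\d+)(?=[,\]])")

def scalar_fields(line):
    """Return logged key:value pairs whose value is a boolean or an integer."""
    fields = {}
    for key, val in FIELD.findall(line):
        parsed = (val == "true") if val in ("true", "false") else int(val)
        fields.setdefault(key, parsed)  # first occurrence wins
    return fields

def unexpected_link_deletions(fields):
    """Count of links deleted although both delete settings were logged false.
    Assumption: these two settings are the ones expected to prevent deletion."""
    off = not (fields.get("deleteLinks") or fields.get("deleteAccEntForActiveAccounts"))
    return fields.get("Account-Entitlement-Mapping-Deleted", 0) if off else 0

def config_drift(configured, fields):
    """Map setting -> (configured, logged) where the two values differ."""
    return {k: (v, fields[k]) for k, v in configured.items()
            if k in fields and fields[k] != v}

if __name__ == "__main__":
    logged = scalar_fields(LOG_LINE)
    print(unexpected_link_deletions(logged), config_drift(CONFIGURED, logged))
```

On the posted data this reports 4 deleted links with both settings false, and one difference between the posted config and the logged parameters: accountThresholdValue is 100000 in the config and 1000000 in the log.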

NM
Valued Contributor III

@ybharadwaj319 , can you share your connection configuration ss

ybharadwaj319
New Contributor III

Please see below, but let me know if you are looking for something more specific.

ybharadwaj319_0-1721372711126.png

Regards,

Bharadwaj Y.

[This message has been edited by moderator to mask company logo]

NM
Valued Contributor III

Hi @ybharadwaj319, you should change the LDAP_OR_AD field to AD

and configuration below that as well if you can share...

sonamchikorde
New Contributor

We are also facing the same issue. @ybharadwaj319, did you get any resolution for this issue?

@sonamchikorde not yet. I have also created a ticket with Saviynt for the same, but we have made no progress yet.

Did you validate in v24.7?


Regards,
Rushikesh Vartak

We do not have our environment upgraded to v24.7.

But do you see this as an issue with the other environments?

Is there any documentation that would help?

Regards,

Bharadwaj Y.

Just to cross-check that it's not a version issue, validate in the latest version.

Regards,
Rushikesh Vartak

sonamchikorde
New Contributor

We validated in v24.7, issue still exists.

It was working before?


Regards,
Rushikesh Vartak

No, it was not working before either.