LDAP Entitlement Account Import Mapping

tpolin
New Contributor

We have an issue importing entitlements using groupImportMapping for an LDAP endpoint type (we are connecting to RedHat 11). At this point, provisioning groups and memberships work, but the Saviynt reconciliation (import) only brings back entitlements without the members.

This is our current groupImportMapping content, thanks to the various forum postings:

{
  "entitlementTypeName": "memberOf",
  "performGroupAccountLinking": "true",
  "importGroupHierarchy": "true",
  "incrementalTimeField": "",
  "groupObjectClass": "(objectClass=groupOfUniqueNames)",
  "groupAccountMappingAttributeName": "uniqueMember",
  "mapping": "customProperty1:owner_char,memberHash:uniqueMember_char,customProperty3:entrydn_char,createdate:createTimestamp_date,customProperty4:creatorsName_char,description:description_char,entitlement_glossary:description_char,displayName:cn_char,customProperty5:objectClass_char,customProperty6:entryuuid_char,entitlement_value:entrydn_char,updatedate:modifyTimestamp_date,RECONCILATION_FIELD:entitlement_value"
}

  1. In all documentation that we've seen, in the mapping subsection, the memberHash is always listed as "memberHash:member_char", which is not valid for an LDAP target, which is why we changed it to "memberHash:uniqueMember_char" (in AD the attribute is "member", but in RedHat, it's "uniqueMember"). Could you explain the purpose of this mapping? Just seems to return a number. Is it needed? And what should it be in our case for RedHat?
  2. The entitlements themselves are reconciled fine into Saviynt with an Active status, which is a good sign, but what mapping are we missing to bring the memberships back into the entitlement's "Accounts" tab? Note that when we add a mapping along the lines of "customProperty6:uniqueMember_char", we get a CSV list of the members (RedHat People DN formats), which confirms there are members and Saviynt can access them. But how do we get them to show up in that Accounts tab?

Thanks!


SumathiSomala
Regular Contributor III

@tpolin Could you please refer to the troubleshooting guide below:

Troubleshooting (saviyntcloud.com)

Also share the ACCOUNT_ATTRIBUTE mapping.

Also, could you please confirm the entitlement type name in the groupImportMapping JSON:

"entitlementTypeName":"memberOf",

If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
Regards,
Sumathi Somala

tpolin
New Contributor

Thanks. I checked the troubleshooting page, made essentially no changes other than case to the ACCOUNT_ATTRIBUTE content, and reran the recon job, but it still pulled in no accounts. This is the ACCOUNT_ATTRIBUTE:

[
ACCOUNTCLASS::objectClass#String,
ACCOUNTID::entrydn#String,
DESCRIPTION::xxxxxFullLegalName#String,
customproperty1::xxxxxAlternativeContactId#String,
customproperty2::xxxxxPrimaryBuildingDesc#String,
customproperty3::xxxxxHrCenterCode#String,
customproperty4::cn#String,
customproperty5::xxxxxInfosecStatus#String,
customproperty6::xxxxxDepartmentName#String,
customproperty7::departmentNumber#String,
customproperty8::xxxxxManagerId#String,
customproperty9::xxxxxDivisionCode#String,
customproperty10::mail#String,
customproperty11::xxxxxEmailAlias#String,
customproperty12::employeeNumber#String,
customproperty13::xxxxxFinCenterCode#String,
customproperty14::givenName#String,
customproperty15::xxxxxJobCategory#String,
customproperty16::xxxxxJobFamilyDescription#String,
customproperty17::xxxxxJobLevel#String,
customproperty18::sn#String,
customproperty19::xxxxxPrimarySiteDescription#String,
customproperty20::xxxxxPayrollDistributionCode#String,
customproperty21::xxxxxManagementLevel#String,
customproperty22::xxxxxMiddleInitial#String,
customproperty23::xxxxxMobileEmail#String,
customproperty24::xxxxxNonEmployeeOrganization#String,
customproperty25::xxxxxOtherLocationDescription#String,
customproperty26::xxxxxPersonType#String,
customproperty27::telephoneNumber#String,
customproperty28::physicalDeliveryOfficeName#String,
customproperty29::xxxxxPrimaryLocationDescription#String,
customproperty30::xxxxxTelephoneNumber-E164#String,
customproperty31::xxxxxTelephoneNumberExt#String,
customproperty32::xxxxxResponsiblePerson#String,
customproperty33::xxxxxSecondaryBuilding#String,
customproperty34::xxxxxSecondaryLocationDescription#String,
customproperty35::xxxxxSecondaryTelephoneNumber#String,
customproperty36::xxxxxPersonStatus#String,
customproperty37::xxxxxSecondaryRoom#String,
customproperty38::xxxxxSecondarySiteCode#String,
customproperty39::xxxxxSecretaryId#String,
customproperty41::xxxxxCurrentHireDate#String,
customproperty42::xxxxxSuperDivision#String,
customproperty43::xxxxxTeleWorker#String,
customproperty44::xxxxxLevelOfEffortDescription#String,
customproperty45::entryUUID#String,
DISPLAYNAME::xxxxxPhoneBookDisplayName#String,
NAME::uid#String,
STATUS::xxxxxPersonStatus#String,
UPDATEDATE::modifyTimestamp#date,
CREATED_ON::createTimestamp#date,
RECONCILATION_FIELD::customproperty45
]

Screenshots from the Entitlement Type page:

tpolin_0-1696421301236.png

And its View Details page:

tpolin_1-1696421406715.png

Regarding the trim() suggestion from the troubleshooting guide, not sure it applies to us, but not sure where I would add the ".trim()" suffix. Could you please clarify?

Thanks, Tessa

SumathiSomala
Regular Contributor III

@tpolin Could you please try the possibilities below in the ACCOUNT_ATTRIBUTE mapping and run the import jobs:

ACCOUNTID::distinguishedName#String,
ACCOUNTID::nameinnamespace#String,
ACCOUNTID::dn#String

and the RECONCILATION_FIELD must be unique during import.

Regards,
Sumathi Somala

The following ACCOUNT_ATTRIBUTE mapping does not work. It produces no resulting Account ID:

  • ACCOUNTID::distinguishedName#String,
  • ACCOUNTID::dn#String

The following mapping does pull back the corresponding Account ID at the RedHat Person level, but still no Accounts are listed in the Accounts tab of the entitlement.

  • ACCOUNTID::nameinnamespace#String,
  • ACCOUNTID::entrydn#String (the original setting we had)

The RECONCILIATION_FIELD is unique; it's the unique RedHat entryUUID.

Any other suggestions?

Thanks, Tessa

SumathiSomala
Regular Contributor III

@tpolin 

Keep the ACCOUNTID mapping below in ACCOUNT_ATTRIBUTE and use the groupImportMapping JSON below.
Run the Account import job first and then run the Access (entitlement) import job.

ACCOUNTID::nameinnamespace#String,

{
  "entitlementTypeName": "memberOf",
  "performGroupAccountLinking": "true",
  "importGroupHierarchy": "true",
  "incrementalTimeField": "",
  "groupObjectClass": "(objectClass=groupOfUniqueNames)",
  "groupAccountMappingAttributeName": "uniqueMember",
  "mapping": "customProperty1:owner_char,memberHash:uniqueMember_char,customProperty3:entrydn_char,createdate:createTimestamp_date,customProperty4:creatorsName_char,description:description_char,entitlement_glossary:description_char,displayName:cn_char,customProperty5:objectClass_char,customProperty6:entryuuid_char,entitlement_value:nameinnamespace_char,updatedate:modifyTimestamp_date,RECONCILATION_FIELD:entitlement_value"
}

Regards,
Sumathi Somala

I made the 2 mapping changes you requested, and ran the 2 jobs in the given order (Import Type=Accounts, then Import Type=Access), but it still failed to list the members in the Accounts tab.

  1. Is there anything I can search for in the logs to help identify why the accounts are not returned?
  2. We know that Saviynt can locate the uniqueMember rows since I can return them in a customProperty attribute as a CSV list when I specifically map them, so it's probably not a sequence-of-jobs issue. Wondering if there is any portion of the code that is assuming the "member" attribute name as opposed to the custom label "uniqueMember"? That's the real difference from our AD connector that works and returns Accounts properly.

Thanks!
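An added example (not from the thread and not Saviynt's code) that parses the two mapping formats posted above, flags a memberHash source that disagrees with groupAccountMappingAttributeName or an ACCOUNTID that is not DN-valued, and resolves group member DNs to accounts with and without the trim/case normalisation the troubleshooting guide's trim() hint points at. It assumes, without confirmation from the thread, that group-account linking works by matching the member attribute's DN values against ACCOUNTID; the sample config and entries are constructed.

```python
import re

# Constructed samples modelled on the thread's groupImportMapping and ACCOUNT_ATTRIBUTE.
GROUP_IMPORT_MAPPING = {
    "groupAccountMappingAttributeName": "uniqueMember",
    "mapping": "memberHash:uniqueMember_char,displayName:cn_char,"
               "entitlement_value:entrydn_char,RECONCILATION_FIELD:entitlement_value"}
ACCOUNT_ATTRIBUTE = ["ACCOUNTID::entrydn#String", "NAME::uid#String"]
DN_ATTRS = {"entrydn", "nameinnamespace", "dn", "distinguishedname"}  # DN-valued sources

def parse_mapping(mapping):
    """'key:attr_type,...' -> {key: (attr, type)}; type is None without a _char/_date suffix."""
    out = {}
    for item in mapping.split(","):
        key, _, src = item.strip().partition(":")
        m = re.fullmatch(r"(.+)_(char|date)", src)
        out[key] = (m.group(1), m.group(2)) if m else (src, None)
    return out

def parse_account_attribute(lines):
    """'KEY::attr#Type' -> {KEY: (attr, Type)}; Type is None when no #Type is given."""
    pairs = (line.strip().rstrip(",").partition("::") for line in lines)
    return {k: (s.partition("#")[0], s.partition("#")[2] or None) for k, _, s in pairs}

def check_linking_config(group_map, account_attr):
    """Findings (empty = consistent). Assumption, not Saviynt documentation: linking
    compares the DN values of groupAccountMappingAttributeName against ACCOUNTID."""
    findings, m = [], parse_mapping(group_map["mapping"])
    link_attr = group_map["groupAccountMappingAttributeName"]
    if m.get("memberHash", ("",))[0].lower() != link_attr.lower():
        findings.append(f"memberHash source differs from {link_attr}")
    acct = parse_account_attribute(account_attr).get("ACCOUNTID", ("",))[0]
    if acct.lower() not in DN_ATTRS:
        findings.append(f"ACCOUNTID maps to {acct!r}, not a DN; member DNs cannot match it")
    return findings

def norm_dn(dn):
    """Trim the whole value and each RDN, then fold case (the guide's trim() idea)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def link_members(groups, accounts, member_attr="uniqueMember", id_attr="entrydn", strict=False):
    """Resolve member DNs to account ids (strict=True: raw string match, as an exact
    reconciliation would do). Returns ({group: [ids]}, {group: [unresolved DNs]})."""
    key = (lambda s: s) if strict else norm_dn
    index = {key(a[id_attr]): a[id_attr] for a in accounts}
    linked, unresolved = {}, {}
    for g in groups:
        for dn in g.get(member_attr, []):
            hit = index.get(key(dn))
            (linked if hit else unresolved).setdefault(g["cn"], []).append(hit or dn)
    return linked, unresolved
```

Running check_linking_config over the real JSON and ACCOUNT_ATTRIBUTE from the thread, and link_members with strict=True over an export of a group and its member entries, shows whether any member DN fails to match an account ID on whitespace or case alone.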