Click HERE to see how Saviynt Intelligence is transforming the industry. |
10/10/2023 05:19 AM
Hi
While importing groups data from LDAP connector we are getting this error after executing Account import job
Error Adding Entitlements ismemberof | Data truncation: Data too long for column 'ENTITLEMENT_VALUE' at row 1 |
which means ENTITLEMENT_VALUE can not store more than 255 characters. But in some cases entitlements (group dn) length is more than 255 characters. So, Is there any workaround to manage such LDAP groups in Saviynt?
Regards
Gaurav
10/12/2023 03:23 AM
Hi @GauravJain,
Thank you for reaching out to the Saviynt forums. We are currently investigating your inquiry and will provide you with updates as soon as possible.
10/12/2023 04:00 AM
Hi @GauravJain,
As system modifications are not supported and workarounds aren't viable, I recommend raising an enhancement ticket with Saviynt to address the issue of LDAP group Distinguished Names exceeding 255 characters. For enhancement requests, please raise it in the ideas portal: https://ideas.saviynt.com/
10/30/2023 04:54 AM
Hi
Thanks for your email. i found an existing idea on this topic so voted for it https://ideas.saviynt.com/ideas/EIC-I-4520.
Another question i have is, whats the behavior of Saviynt for such data where entitlement_value is more than 255 characters? will it truncate (take a substring) and dump it or skip that particular entitlement and process remaining ones?
Regards
Gaurav
11/09/2023 03:28 AM
Hi @GauravJain,
Regarding your question about the behavior of Saviynt when the entitlement_value is more than 255 characters, I found a forum post:-https://forums.saviynt.com/t5/identity-governance/importaccessfull-persistobjects-data-truncation-da...
Please validate and let me know if further details are needed on this.
11/09/2023 07:12 AM
Hi @DixshantValecha Thanks for your revert. In the given forum post, error message is same but I don't think its related to my issue.
As explained, in my case the entitlement_value itself contains more than 255 characters for one entitlement value which i think cant be stored in any other custom property because its request-able and must be present on form for user to choose.
Please correct me if my understanding is incorrect.
Also, please confirm Saviynt's behavior of data dump - it seems Saviynt is not able to dump remaining entitlement values if it finds an entitlement value having more than 255 characters and the whole import process fails. For example, if there are 100 entitlements and Saviynt finds 55th entitlement having more than 255 characters then Saviynt will dump only 54 entitlements and rest will be ignored.
Regards
Gaurav
11/19/2023 09:56 PM
Import will fail if values exceeded 255 characters/ column size in saviynt
11/19/2023 10:43 PM
Hi @rushikeshvartak Yes it is failing but the question is about the failure pattern. will the import job skip that particular entitlement (having more than 255 characters) and process remaining ones or it will fail completely?
12/03/2023 11:33 PM
Hi,
You can use CP1 to CP5 (long text) for your requirement.
You can refer the below mentiond document as well:-
12/04/2023 03:51 AM
Hi @DixshantValecha Thanks for your revert.
Yes, i am going to try this but i have following questions:
1) If i don't populate anything in "entitlement_value" column (as part of import) then how the access request creation and provisioning will work? i guess entitlement type will be there but no entitlement values in endpoint.
2) how do i make these entitlements request-able if populated in CP1. if i need to use dynamic attributes for this then how provisioning will work. Do you see any issue with this approach?
3) If i choose to map LDAP attribute "CN" in "entitlement_value" then it will be available on request creation page as well but not sure if provisioning will work because provisioning requires complete DN of LDAP group.
4) Is it possible to truncate entitlement (like taking a substring where its more than 255 characters) and dump in "entitlement_value"? though this will not help in requesting/provisioning but just wanted to know its feasibility?
Regards
Gaurav
12/06/2023 02:26 AM
Hi @DixshantValecha i have tried the suggestion and following are my findings:
1) Full Account Import job - It pulls all the accounts as per the SEARCHFILTER & OBJECTFILTER configuration in LDAP connector. With accounts, it also pulls entitlements (“ismemberof” attribute in LDAP as configured in connector) associated with those accounts and these entitlements are dumped into “ENTITLEMENT_VALUE” column by default by Saviynt. There is no configuration to change this. Also, accounts import job doesn’t consider the entitlement mapping defined in “groupImportMapping” in LDAP connector.
So, I think the below given suggestion will actually not work. Please let me know in case I am missing something here.
2) Full Access Import job - If we try to map "entitlement_value" with "cn" (LDAP attribute - which is a shorter name for LDAP groups) in "groupImportMapping" then following things will break
Please let me know if you have any further questions. Also, it would be good if you can confirm its feasibility as what we are trying to achieve here is actually feasible in Saviynt or not?
3) Another question is, Does LDAP connector supports incremental access import? i guess the answer is no but i need confirmation from Saviynt as the documentation is little confusing. Full import is supported and i have tested it but incremental is just not working.
Introduction (saviyntcloud.com)
Regards
Gaurav
11/02/2023 04:49 AM
Hi @GauravJain,
Thank you for reaching out to the Saviynt forums. We appreciate your inquiry and would like to inform you that our team is currently reviewing your request. Rest assured, we will diligently assess your query and provide you with updates as soon as they become available. Your patience is greatly appreciated.
11/19/2023 09:10 PM
Hi - Any updates on this please?
11/20/2023 04:06 AM - edited 11/20/2023 04:08 AM
Hi @GauravJain,
I will conduct an internal follow-up on this matter and ensure that you receive timely updates. Your understanding and patience during this process are greatly appreciated. If there are any developments or additional information required, I will promptly communicate the updates to keep you informed.