Saviynt Forums

Hi

Thanks for your email. i found an existing idea on this topic so voted for it https://ideas.saviynt.com/ideas/EIC-I-4520.

Another question i have is, whats the behavior of Saviynt for such data where entitlement_value is more than 255 characters? will it truncate (take a substring) and dump it or skip that particular entitlement and process remaining ones?

Regards

Gaurav

Hi @GauravJain,

Regarding your question about the behavior of Saviynt when the entitlement_value is more than 255 characters, I found a forum post:-https://forums.saviynt.com/t5/identity-governance/importaccessfull-persistobjects-data-truncation-da...

Please validate and let me know if further details are needed on this.

Hi @DixshantValecha Thanks for your revert. In the given forum post, error message is same but I don't think its related to my issue.

As explained, in my case the entitlement_value itself contains more than 255 characters for one entitlement value which i think cant be stored in any other custom property because its request-able and must be present on form for user to choose.

Please correct me if my understanding is incorrect.

Also, please confirm Saviynt's behavior of data dump - it seems Saviynt is not able to dump remaining entitlement values if it finds an entitlement value having more than 255 characters and the whole import process fails. For example, if there are 100 entitlements and Saviynt finds 55th entitlement having more than 255 characters then Saviynt will dump only 54 entitlements and rest will be ignored.

Regards

Gaurav

Import will fail if values exceeded 255 characters/ column size in saviynt 

Hi @rushikeshvartak Yes it is failing but the question is about the failure pattern. will the import job skip that particular entitlement (having more than 255 characters) and process remaining ones or it will fail completely?

Hi,

You can use CP1 to CP5 (long text) for your requirement.

You can refer the below mentiond document as well:-

https://docs.saviyntcloud.com/bundle/SSM-DB-Schema-Reference-v55x/page/Content/Identity-Repository-S...

Hi @DixshantValecha Thanks for your revert.

Yes, i am going to try this but i have following questions:

1) If i don't populate anything in "entitlement_value" column (as part of import) then how the access request creation and provisioning will work? i guess entitlement type will be there but no entitlement values in endpoint.

2) how do i make these entitlements request-able if populated in CP1. if i need to use dynamic attributes for this then how provisioning will work. Do you see any issue with this approach?

3) If i choose to map LDAP attribute "CN" in "entitlement_value" then it will be available on request creation page as well but not sure if provisioning will work because provisioning requires complete DN of LDAP group.

4) Is it possible to truncate entitlement (like taking a substring where its more than 255 characters) and dump in "entitlement_value"? though this will not help in requesting/provisioning but just wanted to know its feasibility?

Regards

Gaurav

Hi @DixshantValecha i have tried the suggestion and following are my findings:

1) Full Account Import job - It pulls all the accounts as per the SEARCHFILTER & OBJECTFILTER configuration in LDAP connector. With accounts, it also pulls entitlements (“ismemberof” attribute in LDAP as configured in connector) associated with those accounts and these entitlements are dumped into “ENTITLEMENT_VALUE” column by default by Saviynt. There is no configuration to change this. Also, accounts import job doesn’t consider the entitlement mapping defined in “groupImportMapping” in LDAP connector.

So, I think the below given suggestion will actually not work. Please let me know in case I am missing something here. 

2) Full Access Import job - If we try to map "entitlement_value" with "cn" (LDAP attribute - which is a shorter name for LDAP groups) in "groupImportMapping" then following things will break

• Group account linking
• Existing access in ARS will not show
• Entitlements will not be present in ARS because of conflict in data dumping between import accounts (dumps "namespace" by default in entitlement value) and access jobs (configured "cn" for entitlement value). So, request creation is not possible.
• Provisioning - Not applicable as request creation is not possible.

Please let me know if you have any further questions. Also, it would be good if you can confirm its  feasibility as what we are trying to achieve here is actually feasible in Saviynt or not?

3) Another question is, Does LDAP connector supports incremental access import? i guess the answer is no but i need confirmation from Saviynt as the documentation is little confusing. Full import is supported and i have tested it but incremental is just not working.

Introduction (saviyntcloud.com)

Regards

Gaurav

Hi - Any updates on this please?