03/13/2024 10:26 PM
Hi Guys,
While setting up user import from LDAP in the Saviynt stage environment, I found RECONCILIATION FIELD mapping at two different places, so I wanted to understand how they are linked and what happens if we ignore the config at one place.
First place is inside the LDAP connector: we have to map RECONCILATION_FIELD under USER_ATTRIBUTE. I am using the LDAP attribute "entryUUID" here.
Second place is inside the Job Control Panel: when we create a trigger for user import we should select a field in the "Reconciliation Field" dropdown (which by default uses "username"), but I am not selecting any value and going with the default value.
So how will this configuration behave, and what would be the impact on user data, if any?
Regards
Gaurav
03/13/2024 10:34 PM
LDAP Connector Configuration:
Job Control Panel Configuration:
03/13/2024 11:37 PM
Thanks @rushikeshvartak. So, does that mean we should have the same field configured at both places? And if that's not done, then Saviynt will create duplicate records for the same user?
Second thought: is the connector configuration used to reconcile data with the Users table in Saviynt, and the job configuration used to reconcile data with some temp table or cache? If that's the case then Saviynt will not create duplicate entries in the users table. Is that the correct understanding?
Third, I have configured customproperty37=entryUUID in the connector, so can I use "customproperty37" in the job configuration?
03/14/2024 09:48 PM
Ideally username is considered as the primary attribute for recon.
03/17/2024 09:22 PM
Thanks @rushikeshvartak. Not sure why the documentation is referring to other attributes like "objectGUID / entryUUID": Understanding the Integration Between EIC and LDAP Interfaces (saviyntcloud.com)
Now that I have already imported data using "entryUUID", changing this to "username" will create duplicate records, so is there any way we can delete the existing user data and try fresh?
03/17/2024 09:57 PM
You can't delete any users' data.
03/17/2024 10:02 PM
Do you mean no one can do this? Or can the support team help us do this?
If that's the case then Saviynt documentation has to be perfect by including all such important pointers.
If the above is not feasible, can we mark all the existing users as Inactive in bulk?
Regards
Gaurav
03/18/2024 03:20 AM
Hi @rushikeshvartak can you please confirm on my query?
03/18/2024 06:41 AM
Using the import sheet you can mark users inactive in bulk. The support team also will not be able to delete users.
03/19/2024 08:21 PM
Thanks @rushikeshvartak for the suggestion. I gave it a try and it worked when I did it just for one user.
Later, I increased the count of users in the CSV file to ~2600 and on the UI I got this error "504 Bad Gateway", but actually the records were processed by Saviynt in the backend.
So, is there any limitation to this functionality? Why is the UI showing a 504 error for such a small count of user updates?
03/19/2024 08:34 PM
5 minutes is ideal timeout but records get processed in background
03/19/2024 10:58 PM
OK. I could see the HTTP session timeout in Global config, which is 30 minutes, but didn't find anything related to a 5-minute timeout. Where can I find this config?
One more question: after our discussion I changed the recon mapping in USER_ATTRIBUTES to "RECONCILATION_FIELD::username" (earlier it was RECONCILATION_FIELD::CUSTOMPROPERTY37 where CUSTOMPROPERTY37::entryUUID#String). A few minutes back I executed the LDAP full user import job but it didn't create duplicate records. I am not able to understand this behavior. Please help.
03/26/2024 05:49 AM - last edited on 03/26/2024 07:33 AM by Sunil
Hi @rushikeshvartak, can you please throw some light on the above queries?
Another query: we are using one of the LDAP attributes to identify user status, and that attribute's value is either 0 or 1. But for many users that attribute doesn't exist in LDAP (which also means that those are disabled users in LDAP), and such users show a hyphen ("-") in the Status column in Saviynt. Is there a way we can mark such users as Inactive?
Regards
Gaurav
[This post has been edited by a Moderator. We discourage the @ mention of other forum users or employees unless they have already involved themselves on the forum post.]
03/26/2024 05:53 AM
Use STATUSKEYJSON
03/26/2024 05:59 AM
Hi @rushikeshvartak, I was using it earlier but I am not sure how to catch such users' status. I have tried to define all possible values but it still shows a hyphen in status.
STATUSKEYJSON =
{
  "STATUS_ACTIVE": [
    "1"
  ],
  "STATUS_INACTIVE": [
    "0",
    "INACTIVE",
    "false",
    "",
    "null"
  ]
}
03/26/2024 08:50 PM
What is the DB value of statuskey?
select distinct statuskey from users
03/27/2024 01:45 AM
03/27/2024 08:52 PM
Did you try using #CONST in the import JSON?
03/27/2024 10:16 PM
Do you mean inside the USER_ATTRIBUTE config? Can you please share an example of how and where I can use #CONST in the import user JSON to achieve my use case? I neither see any such example in the documentation, nor does it say we can use any expressions in USER_ATTRIBUTE.
Regards
Gaurav
03/28/2024 07:17 AM
Ignore, it's not supported in LDAP.
03/29/2024 04:53 AM
1) But it's clearly mentioned in the LDAP connector documentation: Understanding the Integration Between EIC and LDAP Interfaces (saviyntcloud.com). How does one know if it's not supported?
2) Need your help on this: if we have enabled SSO for Saviynt login and all the existing users become "inactive" by mistake, then what's the workaround to log in and update user status?
03/29/2024 10:05 AM
#1 Provide feedback on documentation
#2 Raise support ticket / reach out csm for account
05/24/2024 03:35 AM
@GauravJain
We have verified and the STATUSKEYJSON configuration is supported for the LDAP connector. The LDAP connector documentation does not need an update.
05/24/2024 04:14 AM
Hi @JayashreeL, it's not supported for user import. Maybe it's only applicable for Accounts import. Please double check this and confirm.