
mapping entitlements from LDAP did not work

Roua
Regular Contributor III

We are currently facing an issue with mapping entitlements from LDAP.
Our target system has two cases for entitlements:

  • Entitlements with ou=idmsync
  • Entitlements with ou=users
When we used OU=users,O=example in the BASE field of the LDAP connector, the connection to accounts and data consistently failed.

To troubleshoot, we applied the following approach by assigning an object filter to specific accounts to narrow down the testing:

(&(objectClass=Person)(|(uid=example123)(uid=example345)(uid=example765)))

We also specified the entitlement by setting the field groupSearchBaseDN to:

gid=example,ou=xx,ou=groups,o=zz


With this configuration, these accounts were successfully assigned to the entitlement.
However, the mapping of the entitlement attributes did not work. More importantly, I have a question regarding the handling of account statuses in Saviynt:

When an account status is not set to 0 or 1 in LDAP (target system), it seems that Saviynt either deactivates these accounts immediately or does not map them at all. How are such cases handled in Saviynt?

Additionally, any suggestions on dealing with ou=idmsync and ou=users? Should I leave the BASE as O=example without adding the OU?

Thank you in advance for your assistance.


rushikeshvartak
All-Star
  • Share logs
  • For status, use the status threshold configs

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor III

Hello @rushikeshvartak ,

The issue with mapping the entitlement attributes was resolved, but the issue with the accounts is still there.
Here is my STATUS_THRESHOLD_CONFIG:

{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty32",
    "activeStatus": ["1", "TRUE"],
    "inactiveStatus": ["0", "FALSE"],
    "deleteLinks": false,
    "accountThresholdValue": 5000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}

Are you bringing status to cp32?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua
Regular Contributor III

From what I just found out, my colleague already mapped it to the following:
in ACCOUNT_ATTRIBUTE:
STATUS::activeEntry#String,
and
CUSTOMPROPERTY12::HCMStatus#String,

cp32 is mapped to:
CUSTOMPROPERTY32::activeEntry#String,

NM
Esteemed Contributor

Hi @Roua , ideally each and every account should be having a status whether inactive or active.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

Roua
Regular Contributor III

Hi,
When I checked the target system data, I found some accounts that have no status assigned.

Roua
Regular Contributor III

Mapping the entitlement attributes didn't work again when I tried to run a full import (not focused on a specific group), with the following logs:

[two log screenshots attached to the post]

Please, if you have an idea, let me know!

Fix the missing status in the target and try again.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
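A pre-import data-quality check, added here as an example and not code from the thread or from Saviynt: it reads the statusAndThresholdConfig quoted above and buckets constructed sample directory entries by the status that config would give them, listing the entries whose activeEntry value is missing or outside both lists, which is what this reply says to fix in the target. The exact case-sensitive string match and the entry layout are assumptions.

```python
import json

# statusAndThresholdConfig exactly as quoted earlier in the thread
STATUS_THRESHOLD_CONFIG = json.loads("""{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty32",
    "activeStatus": ["1", "TRUE"],
    "inactiveStatus": ["0", "FALSE"],
    "deleteLinks": false,
    "accountThresholdValue": 5000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}""")

# Constructed sample entries standing in for LDAP search results (not real data).
# "activeEntry" is the attribute the thread maps to customproperty32 and status.
SAMPLE_ENTRIES = [
    {"entryDN": "uid=example123,ou=users,o=example", "activeEntry": "1"},
    {"entryDN": "uid=example345,ou=users,o=example", "activeEntry": "FALSE"},
    {"entryDN": "uid=example765,ou=users,o=example"},  # status attribute absent
    {"entryDN": "uid=example999,ou=idmsync,o=example", "activeEntry": "pending"},
]


def classify_status(value, cfg=STATUS_THRESHOLD_CONFIG):
    """Map one raw status value to 'active', 'inactive' or 'unmapped'.
    Assumption: an exact, case-sensitive match against the configured lists."""
    sac = cfg["statusAndThresholdConfig"]
    if value is None:
        return "unmapped"
    if str(value) in sac["activeStatus"]:
        return "active"
    if str(value) in sac["inactiveStatus"]:
        return "inactive"
    return "unmapped"


def audit_statuses(entries, status_attr="activeEntry", cfg=STATUS_THRESHOLD_CONFIG):
    """Bucket entries by the status the config would assign, so the ones with a
    missing or unknown value can be corrected in the target before the import."""
    buckets = {"active": [], "inactive": [], "unmapped": []}
    for entry in entries:
        buckets[classify_status(entry.get(status_attr), cfg)].append(entry["entryDN"])
    return buckets
```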

Roua
Regular Contributor III

Okay, thank you! But what about the fact that the entitlement attribute is not actually mapped when I run it? (The status is there.)
I tried to run it for one, and it worked; then I tried to run it for all the entitlements under users, and it didn't work.
So we tried to run it again for only one test entitlement, and it still didn't work.

What could be the issue?
The groupmapping I am using is the following:

{
  "entitlementTypeName": "isMemberOf",
  "groupAccountMappingAttributeName": "member",
  "performGroupAccountLinking": "true",
  "incrementalTimeField": "modifytimestamp",
  "groupObjectClass": "(&(gid=xxxxxxx)(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)))",
  "mapping": "entitlement_value:entryDN_char,entitlementid:entryUUID_char,entitlement_glossary:description_char,displayName:cn_char,description:description_char,customProperty1:creatorsName_char,customProperty2:entryUUID_char,customProperty3:entryUUID_char,customProperty4:cn_char,customProperty5:entryDN_char,RECONCILATION_FIELD:entitlementid",
  "tableFieldAttribute": "accountID",
  "entitlementOwnerAttribute": "owner"
}
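A structural check for the filter strings that go into the object filter and groupObjectClass fields, added here as an example and not code from the thread or from Saviynt: it parses an RFC 4515 filter the way an LDAP server does, reporting the offset of an unbalanced or misplaced parenthesis instead of a silent empty search result. It is run over the question's object filter, the groupObjectClass from the samples below, and a constructed copy with one stray leading parenthesis (not a filter from the thread).

```python
def parse_filter(s, pos=0):
    """Parse one RFC 4515 filter starting at s[pos]; return (node, next_pos).
    Nodes are ('&'|'|'|'!', [children]) or ('=', attribute, value).
    Raises ValueError naming the offset of the first defect."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(s) and s[pos] in "&|!":
        op = s[pos]
        pos += 1
        kids = []
        while pos < len(s) and s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        if op == "!" and len(kids) != 1:
            raise ValueError(f"'!' ending at offset {pos} must wrap exactly one filter")
        node = (op, kids)
    else:
        end = s.find(")", pos)
        if end < 0:
            raise ValueError(f"unterminated item at offset {pos}")
        item = s[pos:end]
        if "(" in item:
            raise ValueError(f"'(' at offset {pos} is not preceded by &, | or !")
        if "=" not in item:
            raise ValueError(f"item {item!r} at offset {pos} has no comparison")
        attr, _, value = item.partition("=")
        node = ("=", attr, value)
        pos = end
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def check_ldap_filter(s):
    """Return (ok, detail) for a whole filter string."""
    try:
        _, end = parse_filter(s)
    except ValueError as exc:
        return False, str(exc)
    if end != len(s):
        return False, f"unexpected text after offset {end}"
    return True, "well-formed"


# Filters from the thread plus one constructed copy with a stray leading "(".
FILTERS = {
    "object filter": "(&(objectClass=Person)(|(uid=example123)(uid=example345)(uid=example765)))",
    "sample groupObjectClass": "(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))",
    "stray paren": "((&(gid=12345)(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)))",
}
```

`check_ldap_filter(FILTERS["stray paren"])` returns `(False, ...)` with the offset of the unmatched parenthesis, while the two filters taken from the thread parse cleanly.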

Samples

groupImportMapping

{
  "entitlementTypeName": "isMemberOf",
  "performGroupAccountLinking": "true",
  "importnestedmembershipoutofscope": "true",
  "incrementalTimeField": "modifyTimestamp",
  "groupObjectClass": "(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))",
  "importGroupHierarchy": "true",
  "mapping": "memberHash:uniquemember_char,displayName:displayName_char,entitlement_value:entryDN_char,customproperty1:cn_char,description:cn_char,customproperty2:entryUUID_char,lastscandate:modifyTimestamp_customDate--yyyyMMddHHmmss,updatedate:modifyTimestamp_customDate--yyyyMMddHHmmss,createdate:createTimestamp_customDate--yyyyMMddHHmmss,description:description_char,entitlement_glossary:description_char,RECONCILATION_FIELD:entitlement_value",
  "tableFieldAttribute": "accountID",
  "entitlementOwnerAttribute": "owner"
}

ACCOUNT_ATTRIBUTE

[ACCOUNTID::entryDN#String,NAME::cn#String, DISPLAYNAME::displayName#String, CUSTOMPROPERTY1::employeeNumber#String, CUSTOMPROPERTY2::givenName#String, CUSTOMPROPERTY3::sn#String, CUSTOMPROPERTY4::mobile#String, CUSTOMPROPERTY5::mail#String, CUSTOMPROPERTY6::employeeType#String,CUSTOMPROPERTY7::c#String,CUSTOMPROPERTY8::uid#String,CUSTOMPROPERTY9::entryUUID#String, CUSTOMPROPERTY10::ou#String,
customproperty13::title#String,customproperty15::middleName#String, customproperty16::telephoneNumber#String, customproperty17::personalTitle#String, customproperty18::physicalDeliveryOfficeName#String,
customproperty40::fullWinLogin#String,
customproperty25::departmentNumber#String,customproperty26::personalTitle2#String, customproperty29::title2#String,customproperty31::objectCategory#String,customproperty32::activeEntry#String,customproperty34::st#String,status::activeEntry#String, RECONCILATION_FIELD::CUSTOMPROPERTY9]


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.