08/06/2024 08:15 AM
We are currently facing an issue with mapping entitlements from LDAP.
Our target system has two cases for entitlements:
Entitlements with: ou=idmsync
Entitlements with: ou=users
When we used OU=users,O=example in the BASE field of the LDAP connector, the connection to accounts and data consistently failed.
To troubleshoot, we applied the following approach by assigning an object filter to specific accounts to narrow down the testing:
(&(objectClass=Person)(|(uid=example123)(uid=example345)(uid=example765)))
We also specified the entitlement by setting the field groupSearchBaseDN to:
gid=example,ou=xx,ou=groups,o=zz
With this configuration, these accounts were successfully assigned to the entitlement.
However, the mapping of the entitlement attributes did not work. More importantly, I have a question regarding the handling of account statuses in Saviynt:
When an account status is not set to 0 or 1 in LDAP (target system), it seems that Saviynt either deactivates these accounts immediately or does not map them at all. How are such cases handled in Saviynt?
Additionally, any suggestions on dealing with ou=idmsync and ou=users? Should I leave the BASE as O=example without adding the OU?
Thank you in advance for your assistance.
08/06/2024 10:17 AM
08/07/2024 02:08 AM
Hello @rushikeshvartak,
The issue with mapping the entitlement attributes was resolved, but the issue with the account is still there.
Here is my STATUS_THRESHOLD_CONFIG:
{
  "statusAndThresholdConfig": {
    "statusColumn": "customproperty32",
    "activeStatus": ["1", "TRUE"],
    "inactiveStatus": ["0", "FALSE"],
    "deleteLinks": false,
    "accountThresholdValue": 5000,
    "correlateInactiveAccounts": true,
    "inactivateAccountsNotInFile": false
  }
}
08/07/2024 05:03 AM
Are you bringing status to cp32?
08/07/2024 06:10 AM
From what I just found out, my colleague already mapped it to the following:
in ACCOUNT_ATTRIBUTE:
STATUS::activeEntry#String,
and
CUSTOMPROPERTY12::HCMStatus#String,
cp32 is mapped to:
CUSTOMPROPERTY32::activeEntry#String,
08/07/2024 03:08 AM
Hi @Roua, ideally each and every account should have a status, whether inactive or active.
08/07/2024 06:11 AM
Hi,
When I checked the target system data, I found some that have no status assigned.
08/07/2024 06:13 AM
Mapping the entitlement attributes didn't work again when I tried to make a full import ("not focused on a specific group"),
with the following logs:
Please let me know if you have an idea!
08/07/2024 06:31 PM
fix missing status in target and try
08/09/2024 06:16 AM
Okay, thank you! But what about the fact that the entitlement attribute is not actually mapped when I run it? (Status is there.)
I tried to run it for one and it worked; then I tried to run it for all the entitlements under user and it didn't work.
So we tried to run it again for only one test entitlement, and it still didn't work.
What could be the issue?
The groupmapping I am using is the following:
{
  "entitlementTypeName": "isMemberOf",
  "groupAccountMappingAttributeName": "member",
  "performGroupAccountLinking": "true",
  "incrementalTimeField": "modifytimestamp",
  "groupObjectClass": "((&(gid=xxxxxxx)(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)))",
  "mapping": "entitlement_value:entryDN_char,entitlementid:entryUUID_char,entitlement_glossary:description_char,displayName:cn_char,description:description_char,customProperty1:creatorsName_char,customProperty2:entryUUID_char,customProperty3:entryUUID_char,customProperty4:cn_char,customProperty5:entryDN_char,RECONCILATION_FIELD:entitlementid",
  "tableFieldAttribute": "accountID",
  "entitlementOwnerAttribute": "owner"
}
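An added example, not part of the thread and not Saviynt code: a structural check for LDAP search filters, run over the filters quoted in this thread. It checks nesting only (the RFC 4515 shape) and uses hypothetical function names; it rejects the groupObjectClass value posted above because of its extra opening parenthesis, and the thread does not say how the connector treats such a value.

```python
# Added example: structural check for LDAP search filters (RFC 4515 nesting only).
# Attribute names and value escaping are not validated. All names are hypothetical.

def parse_filter(s, i=0):
    """Parse one parenthesised filter at s[i]; return (tree, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}' at offset {i}")
        node = (op, children)
    else:
        end = i
        while end < len(s) and s[end] not in "()":
            end += 1
        item = s[i:end]
        if "=" not in item or item.startswith("="):
            raise ValueError(f"expected attr=value at offset {i}")
        node, i = item, end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def check_filter(s):
    """Return (True, tree) for exactly one well-formed filter, else (False, reason)."""
    s = s.strip()
    try:
        tree, end = parse_filter(s)
        if end != len(s):
            raise ValueError(f"trailing text at offset {end}")
        return True, tree
    except ValueError as exc:
        return False, str(exc)

# Filters copied from this thread.
ACCOUNT_FILTER = "(&(objectClass=Person)(|(uid=example123)(uid=example345)(uid=example765)))"
POSTED_GROUP_FILTER = "((&(gid=xxxxxxx)(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)))"
SAMPLE_GROUP_FILTER = "(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))"

if __name__ == "__main__":
    for name in ("ACCOUNT_FILTER", "POSTED_GROUP_FILTER", "SAMPLE_GROUP_FILTER"):
        print(name, check_filter(globals()[name]))
```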
08/09/2024 06:20 AM
Samples
groupImportMapping
{
  "entitlementTypeName": "isMemberOf",
  "performGroupAccountLinking": "true",
  "importnestedmembershipoutofscope": "true",
  "incrementalTimeField": "modifyTimestamp",
  "groupObjectClass": "(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))",
  "importGroupHierarchy": "true",
  "mapping": "memberHash:uniquemember_char,displayName:displayName_char,entitlement_value:entryDN_char,customproperty1:cn_char,description:cn_char,customproperty2:entryUUID_char,lastscandate:modifyTimestamp_customDate--yyyyMMddHHmmss,updatedate:modifyTimestamp_customDate--yyyyMMddHHmmss,createdate:createTimestamp_customDate--yyyyMMddHHmmss,description:description_char,entitlement_glossary:description_char,RECONCILATION_FIELD:entitlement_value",
  "tableFieldAttribute": "accountID",
  "entitlementOwnerAttribute": "owner"
}
ACCOUNT_ATTRIBUTE
[ACCOUNTID::entryDN#String,NAME::cn#String, DISPLAYNAME::displayName#String, CUSTOMPROPERTY1::employeeNumber#String, CUSTOMPROPERTY2::givenName#String, CUSTOMPROPERTY3::sn#String, CUSTOMPROPERTY4::mobile#String, CUSTOMPROPERTY5::mail#String, CUSTOMPROPERTY6::employeeType#String,CUSTOMPROPERTY7::c#String,CUSTOMPROPERTY8::uid#String,CUSTOMPROPERTY9::entryUUID#String, CUSTOMPROPERTY10::ou#String,
customproperty13::title#String,customproperty15::middleName#String, customproperty16::telephoneNumber#String, customproperty17::personalTitle#String, customproperty18::physicalDeliveryOfficeName#String,
customproperty40::fullWinLogin#String,
customproperty25::departmentNumber#String,customproperty26::personalTitle2#String, customproperty29::title2#String,customproperty31::objectCategory#String,customproperty32::activeEntry#String,customproperty34::st#String,status::activeEntry#String, RECONCILATION_FIELD::CUSTOMPROPERTY9]