Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

mapping of managedBy to entitlement owner != OOB certifier

Kerasit
New Contributor III
New Contributor III

‎11/04/2022 03:11 AM

Hi.

When using the AD connector groupImport key value pair: 

customproperty2:managedBy_char",
"entitlementOwnerAttribute":"managedBy","tableFieldAttribute":"accountID"

  1. I would expect it to set the Owner property of the entitlement=the Identity correlated to the account DN in managedBy AD attribute.
  2. I would expect then that executing entitlement owner certification campaign - without customization - would correctly then generate certifier tasks for each and everyone who is entitlement owner.

I do not see the owner property being set.

I do not get certifiers=those entitlement owners set in Owner (I manually configured a few as Rank 1, as Rank 1 is the rank they are set with using above documented setting). To make the entitlement owner certification work without the need for making a customized certification campaign, it needs to be an Owner of rank "Primary certifier" (or rank 26 in nummeric).

This is somewhat stupid, and I think we are either doing something wrong, or there is an unknown extra key value pair, not documented, for setting the rank during import aswell.

Labels:
0 Kudos
9 REPLIES 9

rushikeshvartak
All-Star
All-Star

‎11/07/2022 06:28 PM

You need to use saviynt 4 saviynt to map owners. use table account_entitlements_privilege with attribute_value as Owner

 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Kerasit
New Contributor III
New Contributor III
In response to rushikeshvartak

‎11/07/2022 11:19 PM

THat makes sense as a solution to my goal, however I am interested in the Out of the box solution for this, now that the out of the box mapping of ownership exists.

There is:

  1. An OOB feature for importing entitlement ownership from AD and assigning ownership to Identities.
  2. An OOB Entitlement Owner certification type for creating certification campaigns.

If those two above is NOT able to be used together without the need for a customized Sav2Sav DB connector, then why even bother having the OOB mapping feature to entitlement owner? After all the entitlement owner is NOT the target of Certifier in the "Entitlement Owner Certification". Either the logic is wrongly implemented, or the certification type (Entitlement Owner) is wrongly named and the koncept not really working. Which of the OOB features are faulty? The Import of entitlement owners or the Entitlement Owner certification Type?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Kerasit

‎11/08/2022 11:46 AM

This is known defect of saviynt. Please raise saviynt ticket to get working in your environment 🙂


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Kerasit
New Contributor III
New Contributor III
In response to rushikeshvartak

‎11/10/2022 12:34 AM

I did, and was asked to bring it as a question for forum. Saviynt does not acknowledge this a defect in support tickets, so I am now asking again. How to fix this?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to Kerasit

‎11/10/2022 11:42 PM

Use saviynt entitlement owner import and write internal saviynt database query to fetch owner from account entitlement privileges table and run after ad import job. I am using this workaround and working as expected 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Kerasit
New Contributor III
New Contributor III
In response to rushikeshvartak

‎11/11/2022 12:03 AM

Thank you. Got any example? I am new to Saviynt, but enough of a nerd that I can get things working, if I have something to work with.

0 Kudos

Mike_Kirby
Saviynt Employee
Saviynt Employee
In response to rushikeshvartak

‎11/15/2022 07:11 AM

Hi Rushikeshvartak,

Can you please share the defect number please to allow me to check and validate.

Thanks, Mike

Mike Kirby
EMEA Technical Account Manager

rushikeshvartak
All-Star
All-Star
In response to Mike_Kirby

‎11/17/2022 08:51 PM

https://saviynt.freshdesk.com/support/tickets/1561753


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

Kerasit
New Contributor III
New Contributor III

‎11/14/2022 01:04 AM

Using CSV bulk file upload for doing this, shows interesting results.

  1. To many records and the service dies. It litterally times in the GUI and I recieves an error 503. Reloading the page, and it seems all is good. However the upload has completely failed, and no records has been updated (no entitlements updated). Doing this in chunks works.
  2. Not all Entitlements where correctly updated, but making a rather complex Powershell script to make a csv file with only the discrepencies, worked.
  3. Uploading a new CSV file with only a "few" entitlements pointing to a new Primary Certifier, does not change Primary Certifier, but instead adds a new so there is now two.

The only good and solid way I have found to re-assign ownership of entitlements are through a certification campaign as the CSV method is not working as expected. How can I REMOVE an entitlement owner through a CSV bulk file?

I have tried making a rule in the product which could do this, however no rules can trigger on Entitlement updates with an action to change attribute values. On top of that I cannot find the correct entitlements through the out of the box policy "Entitlement Update Rule". In fact I have found no way to use that type of policy for setting up rules for entitlements which makes sense......

0 Kudos
Copyright © 2024 Khoros, LLC