Saviynt Forums

Robbe_Cronos · ‎04/24/2023

Hello,

We have managed to import both accounts and entitlements using our OpenLDAP connector. However, when we look at the entitlements/accounts, no GroupAccountLinking has happened, even though this value is set to true in the groupImportMapping. We don't have any hierarchy in the groups so this is set to false. Is there anything we are missing to link the accounts to the groups?

{
"importGroupHierarchy": "false",
"entitlementTypeName": "",
"performGroupAccountLinking": "true",
"groupObjectClass": "(objectclass=groupOfNames)",
"mapping": "memberHash:member_char,customproperty12:entrydn_char,customproperty13:cn_char,entitlement_glossary:description_char,description:description_char,displayname:cn_char,entitlement_value:entrydn_char,entitlementid:entrydn_char,customproperty14:objectClass_char,RECONCILATION_FIELD:customproperty12"
}

sudeshjaiswal · ‎04/24/2023

Hello @Robbe_Cronos,

The cause of this issue could be that in the LDAP application, the "member" attribute value of the group schema contains the distinguishedName (DN) of the account, but the ACCOUNTID is not mapped with the account DN in the ACCOUNT_ATTRIBUTE parameter.

To resolve this issue, map the ACCOUNTID attribute with the distinguishedName of the account (as specified in the LDAP application). This will ensure that the ACCOUNTID matches with member attribute values in the target application. For example, you can use the mapping ACCOUNTID::entryDN#String.

Ref:- https://docs.saviyntcloud.com/bundle/LDAP-v23x/page/Content/Troubleshooting.htm

Robbe_Cronos · ‎04/24/2023

Thank you for the reply.

I should have maybe mentioned this, but we have already mapped the accountID to the entryDN. We can see in the accounts that this is correctly mapped.

We have also checked if the member attribute of the groups and entryDN of the accounts matches.

dgandhi · ‎04/24/2023

Have you tried Entitlement import first and then the Account Import?

Also can you share the account import JSON.

Thanks

Thanks,
Devang Gandhi
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

Robbe_Cronos · ‎04/25/2023

Yes, we have tried this. Still nothing.

Here is the ImportAccountJSON:

sudeshjaiswal · ‎04/25/2023

Hello @Robbe_Cronos,

Can you please confirm if the RECONCILATION_FIELD is a unique property for an account, and ensure that it is always mapped to objectGUID?
And below document contains different group import mapping, You may find a sample that will be relevant to your need. You may modify and try.

For Ref:- https://docs.saviyntcloud.com/bundle/AD-v231/page/Content/Configuring-the-Integration-for-Importing-...

Thanks,

Robbe_Cronos · ‎04/26/2023

We have mapped customproperty12 to the attribute entryUUID, which is a unique identifier for an account which never changes. We then set the RECONCILATION_FIELD to customproperty12.

We started both the account and access import, but nothing was linked. We didn't find any mapping in the documentation which could help us with our linking.

We also have another small question: What does the "memberHash:member_char" do in the group import mapping? We can't find any documentation on this.

sudeshjaiswal · ‎05/03/2023

Hello @Robbe_Cronos,

1. Would you mind attempting to map the RECONCILIATION_FIELD, which is an exclusive attribute of an account, to objectGUID?

2. The mapping between AD attributes and Saviynt Attribute can be accomplished by using memberHash as the key and member_char as the value.

For Ref: https://docs.saviyntcloud.com/bundle/AD-v231/page/Content/Configuring-the-Integration-for-Importing-...

Thanks

Robbe_Cronos · ‎05/04/2023

1. I have just tried mapping the RECONCILATION_FIELD to the objectGUID, this did not do anything. Accounts are still not correlated with entitlements.

2. Okay, thank you.

Robbe_Cronos · ‎05/05/2023

I should mention again that we are using OpenLDAP for this connection, not Active Directory.

Also, we have found an attribute which we haven't yet used, but we don't know exactly what it does seeing as the documentation does not mention it. Can someone explain what the "GroupAccountMappingAttributeName" attribute is used for?

We really need help with this, as our ticket for it referred us back to the forums.

sudeshjaiswal · ‎06/11/2023

Hello @Robbe_Cronos,

Could you please share the groupimportmapping json.

Thanks

Robbe_Cronos · ‎06/12/2023

Hello,

here is the full groupImportMapping:

{
    "importGroupHierarchy": "false",
    "entitlementTypeName": "member",
    "performGroupAccountLinking": "true",
    "groupAccountMappingAttributeName":"member",
    "groupObjectClass": "(objectclass=groupOfNames)",
    "advanceGroupFilter": {
          "member":{
                "OU=GAPPS,O=UHASSELT,C=BE": [
                     "(&(objectClass=groupOfNames))"
                 ],
                "OU=OUSTUD,O=UHASSELT,C=BE": [
                     "(&(objectClass=groupOfNames))"
                 ]}},
    "mapping": "memberHash:member_char,customproperty12:entrydn_char,customproperty13:cn_char,entitlement_glossary:description_char,description:description_char,displayname:cn_char,entitlement_value:entrydn_char,entitlementid:entrydn_char,customproperty14:objectClass_char,RECONCILATION_FIELD:customproperty12"
}

sudeshjaiswal · ‎06/14/2023

Hello @Robbe_Cronos,

We are checking on it internally and we will keep you posted.

Thanks.

Saviynt Forums

performGroupAccountLinking not working