Announcing the SAVIYNT KNOWLEDGE EXCHANGE unifying the Saviynt forums, documentation, training, and more in a single search tool across platforms. Click HERE to read the Announcement.

saviynt for saviynt reconciliation

Jillustre
New Contributor III
New Contributor III

In out saviyntforsaviynt connection, in AccountImport, there is no userReconcillationField. We have one in USERIMPORT, set on username. Tried to change it for employeeId with no success.

We want that change because right now someone can have an email change and it create a new account instead of reconciliating it with employeeId when we execute SaviyntForSaviyntAccountsFullImportJobTrigger

The change need to be in USERIMPORT or ACCOUNTIMPORT?

thanks

 

11 REPLIES 11

rushikeshvartak
All-Star
All-Star

You can change in accountsImport

https://saviynt.freshdesk.com/support/solutions/articles/43000617705-database-connector-guide#Databa... 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

We have this for AccountImport. What need to be change?

<dataMapping>
    <before-import>

    </before-import>
    <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="name" >
        <![CDATA[    select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Role' as attribute,r.ROLE_NAME  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from users u, roles r, role_owners rw where u.userkey=rw.USERKEY and r.ROLEKEY=rw.ROLEKEY and r.STATUS=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Rule' as attribute, case when type=0 then concat( h.NAME,' TYPE:BUSINESS') when type=1 then concat( h.NAME,' TYPE:TECHNICAL') when type=2 then concat( h.NAME,' TYPE:USER UPDATE') when type=3 then concat( h.NAME,' TYPE:NEW USER') when type=4 then concat( h.NAME,' TYPE:REMOVE USER') when type=5 then concat( h.NAME,' TYPE:UPDATE ENTITLEMENT') when type=6 then concat( h.NAME,' TYPE:NEW ENTITLEMENT') when type=7 then concat( h.NAME,' TYPE:REMOVE ENTITLEMENT') when type=8 then concat( h.NAME,' TYPE:REQUEST') end as entitlementvalue, u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from hanarule h, users u, rule_owners ro where u.USERKEY = ro.USERKEY and h.HANARULEKEY=ro.RULEKEY and h.status=0  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'UserGroup' as attribute, ug.user_groupname as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate,u.username as objectguid from users u, user_groups ug, usergroup_owners ugo where ug.usergroupkey=ugo.USERGROUPKEY and ugo.USERKEY =u.userkey  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'SAVRole' as attribute, s.rolename as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate,u.username as objectguid from users u, user_savroles us, savroles s where u.userkey=us.userkey and us.rolekey=s.rolekey and s.statuskey=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Risk' as attribute, concat(r.RISKNAME,' RULESET:',rs.RULESET)  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from risks r, users u , riskowners ro,rulesets rs where r.RULESETKEY=rs.RULESETKEY and u.USERKEY = ro.OWNERUSERKEY and r.RISKID = ro.RISKID and r.status=0  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Function' as attribute, concat(f.FUNCTION_NAME,' RULESET:',rs.RULESET)  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from functions f, users u, rulesets rs where  f.RULESETKEY=rs.RULESETKEY and f.OWNER = u.USERKEY and f.ownertype=1 and f.status=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'BusinessProcess' as attribute, b.BUSPROCNAME  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from busprocs b, users u , bp_owners bo where u.USERKEY = bo.USERKEY and b.BUSPROCKEY = bo.BUSPROCKEY and b.status=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name,
 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'JRM' as attribute, j.JRMRULENAME  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from jrmrules j, users u  where u.USERKEY = j.owner ;  		 ]]>
    </sql-query>

    <mapper description="This is the mapping field for Saviynt Field name" accountnotinfileaction="delete" deleteaccountentitlement="true" addOnlyMode="FALSE"  ifusernotexists="noaction" incrementalcolumn="updatedate" systems="'SaviyntforSaviynt'">
    <mapfield saviyntproperty="accounts.name" sourceproperty="accountname" type="character"></mapfield>
    <mapfield saviyntproperty="securitysystems.systemname" sourceproperty="name" type="character"></mapfield>
    <mapfield saviyntproperty="endpoints.endpointname" sourceproperty="endpointname" type="character"></mapfield>
    <mapfield saviyntproperty="entitlementtypes.entitlementname" sourceproperty="attribute" type="character"></mapfield>
    <mapfield saviyntproperty="entitlementvalues.entitlementvalue" sourceproperty="entitlementvalue" type="character"></mapfield>
    <mapfield saviyntproperty="users.username" sourceproperty="username" type="character"></mapfield>
 	<mapfield saviyntproperty="accounts.status" sourceproperty="status" type="number"></mapfield>
	<mapfield saviyntproperty="accounts.accountID" sourceproperty="accountcn" type="character"></mapfield>
	<mapfield saviyntproperty="accounts.displayname" sourceproperty="objectguid" type="character"></mapfield>
	
    </mapper>
	
    <after-import description="EMAIL,BATCH,SQL">

    </after-import>
	
</dataMapping>

This is set in Endpoint - Correlation RULE


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

So I need to set fa User Account correlation rule fromn User.EmployeeId to Account.CustomProperty (EmployeeId)?

In your mapping I don't see email is even used. If I understand your statement correctly you are saying if someone has email changed then you are seeing two accounts under accounts tab of that user for Saviynt application? 


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Jillustre
New Contributor III
New Contributor III

Exactly. I've try several time, change an email on dev environment for a user 2-3 time and when I execute the job SaviyntForSaviyntAccountsFullImportJobTrigger, it create a new account for Endpoint Saviynt with the new email.

 I doubt that this account import job is creating multiple accounts.

Can you share screenshot of one such example with any customer sensitive data masked.

Also what is your user account correlation rule?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Jillustre
New Contributor III
New Contributor III

Jillustre_0-1670964163860.png

No user account correlation rule is set.

Please set below account correlation rule

rushikeshvartak_0-1670964552176.png

 


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Looking at above screenshot I see account name is having email value does that mean that you are storing email in username field?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

If username field is having email value then you may need to modify the query to pull employeeid and map that with accountname field 

Modify the query as below and see if that fixes the issue

SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Role' AS attribute,
r.ROLE_NAME AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM users u,
ROLES r,
role_owners rw
WHERE u.userkey=rw.USERKEY
AND r.ROLEKEY=rw.ROLEKEY
AND r.STATUS=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Rule' AS attribute,
CASE
WHEN TYPE=0 THEN concat(h.NAME, ' TYPE:BUSINESS')
WHEN TYPE=1 THEN concat(h.NAME, ' TYPE:TECHNICAL')
WHEN TYPE=2 THEN concat(h.NAME, ' TYPE:USER UPDATE')
WHEN TYPE=3 THEN concat(h.NAME, ' TYPE:NEW USER')
WHEN TYPE=4 THEN concat(h.NAME, ' TYPE:REMOVE USER')
WHEN TYPE=5 THEN concat(h.NAME, ' TYPE:UPDATE ENTITLEMENT')
WHEN TYPE=6 THEN concat(h.NAME, ' TYPE:NEW ENTITLEMENT')
WHEN TYPE=7 THEN concat(h.NAME, ' TYPE:REMOVE ENTITLEMENT')
WHEN TYPE=8 THEN concat(h.NAME, ' TYPE:REQUEST')
END AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM hanarule h,
users u,
rule_owners ro
WHERE u.USERKEY = ro.USERKEY
AND h.HANARULEKEY=ro.RULEKEY
AND h.status=0
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'UserGroup' AS attribute,
ug.user_groupname AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM users u,
user_groups ug,
usergroup_owners ugo
WHERE ug.usergroupkey=ugo.USERGROUPKEY
AND ugo.USERKEY =u.userkey
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'SAVRole' AS attribute,
s.rolename AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM users u,
user_savroles us,
savroles s
WHERE u.userkey=us.userkey
AND us.rolekey=s.rolekey
AND s.statuskey=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Risk' AS attribute,
concat(r.RISKNAME, ' RULESET:', rs.RULESET) AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM risks r,
users u,
riskowners ro,
rulesets rs
WHERE r.RULESETKEY=rs.RULESETKEY
AND u.USERKEY = ro.OWNERUSERKEY
AND r.RISKID = ro.RISKID
AND r.status=0
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Function' AS attribute,
concat(f.FUNCTION_NAME, ' RULESET:', rs.RULESET) AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM functions f,
users u,
rulesets rs
WHERE f.RULESETKEY=rs.RULESETKEY
AND f.OWNER = u.USERKEY
AND f.ownertype=1
AND f.status=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'BusinessProcess' AS attribute,
b.BUSPROCNAME AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM busprocs b,
users u,
bp_owners bo
WHERE u.USERKEY = bo.USERKEY
AND b.BUSPROCKEY = bo.BUSPROCKEY
AND b.status=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'JRM' AS attribute,
j.JRMRULENAME AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM jrmrules j,
users u
WHERE u.USERKEY = j.owner ;

Also mapping as below


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.