Saviynt Forums

Jillustre · ‎12-13-2022

In out saviyntforsaviynt connection, in AccountImport, there is no userReconcillationField. We have one in USERIMPORT, set on username. Tried to change it for employeeId with no success.

We want that change because right now someone can have an email change and it create a new account instead of reconciliating it with employeeId when we execute SaviyntForSaviyntAccountsFullImportJobTrigger

The change need to be in USERIMPORT or ACCOUNTIMPORT?

thanks

rushikeshvartak · ‎12-13-2022

You can change in accountsImport

https://saviynt.freshdesk.com/support/solutions/articles/43000617705-database-connector-guide#Databa...

Regards,

Rushikesh Vartak

Jillustre · ‎12-13-2022

We have this for AccountImport. What need to be change?

<dataMapping>
    <before-import>

    </before-import>
    <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="name" >
        <![CDATA[    select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Role' as attribute,r.ROLE_NAME  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from users u, roles r, role_owners rw where u.userkey=rw.USERKEY and r.ROLEKEY=rw.ROLEKEY and r.STATUS=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Rule' as attribute, case when type=0 then concat( h.NAME,' TYPE:BUSINESS') when type=1 then concat( h.NAME,' TYPE:TECHNICAL') when type=2 then concat( h.NAME,' TYPE:USER UPDATE') when type=3 then concat( h.NAME,' TYPE:NEW USER') when type=4 then concat( h.NAME,' TYPE:REMOVE USER') when type=5 then concat( h.NAME,' TYPE:UPDATE ENTITLEMENT') when type=6 then concat( h.NAME,' TYPE:NEW ENTITLEMENT') when type=7 then concat( h.NAME,' TYPE:REMOVE ENTITLEMENT') when type=8 then concat( h.NAME,' TYPE:REQUEST') end as entitlementvalue, u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from hanarule h, users u, rule_owners ro where u.USERKEY = ro.USERKEY and h.HANARULEKEY=ro.RULEKEY and h.status=0  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'UserGroup' as attribute, ug.user_groupname as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate,u.username as objectguid from users u, user_groups ug, usergroup_owners ugo where ug.usergroupkey=ugo.USERGROUPKEY and ugo.USERKEY =u.userkey  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'SAVRole' as attribute, s.rolename as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate,u.username as objectguid from users u, user_savroles us, savroles s where u.userkey=us.userkey and us.rolekey=s.rolekey and s.statuskey=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Risk' as attribute, concat(r.RISKNAME,' RULESET:',rs.RULESET)  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from risks r, users u , riskowners ro,rulesets rs where r.RULESETKEY=rs.RULESETKEY and u.USERKEY = ro.OWNERUSERKEY and r.RISKID = ro.RISKID and r.status=0  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'Function' as attribute, concat(f.FUNCTION_NAME,' RULESET:',rs.RULESET)  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from functions f, users u, rulesets rs where  f.RULESETKEY=rs.RULESETKEY and f.OWNER = u.USERKEY and f.ownertype=1 and f.status=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name, 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'BusinessProcess' as attribute, b.BUSPROCNAME  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from busprocs b, users u , bp_owners bo where u.USERKEY = bo.USERKEY and b.BUSPROCKEY = bo.BUSPROCKEY and b.status=1  union   select distinct u.username as accountname, 'SaviyntforSaviynt' as name,
 'SaviyntforSaviynt' as endpointname,u.username as accountcn, 'JRM' as attribute, j.JRMRULENAME  as entitlementvalue,u.username as username, u.statuskey as status, u.updatedate, u.username as objectguid from jrmrules j, users u  where u.USERKEY = j.owner ;  		 ]]>
    </sql-query>

    <mapper description="This is the mapping field for Saviynt Field name" accountnotinfileaction="delete" deleteaccountentitlement="true" addOnlyMode="FALSE"  ifusernotexists="noaction" incrementalcolumn="updatedate" systems="'SaviyntforSaviynt'">
    <mapfield saviyntproperty="accounts.name" sourceproperty="accountname" type="character"></mapfield>
    <mapfield saviyntproperty="securitysystems.systemname" sourceproperty="name" type="character"></mapfield>
    <mapfield saviyntproperty="endpoints.endpointname" sourceproperty="endpointname" type="character"></mapfield>
    <mapfield saviyntproperty="entitlementtypes.entitlementname" sourceproperty="attribute" type="character"></mapfield>
    <mapfield saviyntproperty="entitlementvalues.entitlementvalue" sourceproperty="entitlementvalue" type="character"></mapfield>
    <mapfield saviyntproperty="users.username" sourceproperty="username" type="character"></mapfield>
 	<mapfield saviyntproperty="accounts.status" sourceproperty="status" type="number"></mapfield>
	<mapfield saviyntproperty="accounts.accountID" sourceproperty="accountcn" type="character"></mapfield>
	<mapfield saviyntproperty="accounts.displayname" sourceproperty="objectguid" type="character"></mapfield>
	
    </mapper>
	
    <after-import description="EMAIL,BATCH,SQL">

    </after-import>
	
</dataMapping>

rushikeshvartak · ‎12-13-2022

This is set in Endpoint - Correlation RULE

Regards,

Rushikesh Vartak

Jillustre · ‎12-13-2022

So I need to set fa User Account correlation rule fromn User.EmployeeId to Account.CustomProperty (EmployeeId)?

sk · ‎12-13-2022

In your mapping I don't see email is even used. If I understand your statement correctly you are saying if someone has email changed then you are seeing two accounts under accounts tab of that user for Saviynt application?

Regards,
Saathvik

Jillustre · ‎12-13-2022

Exactly. I've try several time, change an email on dev environment for a user 2-3 time and when I execute the job SaviyntForSaviyntAccountsFullImportJobTrigger, it create a new account for Endpoint Saviynt with the new email.

sk · ‎12-13-2022

I doubt that this account import job is creating multiple accounts.

Can you share screenshot of one such example with any customer sensitive data masked.

Also what is your user account correlation rule?

Regards,
Saathvik

Jillustre · ‎12-13-2022

No user account correlation rule is set.

rushikeshvartak · ‎12-13-2022

Please set below account correlation rule

Regards,

Rushikesh Vartak

sk · ‎12-13-2022

Looking at above screenshot I see account name is having email value does that mean that you are storing email in username field?

Regards,
Saathvik

sk · ‎12-13-2022

If username field is having email value then you may need to modify the query to pull employeeid and map that with accountname field

Modify the query as below and see if that fixes the issue

SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Role' AS attribute,
r.ROLE_NAME AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM users u,
ROLES r,
role_owners rw
WHERE u.userkey=rw.USERKEY
AND r.ROLEKEY=rw.ROLEKEY
AND r.STATUS=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Rule' AS attribute,
CASE
WHEN TYPE=0 THEN concat(h.NAME, ' TYPE:BUSINESS')
WHEN TYPE=1 THEN concat(h.NAME, ' TYPE:TECHNICAL')
WHEN TYPE=2 THEN concat(h.NAME, ' TYPE:USER UPDATE')
WHEN TYPE=3 THEN concat(h.NAME, ' TYPE:NEW USER')
WHEN TYPE=4 THEN concat(h.NAME, ' TYPE:REMOVE USER')
WHEN TYPE=5 THEN concat(h.NAME, ' TYPE:UPDATE ENTITLEMENT')
WHEN TYPE=6 THEN concat(h.NAME, ' TYPE:NEW ENTITLEMENT')
WHEN TYPE=7 THEN concat(h.NAME, ' TYPE:REMOVE ENTITLEMENT')
WHEN TYPE=8 THEN concat(h.NAME, ' TYPE:REQUEST')
END AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM hanarule h,
users u,
rule_owners ro
WHERE u.USERKEY = ro.USERKEY
AND h.HANARULEKEY=ro.RULEKEY
AND h.status=0
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'UserGroup' AS attribute,
ug.user_groupname AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM users u,
user_groups ug,
usergroup_owners ugo
WHERE ug.usergroupkey=ugo.USERGROUPKEY
AND ugo.USERKEY =u.userkey
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'SAVRole' AS attribute,
s.rolename AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM users u,
user_savroles us,
savroles s
WHERE u.userkey=us.userkey
AND us.rolekey=s.rolekey
AND s.statuskey=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Risk' AS attribute,
concat(r.RISKNAME, ' RULESET:', rs.RULESET) AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM risks r,
users u,
riskowners ro,
rulesets rs
WHERE r.RULESETKEY=rs.RULESETKEY
AND u.USERKEY = ro.OWNERUSERKEY
AND r.RISKID = ro.RISKID
AND r.status=0
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'Function' AS attribute,
concat(f.FUNCTION_NAME, ' RULESET:', rs.RULESET) AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM functions f,
users u,
rulesets rs
WHERE f.RULESETKEY=rs.RULESETKEY
AND f.OWNER = u.USERKEY
AND f.ownertype=1
AND f.status=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'BusinessProcess' AS attribute,
b.BUSPROCNAME AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM busprocs b,
users u,
bp_owners bo
WHERE u.USERKEY = bo.USERKEY
AND b.BUSPROCKEY = bo.BUSPROCKEY
AND b.status=1
UNION
SELECT DISTINCT u.employeeid AS accountname,
'SaviyntforSaviynt' AS name,
'SaviyntforSaviynt' AS endpointname,
u.employeeid AS accountcn,
'JRM' AS attribute,
j.JRMRULENAME AS entitlementvalue,
u.username AS username,
u.statuskey AS status,
u.updatedate,
u.employeeid AS objectguid
FROM jrmrules j,
users u
WHERE u.USERKEY = j.owner ;

Also mapping as below

Regards,
Saathvik

Saviynt Forums

saviynt for saviynt reconciliation