
Some Entra DirectoryRole Entitlements Not Displaying

Ches
New Contributor III

Hi,

I am looking to pull a complete list of all 'DirectoryRole' entitlements relating to EntraID(AzureAD).

Currently, Microsoft has just over 100 of these built in directory roles, found here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#all...

However, in my Saviynt instance, I am only able to see 30~ or so.  Where are the other 60+ entitlements?

I had thought that perhaps if someone is not assigned the role in EntraID, then the entitlement would not import, however, there are some entitlements showing as no accounts within.

Ches_0-1720437213049.png

Thanks,

 


Raghu
All-Star

@Ches check any Entitlement and child entitlement

Endpoint -> Entitlement -> open active one -> check again child ent tab --> few ent's

Reference:

Raghu_0-1720438048855.png

 

 


Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

Ches
New Contributor III

Thanks for your reply, but this does not answer my question?

If I use the Global Reader DirectoryRole entitlement and look at the child entitlements, for example.. what does that have to do with what I'm looking for?

Ches_0-1720438426775.png

I am looking to understand why there are over 100 Microsoft built in DirectoryRoles, yet my Saviynt instances only display approx 30~.

  • Did you add any filters at the connection level or in the Job Control Panel?
  • Please validate the Entitlement Filter query at the connection level.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Ches
New Contributor III

Hi,

Any import jobs are complete imports and I see nothing to exclude any DirectoryRole etc.

The ENTITLEMENT_ATTRIBUTE on the connection looks standard. And the ENTITLEMENT_FILTER_JSON is blank (as expected).

  • You mean specific DirectoryRoles can't be excluded?

Regards,
Rushikesh Vartak

Ches
New Contributor III

I meant that I see nothing to indicate my instance is excluding any Directory Role entitlements.

Lovelace
New Contributor

We're also experiencing this issue and trying to figure it out ourselves.

Please validate in 24.x latest version


Regards,
Rushikesh Vartak

My bad. We are v24.5

Ches
New Contributor III

Hi @slovelace

After doing some further tests, I have come to the conclusion that the DirectoryRoles will NOT populate in Saviynt unless the role gets assigned to someone/PIM in EntraID. Only then will it populate.

It would be great if you're able to test this on your side, to confirm the behaviour.

Lovelace
New Contributor

That is what we were suspecting. We also noticed that if the role is "eligible" but not active, it does not populate on the user. Perhaps this is also why some of them show up but are blank? This just failed QA tests yesterday so purely speculation on our part at the moment.

Will keep poking around and trying new things.

Ches
New Contributor III

"We also noticed that if the role is "eligible" but not active, it does not populate on the user."

 

This behaviour was also noted. Unless it's active at the point of the EntraID sync, it'll show as not assigned to anyone.

Lovelace
New Contributor

Seems a bit odd. Means it's just a matter of luck if we know appropriate PIM roles then, and they can disappear just as fast on the next sync. Hmmmmmm.
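One way to test the behaviour described in this thread is to reconcile the tenant's built-in role definitions against what the import shows, splitting the gap into never-assigned, PIM-eligible-only, and unexplained. This is an added example, not code from any poster or from Saviynt; it assumes JSON exported from the Microsoft Graph `roleManagement/directory` endpoints named in the comments plus a hand-collected list of imported entitlement names, and all ids and sample records are constructed.

```python
# Constructed sample data shaped like Microsoft Graph responses; ids are placeholders.
ROLE_DEFINITIONS = [  # GET /roleManagement/directory/roleDefinitions
    {"id": "r1", "displayName": "Global Reader", "isBuiltIn": True},
    {"id": "r2", "displayName": "Security Administrator", "isBuiltIn": True},
    {"id": "r3", "displayName": "Teams Administrator", "isBuiltIn": True},
    {"id": "r4", "displayName": "Printer Administrator", "isBuiltIn": True},
    {"id": "r5", "displayName": "Contoso Custom Role", "isBuiltIn": False},
]
ACTIVE_ASSIGNMENTS = [  # GET /roleManagement/directory/roleAssignments
    {"principalId": "u1", "roleDefinitionId": "r1"},
    {"principalId": "u3", "roleDefinitionId": "r3"},
]
ELIGIBLE_SCHEDULES = [  # GET /roleManagement/directory/roleEligibilitySchedules
    {"principalId": "u2", "roleDefinitionId": "r2"},
    {"principalId": "u1", "roleDefinitionId": "r1"},
]
IMPORTED_ENTITLEMENTS = {"Global Reader"}  # assumption: names copied from the IGA instance

def reconcile(definitions, active, eligible, imported):
    """Classify each built-in role by why it may be absent from the import."""
    active_ids = {a["roleDefinitionId"] for a in active}
    eligible_ids = {e["roleDefinitionId"] for e in eligible}
    report = {"imported": [], "never_assigned": [], "eligible_only": [], "active_but_missing": []}
    for role in definitions:
        if not role.get("isBuiltIn"):
            continue  # custom roles are outside the thread's question
        name, rid = role["displayName"], role["id"]
        if name in imported:
            bucket = "imported"
        elif rid in active_ids:
            bucket = "active_but_missing"  # not explained by the thread's hypothesis
        elif rid in eligible_ids:
            bucket = "eligible_only"  # PIM-eligible holders only, none active
        else:
            bucket = "never_assigned"
        report[bucket].append(name)
    return {k: sorted(v) for k, v in report.items()}

def eligible_principals_unseen(active, eligible):
    """(principal, role) pairs that are PIM-eligible with no active assignment right now."""
    active_pairs = {(a["principalId"], a["roleDefinitionId"]) for a in active}
    return sorted((e["principalId"], e["roleDefinitionId"]) for e in eligible
                  if (e["principalId"], e["roleDefinitionId"]) not in active_pairs)

if __name__ == "__main__":
    for bucket, names in reconcile(ROLE_DEFINITIONS, ACTIVE_ASSIGNMENTS,
                                   ELIGIBLE_SCHEDULES, IMPORTED_ENTITLEMENTS).items():
        print(f"{bucket}: {names}")
    print("eligible, not active:", eligible_principals_unseen(ACTIVE_ASSIGNMENTS, ELIGIBLE_SCHEDULES))
```

Any role landing in `active_but_missing` is worth raising with the vendor, and the `eligible_only` bucket is the set of privileged roles that access reviews based on the import would not cover.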