Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Storing DN in entitlement_value: Character Limit and Best Practices required

Go to solution
Roua
Regular Contributor
Regular Contributor

‎09/23/2024 04:10 AM

I've encountered an issue with storing the Distinguished Name (DN) for entitlements in Saviynt, which seems to be a common challenge. In Active Directory, a DN can be up to 1024 characters long, but in Saviynt, the entitlement_value field is limited to 255 characters. I've seen posts where this has already been raised as an idea, and I’m aware that we can use (CP1)  - (CP5) as alternatives.

However, I have a couple of questions:

1) Impact on Import Process: What happens when an entitlement is mapped to a DN that exceeds 255 characters? Will it disrupt the entire import process, or will it just skip that specific entitlement?

2) CP1 as a Unique Key for Account Assignment: If we map the DN to CP1, will CP1 then serve as the unique key for account access assignments? Since the entitlement_valuekey is used for assignments in Saviynt, and the DN is typically the unique key in AD, using something like the CN in entitlement_value instead wouldn’t work.

What would be the recommended approach for this scenario?

Any guidance or best practices on handling this would be greatly appreciated!

Labels:
0 Kudos
2 REPLIES 2

Go to solution
pruthvi_t
Saviynt Employee
Saviynt Employee

‎09/24/2024 01:14 PM

Hi @Roua ,

Greetings.

If the DN exceeds the characters of data type for entitlement value, then the import status shows that it is failed due to data too long.

For 2, could you please elaborate on the query. Because for entitlements import for AD, we suggest ObjectGUID to be mapped to entitlementid and use it as 'Reconciliation filed' in imports. So not sure how CP1 being mapped with DN would affect the access assignments. 

Thanks


Regards,
Pruthvi

Go to solution
Roua
Regular Contributor
Regular Contributor
In response to pruthvi_t

‎09/25/2024 12:47 AM - edited ‎09/25/2024 12:48 AM

Thank you for your answer we already communicated with a saviynt supporter and they said if it is required we can open a ticket and they can adjust it, but this is just for the future if someone is looking for an answer.
because for us we discussed this with our client and they made sure that all DN's are below 255.

 

0 Kudos
Copyright © 2024 Khoros, LLC