Data merging in JDBC source for MSSQL DB

Hello All,

I’m struggling with entitlement aggregation for MSSQL database in JDBC source. To be honest: i was able to aggregate them but only one value for multi-valued attribute. Basically i was following the steps and discussion in following topics Aggregate Entitlement and Accounts from JDBC Source - #15 by pbourgi and Writing SQL Queries for JDBC Connectors by @Bakhari

Thing i’ve done

1. Set Account query - successfully aggregate 7 accounts:

SELECT
  u.UserId,
  u.UserName,
  m.Email,  -- Added Email column from aspnet_Membership
  
FROM
  dbo.vw_aspnet_UsersInRoles ur
  LEFT JOIN dbo.vw_aspnet_Roles r ON r.RoleId=ur.RoleId
  LEFT JOIN dbo.vw_aspnet_Applications a ON a.ApplicationId=r.ApplicationId
  LEFT JOIN dbo.vw_aspnet_Users u ON u.UserId=ur.UserId
  LEFT JOIN dbo.aspnet_Membership m ON m.UserId=ur.UserId
WHERE
  a.ApplicationName='/DWISE'
;

2. Create new entitlement type called “RoleName” and add it to Account Schema and set it as “Entiltement” and “multi-valued”

3. Crate group SQL query for RoleName

SELECT

  r.RoleName
FROM
  dbo.vw_aspnet_UsersInRoles ur
  LEFT JOIN dbo.vw_aspnet_Roles r ON r.RoleId=ur.RoleId
  LEFT JOIN dbo.vw_aspnet_Applications a ON a.ApplicationId=r.ApplicationId
  LEFT JOIN dbo.vw_aspnet_Users u ON u.UserId=ur.UserId
WHERE
  a.ApplicationName='/DWISE'
;

Result for Account Aggregation for both queries is following: i’m able to aggregate accounts and assigned roleName but only one value.

QUESTION:
Some of the users have two roles (for example JXIN is having RISK and VIEWER roles.
What am i missing in my query or configuration?
Many thanks for support

Hi @radoslaw_klimkowski,

Can you show the merging configuration that you have in place?

Thanks

@ashutosh08 sorry for asking this but what exacly is merging config? All i have is account and grup sql queries

Just check below screenshot for your reference.

image700×343 21.4 KB

@ashutosh08 unfortulatelly Identity Security Cloud does not have this option

My bad I did not saw the tag.

Have you gone through below link configuration.

@ashutosh08 yes, i did however it’s hard for me to put a finger on that keys

Can you post some images of the following on the Source?

1. Account Schema
2. Entitlement Schema
3. Two users and what the Entitlements look like on their account

Thanks!

@Bakhari

1. Account Schema is just basic attributes
   

   

   image1643×465 20.5 KB

2. Entitlement config

image1850×268 11.4 KB

3. Output from DB accounts
   
   

   image813×557 155 KB

Many thanks for support

From what I can tell, it looks like your Entitlement Config is not completely set up. You need to add at least one attribute under your Entitlement Type for the correlation between Account/Entitlement to work.
In your case, it looks like you need to add an attribute called “RoleName”, since the SQL query for your Entitlement Type only selects that:

SELECT

  r.RoleName
FROM
  dbo.vw_aspnet_UsersInRoles ur
  LEFT JOIN dbo.vw_aspnet_Roles r ON r.RoleId=ur.RoleId
  LEFT JOIN dbo.vw_aspnet_Applications a ON a.ApplicationId=r.ApplicationId
  LEFT JOIN dbo.vw_aspnet_Users u ON u.UserId=ur.UserId
WHERE
  a.ApplicationName='/DWISE'
;

So follow these steps to fix:

1. Add the “RoleName” attribute to your Entitlement Type. (Needs to match the exact name from the SQL Query.)
2. Make sure you set that new attribute to “Entitlement Name” and “Entitlement ID” (If you don’t want the “RoleName” to be both the “Entitlement Name” and “Entitlement ID” then you need to SELECT an ID column in your SQL QUERY. (Remember: if you do that, you have to add that ID name to the attributes on your Entitlement Types and it has to match the ID name in the SQL query exactly.))
3. Mark “RoleName” as the Entitlement.
4. Run the API to Reset all Accounts on the Source: delete-accounts-async | SailPoint Developer Community
5. Run the API to Reset all Entitlements on the Source: reset-source-entitlements | SailPoint Developer Community
6. Run the Entitlement Aggregation
7. Run the Account Aggregation
8. ???
9. Profit!

This should fix the issue. Let me know!

FYI: Steps 8 nd 9 are supposed to be a joke from an old dead meme.

hello @Bakhari

I proceed with steps provided by you and here’s the results:

1. Added RoleName attribute to RoleName entitlement type
2. Set entitlement attribute RoleName to “Entitlement Name” and “Entitlement ID”
3. done
4. done
5. done
6. done
7. done
8. definitelly done
9. profit i guess

The results are:

1. No errors during entitlement aggregation

• no multiplied entitlement in the list 2024-06-18-10-05-23-Sandbox-entilement hosted at ImgBB — ImgBB

2. No errors during account aggregation, no duplicated accounts

However:

1. as a Account Query i have to use following to concatenate all roles to single account:

  SELECT
  u.UserId,
  u.UserName,
  MAX(m.Email) AS Email,
  STRING_AGG(r.RoleName, ', ') AS RoleName 
FROM
  dbo.vw_aspnet_UsersInRoles ur
LEFT JOIN dbo.vw_aspnet_Roles r ON r.RoleId=ur.RoleId
LEFT JOIN dbo.vw_aspnet_Applications a ON a.ApplicationId=r.ApplicationId
LEFT JOIN dbo.vw_aspnet_Users u ON u.UserId=ur.UserId
LEFT JOIN dbo.aspnet_Membership m ON m.UserId=ur.UserId
WHERE
  a.ApplicationName='/DWISE'
GROUP BY 
  u.UserId,
  u.UserName;

Group SQL query look like below:

SELECT
  r.RoleName
FROM
  dbo.vw_aspnet_UsersInRoles ur
  LEFT JOIN dbo.vw_aspnet_Roles r ON r.RoleId=ur.RoleId
  LEFT JOIN dbo.vw_aspnet_Applications a ON a.ApplicationId=r.ApplicationId
  LEFT JOIN dbo.vw_aspnet_Users u ON u.UserId=ur.UserId
WHERE
  a.ApplicationName='/DWISE'
;

RESULT:

• Entilement are aggregated without multiplication
• As a drawback (or is it?) In Account detais in Entitlement section i do not see anything but still there’s value in account attribute RoleName 2024-06-18-10-02-39-Sandbox-account hosted at ImgBB — ImgBB

Is it should looks like that ?

Yes and no.

What this means is that your Account SQL Query successfully aggregated all users and RoleNames from the database.
It also means your Group/Entitlement SQL Query successfully aggregated all entitlements from the database.

However, there was an issue with tying the Entitlements to the Accounts in ISC.

There are several reason why this might happen, but instead of guessing at the answer, you’ll want to walk through triage/troubleshooting steps first. I would start with Resetting Accounts and Entitlements again…

Then Aggregate Accounts first this time.
Then Aggregate Entitlements next.
Test again and let me know.

I reset accounts and entitlements and i aggregate them in following sequence:

1. Accounts
2. Entitlements

Here’s what i get:
Account details look like this: 2024-06-18-17-01-58-Sandbox-acc-details hosted at ImgBB — ImgBB
Entilements look like this: 2024-06-18-17-03-20-Sandbox-entitle hosted at ImgBB — ImgBB

looks good to me! Is that not what you’re expecting? It looks perfect to me!

Hi @radoslaw_klimkowski

Maybe if you are expecting something like this where you want the roles to be treated as individual entities rather than single entity separated by comma, then can you try using this account query if you are allowed to change: (Make sure the RoleName is marked multi-valued in account schema).

SELECT
  u.UserId,
  u.UserName,
  m.Email, 
  r.RoleName
FROM
  dbo.vw_aspnet_UsersInRoles ur
  LEFT JOIN dbo.vw_aspnet_Roles r ON r.RoleId=ur.RoleId
  LEFT JOIN dbo.vw_aspnet_Applications a ON a.ApplicationId=r.ApplicationId
  LEFT JOIN dbo.vw_aspnet_Users u ON u.UserId=ur.UserId
  LEFT JOIN dbo.aspnet_Membership m ON m.UserId=ur.UserId
WHERE
  a.ApplicationName='/DWISE'
ORDER BY u.UserId
;

Though this query will give you multiple entries for a user with RoleNome being unique in each entry, something like

|UserId | UserName | Email | RoleName|
|101 | Alice | [email protected] | Admin|
|101 | Alice | [email protected] | User|

I guess SailPoint itself should be able to handle multiple group assignment to the accounts with no accounts being duplicated. It should work for any sources using SQL like JDBC or SQL Loader.

If this is what you expect, then you can make your group query simple too by just selecting all from the dbo.vw_aspnet_Roles table.

Thanks!

Hello @varshini303. This is what exactly i’ve been looking for. Thank You so much

At this moment i have aggregated 4 entitlements without mulitplication and all groups are listed separatelly in account details

@Bakhari many thanks as well for providing excellent support on this case. Profit for sure!

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.