My team is experiencing issues with groups that are supposed to be filtered out of SailPoint showing as their guid numbers because the system does not recognize them anymore.
We have done a reset of the entitlements and re-aggregated as well but still getting the guid issue for all groups that should not be coming into SailPoint.
How are you filtering them? From the source configuration?
Hi Sophia,
During aggregation, We can use account.filterString or group.filterString to apply filters for these particular objects.
Can you please explain the problem statement clearly?
Thanks.
We are attempting to filter the groups being aggregated through our identity source and then aggregation settings and then advanced group filters. Every time, we add syntax for a new group filter, the entitlement shows as a guid display name.
It sounds like they’re coming in through account aggregation. When an entitlement is first aggregated during account aggregation because one or more accounts has that entitlement, it creates a “shell” of the entitlement with only the id value populated. This is typically a placeholder value until entitlement aggregation populates the rest of the data (name, description, etc.).
If this is what’s causing your issue, you have to solve it at the connector level via entitlement membership filters. This is not a universal feature across connectors, but for example, is supported in the Active Directory connector and the Entra ID connector after a recent update.
Thank you! I will take a look.