Some entitlement Names as the dn rather than the SAMAccountName

mrahulbb · June 13, 2024, 12:49pm

Few sources show some entitlement Names as the dn rather than the SAMAccountName.
How can we fix this?

WyssAJ01 · June 13, 2024, 12:50pm

Have you run an entitlement aggregation yet?

The other thing you want to check is to make sure that your group aggregation settings contain the OU that those groups are in.

mrahulbb · June 13, 2024, 1:02pm

NO, we havent run any aggregation

WyssAJ01 · June 13, 2024, 1:14pm

Ok, start with running an entitlement aggregation and see if that resolves your issue.

If that doesn’t resolve your issue, then click on edit configruation, go to account and group settings, then add the needed OUs to the group search scope at the bottom of that page.

mrahulbb · June 13, 2024, 1:25pm

After adding OUs can we see the Entitlements Name instead of OUs name

mrahulbb · June 13, 2024, 1:30pm

We are able to see only "Cn= " values instead of names

jsosa · June 13, 2024, 2:42pm

Hi Mekala, this happens when users have groups that are not in the group base dn/search filter.

For example, if you already did not trigger an entitlement aggregation, but you perform an account aggregation, groups hold by users will populate entitlement list. As aggregation only reads memberOf attribute, which have a DN value type, they will appear as you are seeing.

If you run entitlement aggregation, the groups thar are under your base DN (for example, ou=groups,…,dc=domain,dc=com) will appear with the CN value as their name. But if users aggregated has other groups, for example the cn=domain users,cn=users,dc=domain,dc=com, will appear as DN.

Perhaps you should perform a cleanup of the aggregated objects (this is a call on the private api, I am not sure if it is already moved to beta or v3 api), it will reset to 0 any aggregation you performed, then first do the entitlement aggregation and next, the account aggregation.

mrahulbb · June 14, 2024, 4:05pm

we have only V3 and beta i am unabe to see above option in those APIs

jsosa · June 17, 2024, 12:44pm

Hi Mekala, here are the calls. First one is to search sources, because id for private calls are not the same as the id returned in beta/v3. Authoritazion is like beta/v4 apis, so you can clone some call and modify urls.

Find your source id with this calll:
GET https://{{tenant}}.api.identitynow.com/cc/api/source/list

For resetting aggregated objects, use id returned in last call here:
POST https://{{tenant}}.api.identitynow.com/cc/api/source/reset/{id}

system · August 16, 2024, 12:44pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD display name in entitlements, DN vs CN/sAMAccountName? ISC Discussion and Questions aggregation , identity-security-cloud	5	238	June 16, 2024
Samaccount and distinguish name Generation ISC Discussion and Questions identity-security-cloud	9	313	April 26, 2024
Rename sAMAccountName ISC Discussion and Questions	4	4380	July 19, 2023
Generate sAMAccountName not populated in the AD attributes DN and CN ISC Discussion and Questions identity-security-cloud , provisioning	7	320	June 4, 2024
Access Profiles: Entitlements missing after source entitlement aggregation ISC Discussion and Questions aggregation , identity-security-cloud , access-profiles , access-requests , entitlements	7	115	November 17, 2024

Some entitlement Names as the dn rather than the SAMAccountName

Related topics