SB
Saviynt Employee
Detailed Question: Is there any way to use the ENDPOINT FILTER attribute in an AD connection, but instead of using the memberOf attribute, it uses any other attribute of an AD group? The filtering for child endpoints will be done based on that attribute.

If this is not supported using the endpoint filter, can any other JSON like groupImportMapping be used? The requirement is: the AD groups having a common attribute value (e.g. a set of AD groups for which the 'INFO' attribute has the value 'XYZ') should be imported into a separate endpoint (the groups as well as the associated accounts), and this endpoint should be requestable and certifiable separately.

Answer: If you are able to search with the filter in your LDAP browser, you should be able to use the same under ENDPOINT FILTER to pull the Groups accordingly.

Use the same filter as you are using in the LDAP browser under the ENDPOINTS_FILTER config in the AD Connection. Replace the memberOf string below with the search filter value you are using in the LDAP browser.

{
    "Sampletest AD Application": [
        {
            "memberOf": [
                "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
            ]
        }
    ]
}
Comments
SB
Saviynt Employee

If you are able to search with the filter in your LDAP browser, you should be able to use the same under ENDPOINT FILTER to pull the Groups accordingly.

rushikeshvartak
All-Star

What is the solution?

SB
Saviynt Employee

Use the same filter as you are using in the LDAP browser under the ENDPOINTS_FILTER config in the AD Connection. Replace the memberOf string below with the search filter value you are using in the LDAP browser.

{
    "Sampletest AD Application": [
        {
            "memberOf": [
                "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
            ]
        }
    ]
}

rushikeshvartak
All-Star

The post says we need to update groupImportMapping also?

SB
Saviynt Employee

No changes are required for groupImportMapping. I have also updated the original post to highlight the query and suggestion.

rushikeshvartak
All-Star

Thanks for the edit.

rushikeshvartak
All-Star

Can we use any other attribute of the entitlement instead of entitlement_value?

SB
Saviynt Employee

Can you explain a little more about where you want to use the attribute?

rushikeshvartak
All-Star

We want the endpoint_filter to be done on a specific custom property other than entitlement_value.

Example:

If entitlement customproperty1 will be the application name.

Business use case: it won't be possible to change the group name in AD, as those are used by many applications.

SB
Saviynt Employee

The ENDPOINTS_FILTER works on the LDAP query and does not have any dependency on Saviynt attributes. The best way to test this is to run your filter query in an LDAP browser and then use that same query in Saviynt. Replace memberOf with the AD attribute you used in your LDAP browser, and CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local with the value you searched with.

{
    "Sampletest AD Application": [
        {
            "memberOf": [
                "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
            ]
        }
    ]
}

rushikeshvartak
All-Star

{
    "AWS Azure": [
        {
            "displayName": [
                "aws%"
            ]
        }
    ]
}

I have tested this; it does not work. Here displayName is expected as the entitlement type.

SB
Saviynt Employee

Can you try using the below once.

{
    "AWS Azure": [
        {
            "memberOf": [
                "displayName=aws%"
            ]
        }
    ]
}

rushikeshvartak
All-Star

It's not working; it made all groups inactive.

SB
Saviynt Employee

And just to be sure, was this same filter returning the data in LDAP browser?

If it was, we may need to check this further for any code dependencies. Can you please confirm?

rushikeshvartak
All-Star

I am testing for Azure AD.

SB
Saviynt Employee

Are you using the AD connector or the AzureAD connector?

rushikeshvartak
All-Star

AzureAD connector

SB
Saviynt Employee

I would recommend reaching out to the Saviynt implementation team, since it will not be a standard solution.

Please note, the filter you wish to use should also be supported by Graph API before you can check for integration with Saviynt. For information about the filter conditions that Microsoft supports, see basic query in the Microsoft documentation.

biswajitoram
New Contributor III

Hi @SB @rushikeshvartak

Is there any possibility of adding multiple memberOf conditions for an AD endpoint filter? We want to provide access to multiple AD filters for a single endpoint.

For example:

{
    "Sampletest AD Application": [
        {
            "memberOf": [
                "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local" OR "CN=PCL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
            ]
        }
    ]
}
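An added worked example, not code from the thread or from Saviynt, covering two points raised above: SB's advice to test the filter in an LDAP browser before putting it in ENDPOINTS_FILTER, and the question of listing several values under one attribute. The script turns an ENDPOINTS_FILTER-style JSON object into the RFC 4515 filter string you would paste into an LDAP browser, and separately applies the same conditions to constructed sample group entries to show which groups each endpoint would pick up. Everything about semantics is an assumption for the purpose of the example, not Saviynt's documented behaviour: '%' is treated as a wildcard (as in the thread's sample values), several values under one attribute are ORed, several attributes in one condition object are ANDed, and several condition objects are ORed. The sample filters, the group entries and the helper names (ldap_escape, to_ldap_filter, select_groups) are all constructed here.

```python
import re

# Constructed sample in the shape used in this thread. "Okta Groups" lists two
# values under one attribute (the multiple-memberOf case asked about above).
SAMPLE_ENDPOINTS_FILTER = {
    "Sampletest AD Application": [
        {"memberOf": ["CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"]}
    ],
    "XYZ Application": [
        {"info": ["XYZ"]}
    ],
    "Okta Groups": [
        {"memberOf": [
            "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local",
            "CN=PCL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local",
        ]}
    ],
}

# Constructed sample AD group entries (not real directory data).
SAMPLE_GROUPS = [
    {"dn": "CN=App1-Admins,OU=Apps,DC=test,DC=local",
     "memberOf": ["CN=ACL_Okta_App1,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"],
     "info": "XYZ"},
    {"dn": "CN=App2-Users,OU=Apps,DC=test,DC=local",
     "memberOf": ["CN=PCL_Okta_App2,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"],
     "info": "XYZ"},
    {"dn": "CN=Finance (Legacy),OU=Apps,DC=test,DC=local",
     "memberOf": [],
     "info": "ABC"},
]


def ldap_escape(value: str) -> str:
    """Escape a value for an RFC 4515 filter. '%' (assumed wildcard syntax of
    the JSON) becomes LDAP's '*'; every other filter metacharacter is hex
    escaped so a group name containing '(' or ')' cannot break or widen the
    filter."""
    out = []
    for ch in value:
        if ch == "%":
            out.append("*")
        elif ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def to_ldap_filter(endpoints_filter: dict) -> dict:
    """One LDAP filter string per endpoint, using the assumed semantics:
    values under one attribute ORed, attributes in one object ANDed,
    separate objects ORed."""
    filters = {}
    for endpoint, conditions in endpoints_filter.items():
        alternatives = []
        for cond in conditions:
            clauses = []
            for attr, patterns in cond.items():
                terms = [f"({attr}={ldap_escape(p)})" for p in patterns]
                clauses.append(terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")")
            alternatives.append(clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")")
        filters[endpoint] = alternatives[0] if len(alternatives) == 1 else "(|" + "".join(alternatives) + ")"
    return filters


def wildcard_match(pattern: str, value: str) -> bool:
    """'%' matches any run of characters; comparison is case-insensitive, as
    AD compares DNs and most string attributes."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def entry_matches(entry: dict, conditions: list) -> bool:
    """Apply the same semantics as to_ldap_filter() to one group entry."""
    for cond in conditions:
        all_attrs_ok = True
        for attr, patterns in cond.items():
            values = entry.get(attr, [])
            if isinstance(values, str):
                values = [values]
            if not any(wildcard_match(p, v) for p in patterns for v in values):
                all_attrs_ok = False
                break
        if all_attrs_ok:
            return True
    return False


def select_groups(endpoints_filter: dict, groups: list) -> dict:
    """Per endpoint, the DNs of the sample groups its filter would import."""
    return {
        endpoint: [g["dn"] for g in groups if entry_matches(g, conditions)]
        for endpoint, conditions in endpoints_filter.items()
    }


if __name__ == "__main__":
    for endpoint, ldap_filter in to_ldap_filter(SAMPLE_ENDPOINTS_FILTER).items():
        print(f"{endpoint}: {ldap_filter}")
    for endpoint, dns in select_groups(SAMPLE_ENDPOINTS_FILTER, SAMPLE_GROUPS).items():
        print(f"{endpoint}: {dns}")
```

Running it prints the filter string for each endpoint (for "Okta Groups" an OR of the two memberOf terms) followed by the groups each endpoint selects from the constructed sample. The escaping in ldap_escape is the part worth keeping even if the rest is thrown away: a group whose name contains parentheses, like the "Finance (Legacy)" sample, produces a syntactically invalid filter if pasted raw, and the hex-escaped form is what an LDAP browser actually needs to search for it.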

haardik_verma
Regular Contributor

Hi @SB, can you please share an example of using an LDAP query in the JSON in Endpoints_Filter?

In the original article, I still see the example using memberOf:

{
    "Sampletest AD Application": [
        {
            "memberOf": [
                "CN=ACL_Okta_%,OU=Okta,OU=Resources,OU=gh,DC=test,DC=local"
            ]
        }
    ]
}

Version history
Last update: 01/24/2023 04:35 PM
Updated by: Saviynt Employee