
Did you know? You have the ability to Create and Manage AD groups

Community_User
Saviynt Employee
Originally posted on April 10 2020 at 15:17 UTC


1. What is AD Group Management?


Saviynt provides the ability to onboard new AD groups and administer already existing AD groups in the customer’s enterprise, thereby making Saviynt the single source of truth for creating and managing AD groups.


2. What are the operations supported in AD group management?


Saviynt provides the capability to add, edit and delete AD groups, metadata of groups, owner of groups, child of groups, parent of groups and accounts to groups.


3. What are the types of AD groups that can be created/managed by Saviynt?


Saviynt supports creation and management for the below 6 flavors of AD groups based on type and scope:

Security Global

Security Universal

Security Domain Local

Distribution Global

Distribution Universal

Distribution Domain Local


4. What is nesting in AD groups?


Adding a group as a member of another group is called nesting.


5. Do we support creation and management of nested Active Directory Groups?


Yes, we support creation and management of nested AD groups up to 2 levels of nesting.


6. How many parent or child AD groups can we add?


We can add as many parent and child groups to a group


7. How do we create an AD group in Saviynt?


Once the prerequisites for creating a group are met as per the document shared below, we create a role of type “Entitlement” for each AD group we create via Saviynt from ARS > Create Role > Create AD Groups tile.

Upon approval of the role creation request, the new group is provisioned to AD and an entitlement with the same name is created in the AD application.



9. How do we edit an AD group in Saviynt?


Go to ARS > Manage Role > Manage AD Groups, search for and select an AD group, modify it and submit the changes for approval. Upon approval, the group changes will be provisioned to AD and the changes will be synced to the entitlement with the same name as the Role in the AD application within Saviynt.




10. How do we delete an AD group in Saviynt?


Go to ARS > Manage Role > Manage AD Groups, search for and select an AD group, change the status from Active to Inactive and submit the changes for approval. Upon approval, the group will be deleted in AD and the entitlement matching the group name in Saviynt will be marked as Inactive.


11. What’s new in 6.0?


Changes to an AD group made directly in AD that are reconciled via access imports into entitlements will start to sync back to the “Entitlement” type role of the same name as the entitlement.


12. What’s new in future?


We will be rolling out multiple levels of nesting in upcoming versions of Saviynt.


AD Group management documentation link - https://saviynt.freshdesk.com/support/solutions/articles/43000547503-active-directory-ad-connector-g...

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on April 10 2020 at 18:59 UTC

Hi Aarthi,


This is extremely insightful.


A couple of follow-up questions:


1. Can we also include how create/updates can be done via API as well?
2. Secondly, how about the group owner updates? Does the end user have to pass the DN of the owners?




Community_User
Saviynt Employee
Originally posted on April 14 2020 at 13:45 UTC

Hello, What is the process to allow management of AD groups created outside SSM? We cannot see those groups listed on Manage AD groups page.

Community_User
Saviynt Employee
Originally posted on April 15 2020 at 15:11 UTC

Hi Pallavi,


Greetings


Can you confirm if the AD groups created outside of SSM are reconciled back to SSM from the source?


Community_User
Saviynt Employee
Originally posted on April 15 2020 at 15:14 UTC

Hello,


Those are reconciled as entitlements, but what needs to be done to be able to list those for AD Group Management?


Community_User
Saviynt Employee
Originally posted on April 16 2020 at 00:14 UTC

Can you check if you have the GroupManagement parameter set to TRUE in the AD connector?

Also please check other pre-requisites for configuring AD group management here - https://saviynt.freshdesk.com/support/solutions/articles/43000547503-active-directory-ad-connector-g...


Community_User
Saviynt Employee
Originally posted on April 16 2020 at 00:32 UTC

Minesh - Below are answers to your questions


1. Can we also include how create/updates can be done via API as well?


Please refer to the documentation below to create and update AD groups from the API


https://documenter.getpostman.com/view/1797923/RWaLwo21?version=latest#ed8878a4-7d6c-45f7-9751-4ab92...


2. Secondly, how about the group owner updates? Does the end user have to pass the DN of the owners?


We have to add the DN of the user in any role owner user attribute and map it to the AD managedBy property in the provisioning JSON. Our team is looking at options to get it from the role attribute itself in upcoming releases.



Community_User
Saviynt Employee
Originally posted on April 16 2020 at 09:13 UTC

Yes, AD group management is enabled. I can create AD groups and update groups which are created using SSM, but the ones which are created outside SSM are not listed on the Manage AD Groups page. Looks like some config needs to be done for that.

Community_User
Saviynt Employee
Originally posted on April 16 2020 at 09:22 UTC

Another requirement we have is to be able to add a few more attributes on the Create AD Groups form to be able to capture the requester's input. Is it feasible? I could not find any relevant document for AD groups management on this. For example, we can add dynamic attributes for endpoints which show up during the request process so that the requester can provide the information. Is a similar feature possible to implement for AD Groups?


Community_User
Saviynt Employee
Originally posted on April 20 2020 at 22:01 UTC

Pallavi,


You will be able to manage the groups (created outside SSM or imported in SSM by other means and related to AD) via Manage Roles in the upcoming version 6.0.


For your other requirement to have dynamic attributes in AD group management screens, this is not available out of the box yet. It can be done via customizations. Please add it to the New Feature Request section - https://saviynt.freshdesk.com/a/forums/folders/43000495042
