
AD Group Management: groupType value and null handling

Community_User
Saviynt Employee
Originally posted on June 21 2020 at 14:08 UTC

Hello All,


We are provisioning groupType values based on the combination of the Group Scope and Group Category. However, these two fields are not mandatory on the create AD groups form. In case the user does not select the Group Category and Group Scope, AD group provisioning fails with an AttributeValueConversion exception because SSM tries to provision the groupType value as shown below. We tried using the flag where we can ignore the null or blank value during provisioning, but it does not work. Even if this flag works, we may not be able to use it considering the cases where blank values need to be provisioned to AD.


"groupType": "null",


JSON for groupType:


"groupType": "${if(role?.customproperty21 != null && role?.customproperty22 != null){role?.customproperty21 == 'Security' && role?.customproperty22 == 'Global'?'-2147483646' : role?.customproperty21=='Security'&&role?.customproperty22=='Universal'?'-2147483640' : role?.customproperty21== 'Security'&&role?.customproperty22=='Domain Local' ? '-2147483644':role?.customproperty21=='Distribution'&&role?.customproperty22=='Global' ? '2':role?.customproperty21== 'Distribution'&&role?.customproperty22=='Universal'?'8':role?.customproperty21=='Distribution'&& role?.customproperty22=='Domain Local'?'4':''}}",


Any help to resolve this issue?


Thanks,

Pallavi

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on June 22 2020 at 04:48 UTC

Hi Pallavi,


Greetings!!


groupType is a mandatory attribute for a group object at the AD end.

In case you want to force the user to select Group Scope and Group Category, please make the necessary changes at the GSP end.

Otherwise, you could also enforce default group creation with groupType as Security-Global (-2147483646, which is also the standard at the Active Directory end; this can be seen in the ADUC (Active Directory Users and Computers) console during group creation). In order to achieve this, you could evaluate the last else condition to -2147483646, which is null at present.


"groupType": "${if(role?.customproperty21 != null && role?.customproperty22 != null){role?.customproperty21 == 'Security' && role?.customproperty22 == 'Global'?'-2147483646' : role?.customproperty21=='Security'&&role?.customproperty22=='Universal'?'-2147483640' : role?.customproperty21== 'Security'&&role?.customproperty22=='Domain Local' ? '-2147483644':role?.customproperty21=='Distribution'&&role?.customproperty22=='Global' ? '2':role?.customproperty21== 'Distribution'&&role?.customproperty22=='Universal'?'8':role?.customproperty21=='Distribution'&& role?.customproperty22=='Domain Local'?'4':'-2147483646'}else{'-2147483646'}}"


Thanks & Regards,

Anand Kumar Jha
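
The six values in the expressions above are one AD scope bit (Global 0x2, Domain Local 0x4, Universal 0x8), optionally combined with the security-enabled bit 0x80000000, written as a signed 32-bit integer. As an added example, not code from this thread or from Saviynt, the following Python helper rebuilds those values, either rejects or defaults a missing selection (the two options described in the reply), and decodes a stored value for review; the function names are assumptions of the example.

```python
# Added example (not from the thread): the bit flags behind the groupType
# numbers above. Function names are chosen for this example.
SCOPE_FLAGS = {"Global": 0x2, "Domain Local": 0x4, "Universal": 0x8}
SECURITY_ENABLED = 0x80000000  # set for Security groups, clear for Distribution


def group_type(category, scope, default=None):
    """Return groupType as the signed 32-bit decimal string AD expects.

    Missing inputs use `default` (a (category, scope) tuple) when given and
    raise otherwise, so the literal string "null" is never produced.
    """
    if not category or not scope:
        if default is None:
            raise ValueError("Group Category and Group Scope are required")
        category, scope = default
    if category not in ("Security", "Distribution") or scope not in SCOPE_FLAGS:
        raise ValueError(f"unsupported combination: {category!r}/{scope!r}")
    value = SCOPE_FLAGS[scope]
    if category == "Security":
        value |= SECURITY_ENABLED
    # AD stores groupType as a signed 32-bit integer, hence the negative values.
    return str(value - (1 << 32) if value & SECURITY_ENABLED else value)


def decode_group_type(raw):
    """Map a groupType string back to (category, scope); reject junk such as "null"."""
    try:
        value = int(raw) & 0xFFFFFFFF
    except (TypeError, ValueError):
        raise ValueError(f"not a groupType value: {raw!r}") from None
    scopes = [name for name, bit in SCOPE_FLAGS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"expected exactly one scope bit in {raw!r}")
    category = "Security" if value & SECURITY_ENABLED else "Distribution"
    return category, scopes[0]


if __name__ == "__main__":
    for cat in ("Security", "Distribution"):
        for scp in SCOPE_FLAGS:
            print(f"{cat:12} {scp:12} -> {group_type(cat, scp)}")
    # Constructed input: nothing selected on the form, Security-Global default.
    print(group_type(None, None, default=("Security", "Global")))
```
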


Community_User
Saviynt Employee
Originally posted on June 22 2020 at 07:33 UTC

Thanks, Anand, for your reply. I am doing it in the same way and have added a default value in case the user did not select the input. I wanted to check how other product users are handling this case, hence I raised the query on the forum. Thanks, I got my answer.



Thanks,

Pallavi
