Assign new provisioned AD accounts to groups in Active Directory

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on December 1 2021 at 21:39 UTC

Hello,


Is it possible to assign existing Active Directory groups to new AD accounts provisioned through Saviynt? If so, is it possible to assign these AD groups based on what the user's employee type is in Saviynt? 


Thanks,

Aundre

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Originally posted on December 2 2021 at 13:26 UTC

Hi Aundre,


Could you please elaborate on this briefly?


Regards

Nikita 

Community_User
Originally posted on December 2 2021 at 13:29 UTC

Hi Nikita,


Yes, I am trying to assign users to Active Directory groups. Flow should be like below.


User is created in Saviynt -> AD account creation task runs -> in Active Directory they are assigned a security group based on what their employee type is in Saviynt.


Thanks,

Aundre

Community_User
Originally posted on December 6 2021 at 18:14 UTC

Can anyone provide some guidance here?

Community_User
Originally posted on December 7 2021 at 00:50 UTC

Aundre,


From what I can understand, this looks like an issue that can be solved using Technical Rules.




Regards,

Avinash Chhetri

Community_User
Originally posted on December 7 2021 at 13:05 UTC

Hi Avinash,


Technical Rules wouldn't apply here. This is something that would need to be applied at Active Directory account creation time, assigning an Active Directory group to a user. It must be through the connection, but the question is how do you do that? The documentation doesn't provide any guidance.

Community_User
Originally posted on December 7 2021 at 16:31 UTC

Hi Aundre,


You'd said "User is created in Saviynt -> AD account creation task runs", which made me think/point towards a Technical Rule.


Will the AD account be raised as a request instead?




Regards,

Avinash Chhetri

Community_User
Originally posted on December 7 2021 at 16:34 UTC

The issue isn't with creating an AD account; that works fine. I'm looking for guidance on assigning an existing Active Directory group at the time the account is created. Can this be done? If it can, is it possible to assign groups based on the Employee type?

Community_User
Originally posted on December 8 2021 at 18:50 UTC

Hi Aundre,


The reason I'm asking whether it is a request or not is because (creation of) request and tasks are two different processes in Saviynt.

Creating an AD account is possible, both as a request or a task, and I am not sure which one you are using.


Now, getting back to your question.


1) Through a Technical Rule it is possible to assign an entitlement based on a user attribute.

2) Through a Request, this is not possible. You can use access queries filter to restrict what to show/hide as entitlements at the time of request but not auto select any entitlements.


There is a config at the endpoint level, "Entitlements With New Account", that will allow you to assign an entitlement with new accounts automatically; again, that would be for all users and not based on any specific user attributes.





Regards,

Avinash Chhetri

Community_User
Originally posted on December 8 2021 at 19:24 UTC

We are creating AD accounts through tasks. So I see that entitlements can be imported groups. So you are saying it would be possible to use a technical rule to assign one of these entitlements to a user based on a user attribute? In our case we want to use Employee Type: contractors get certain entitlements and regular employees would get another.

Community_User
Originally posted on December 8 2021 at 23:06 UTC

Hi Aundre,


Can you elaborate on the process when you say "We are creating AD accounts through tasks"?




Regards,

Avinash Chhetri

Community_User
Originally posted on December 9 2021 at 13:11 UTC

We import users via Workday. We have a technical rule that detects these imported users and then creates various tasks to create an AD, Exchange, and Zoom account. We then run a job to complete these tasks.


Can you confirm if we can create a technical rule to assign an entitlement to the user?

Community_User
Originally posted on December 9 2021 at 15:13 UTC

Yes Aundre, Technical Rules can be used to assign entitlements.


The "Condition" section can be used to configure the user attribute conditions and the "Action" can be an entitlement addition.

Please check the documentation link for Technical Rules.


https://saviynt.freshdesk.com/a/solutions/articles/43000431680




Regards,

Avinash Chhetri

Community_User
Originally posted on December 10 2021 at 17:14 UTC

Hi Avinash,


The documentation mentions you can select Endpoint or EndpointName::EntitlementType; however, neither of these options is available when I search for them. Any ideas?


Thanks,

Aundre

Community_User
Originally posted on December 10 2021 at 17:28 UTC

Aundre,


The endpoint is the name of the endpoint, like Active Directory.


Here's a sample of "How To" create an account and assign entitlements in a technical rule.






Regards,

Avinash Chhetri

Community_User
Originally posted on December 10 2021 at 19:00 UTC

So the only option I have is Active Directory::Groups and not member of.


If I select groups and search for the entitlement value, it turns up no results.


Community_User
Originally posted on December 10 2021 at 19:11 UTC

Aundre,


You are seeing Groups because the entitlementType you have for AD has a display name of Groups; the actual entitlementType for AD is still memberof.


You can view this from Endpoints > Entitlement Types and clicking on the icon highlighted.



Do you have any entitlements reconciled as part of this endpoint, and are they active? If yes, then these should show up as shown.





Regards,

Avinash Chhetri

Community_User
Originally posted on December 10 2021 at 19:33 UTC

Thanks Avinash, the entitlement had no status. After updating this to Active it is now working. You can close this.

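As an added example (not from the thread and not Saviynt code), the check below models the failure the thread ended on: a group mapped to an employee type cannot be selected in a rule action when its entitlement was never reconciled or has no Active status. The record fields, the sample data and the mapping are constructed assumptions; nothing here calls a Saviynt API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    endpoint: str
    entitlement_type: str  # internal type ("memberof"), not the display name ("Groups")
    value: str             # group DN
    status: str            # "Active", "Inactive", or "" when no status is set

# Constructed sample of reconciled entitlements (hypothetical export, not a Saviynt format).
RECONCILED = [
    Entitlement("Active Directory", "memberof", "CN=Staff-Base,OU=Groups,DC=example,DC=com", "Active"),
    Entitlement("Active Directory", "memberof", "CN=Contractor-Base,OU=Groups,DC=example,DC=com", ""),
]

# Hypothetical birthright mapping: employee type -> groups the rule should add.
MAPPING = {
    "Employee": ["CN=Staff-Base,OU=Groups,DC=example,DC=com"],
    "Contractor": ["cn=contractor-base,ou=groups,dc=example,dc=com"],
    "Intern": ["CN=Intern-Base,OU=Groups,DC=example,DC=com"],
}

def preflight(mapping, entitlements, endpoint="Active Directory", etype="memberof"):
    """Return (employee_type, group, problem) for every mapped group a rule could not select."""
    # DNs compare case-insensitively in AD, so normalise before matching.
    index = {e.value.lower(): e for e in entitlements
             if e.endpoint == endpoint and e.entitlement_type.lower() == etype}
    findings = []
    for emp_type in sorted(mapping):
        for group in mapping[emp_type]:
            ent = index.get(group.lower())
            if ent is None:
                findings.append((emp_type, group, "not reconciled for this endpoint/type"))
            elif ent.status.strip().lower() != "active":
                findings.append((emp_type, group, f"status {ent.status!r} is not Active"))
    return findings

def assignable(employee_type, mapping, entitlements):
    """Groups for one employee type that pass the preflight (safe to put in a rule action)."""
    bad = {g for t, g, _ in preflight(mapping, entitlements) if t == employee_type}
    return [g for g in mapping.get(employee_type, []) if g not in bad]

if __name__ == "__main__":
    for finding in preflight(MAPPING, RECONCILED):
        print(*finding, sep=" | ")
```

Running such a check before enabling a rule also surfaces employee types that would silently receive no group at all, which matters when contractors and regular employees are meant to land in different groups.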