Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Can we rename existing AD Group from Saviynt?

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on September 15 2020 at 17:17 UTC

Hello Team,


Using Saviynt’s AD Group Management module, can we rename existing AD Group? Is it possible to modify existing AD Group’s OU?

Also, in case AD Group’s DN(distinguishedName) is modified outside Saviynt due to change in CN or shifted to other OU and if we reconcile such AD Group back to Saviynt then in that case can we modify existing AD Group in Saviynt to reflect changes? We observed that as part of reconciliation it treated as new group and created completely new AD Group in Saviynt. Can Saviynt treat it as modification scenario based on objectGUID?

Also, what is significance of “Environment” attribute while creating Role->AD Group?


Regards,

Ksheetij

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
4 REPLIES 4

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on September 16 2020 at 05:02 UTC

Hi Ksheetij,


Greetings!!


Please find my answers inline:

Using Saviynt’s AD Group Management module, can we rename existing AD Group? Is it possible to modify existing AD Group’s OU?


Anand : Rename and movement feature of group is not available for AD groups as of now. But it is a part of our roadmap plan.

Also, in case AD Group’s DN(distinguishedName) is modified outside Saviynt due to change in CN or shifted to other OU and if we reconcile such AD Group back to Saviynt then in that case can we modify existing AD Group in Saviynt to reflect changes?


Anand : We are treating group object uniqueness based on ObjectGUID. So, if any changes has been made on that object directly at AD (could be rename/move to a certain OU type of operation). You should be able to bring that change for that existing object in SSM. In V5.5SP1 onwards, you could witness this feature.


We observed that as part of reconciliation it treated as new group and created completely new AD Group in Saviynt. Can Saviynt treat it as modification scenario based on objectGUID?


Anand : Please confirm the version. In case, you witness this in the latest version i.e. V5.5SP2+. Please feel free to raise a bug for this.


Also, what is significance of “Environment” attribute while creating Role->AD Group?


Anand : Environment is a non-mandatory attribute during AD Group creation. It is an extra set of data which most of the customers manage to determine type of environment (prod, Non-Prod, QA, Dev and could have customized values as well as per your requirement) for which they are creating this group. These values stays in SSM and not propagated to AD. You could store any other required value for your usage (can customize the GSP and add your values here) and use them as a filter during Analytics or any reporting.


Thanks & Regards,

Anand Kumar Jha


This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on September 16 2020 at 06:13 UTC

Thanks Anand for your inputs.


Version: Saviynt v5.5SP2


After doing reconciliation, it marked existing AD Group entitlement "CN=Test Group06,OU=groups,DC=testoim,DC=com" as Inactive and created new entitlement "CN=Test Group06modified,OU=groups,DC=testoim,DC=com" object having status as Active.

image


Same with role objects, new role object created -

image



Regards,

Ksheetij

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on September 16 2020 at 09:52 UTC

Hi Ksheetij,


Could you please confirm if the RECONCILIATION_FIELD is ObjectGUID for you in groupImportMapping?

if yes, This should not be the case.

Please get in touch with your Saviynt counterpart and raise a bug for this issue.


Thanks & Regards,

Anand Kumar Jha

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Saviynt Employee
Originally posted on September 16 2020 at 18:53 UTC

Thanks Anand. After configuring RECONCILATION_FIELD with ObjectGUID it worked.


Regards,
Ksheetij

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.