04/12/2022 01:01 PM
Hello Team,
Using Saviynt’s AD Group Management module, can we rename an existing AD Group? Is it possible to modify an existing AD Group’s OU?
Also, in case an AD Group’s DN (distinguishedName) is modified outside Saviynt due to a change in CN or a shift to another OU, and we reconcile such an AD Group back to Saviynt, can we modify the existing AD Group in Saviynt to reflect the changes? We observed that as part of reconciliation it was treated as a new group and a completely new AD Group was created in Saviynt. Can Saviynt treat it as a modification scenario based on objectGUID?
Also, what is the significance of the “Environment” attribute while creating Role->AD Group?
Regards,
Ksheetij
04/12/2022 02:10 PM
Hi Ksheetij,
Greetings!!
Please find my answers inline:
Using Saviynt’s AD Group Management module, can we rename an existing AD Group? Is it possible to modify an existing AD Group’s OU?
Anand: The rename and move feature for groups is not available for AD groups as of now, but it is part of our roadmap plan.
Also, in case an AD Group’s DN (distinguishedName) is modified outside Saviynt due to a change in CN or a shift to another OU, and we reconcile such an AD Group back to Saviynt, can we modify the existing AD Group in Saviynt to reflect the changes?
Anand: We are treating group object uniqueness based on ObjectGUID. So, if any changes have been made to that object directly in AD (it could be a rename or a move to a certain OU type of operation), you should be able to bring that change in for that existing object in SSM. From V5.5SP1 onwards, you could witness this feature.
We observed that as part of reconciliation it was treated as a new group and a completely new AD Group was created in Saviynt. Can Saviynt treat it as a modification scenario based on objectGUID?
Anand: Please confirm the version. In case you witness this in the latest version, i.e. V5.5SP2+, please feel free to raise a bug for this.
Also, what is the significance of the “Environment” attribute while creating Role->AD Group?
Anand: Environment is a non-mandatory attribute during AD Group creation. It is an extra set of data which most customers manage to determine the type of environment (prod, Non-Prod, QA, Dev, and it could have customized values as well, as per your requirement) for which they are creating this group. These values stay in SSM and are not propagated to AD. You could store any other required value for your usage (you can customize the GSP and add your values here) and use them as a filter during Analytics or any reporting.
Thanks & Regards,
Anand Kumar Jha
04/12/2022 02:10 PM
Thanks Anand for your inputs.
Version: Saviynt v5.5SP2
After doing reconciliation, it marked existing AD Group entitlement "CN=Test Group06,OU=groups,DC=testoim,DC=com" as Inactive and created new entitlement "CN=Test Group06modified,OU=groups,DC=testoim,DC=com" object having status as Active.
Same with role objects, new role object created -
Regards,
Ksheetij
04/12/2022 02:10 PM
Hi Ksheetij,
Could you please confirm if the RECONCILIATION_FIELD is ObjectGUID for you in groupImportMapping?
If yes, this should not be the case.
Please get in touch with your Saviynt counterpart and raise a bug for this issue.
Thanks & Regards,
Anand Kumar Jha
04/12/2022 02:10 PM
Thanks Anand. After configuring RECONCILIATION_FIELD with ObjectGUID it worked.
Regards,
Ksheetij
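The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Saviynt code: a minimal reconciliation loop run once with the DN as the match key and once with objectGUID, using the two DNs quoted above. The record layout, function names and GUID value are constructed for illustration.

```python
# Added illustration; not Saviynt code. Record layout and GUID are constructed.
from dataclasses import dataclass

@dataclass
class Entitlement:
    guid: str
    dn: str
    status: str = "Active"

def reconcile(store, ad_groups, key):
    """Reconcile AD groups into `store`, matching on `key` ("dn" or "guid").
    Returns the list of actions taken."""
    actions = []
    index = {getattr(e, key): e for e in store if e.status == "Active"}
    seen = set()
    for g in ad_groups:
        seen.add(g[key])
        ent = index.get(g[key])
        if ent is None:
            # No match on the key: the import sees a brand-new group.
            store.append(Entitlement(g["guid"], g["dn"]))
            actions.append(("create", g["dn"]))
        elif ent.dn != g["dn"]:
            # Same object, new DN: a rename or OU move, updated in place.
            actions.append(("update", ent.dn, g["dn"]))
            ent.dn = g["dn"]
    for k, ent in index.items():
        if k not in seen:
            # Key no longer present in AD: the stored object is retired.
            ent.status = "Inactive"
            actions.append(("inactivate", ent.dn))
    return actions

GUID = "11111111-2222-3333-4444-555555555555"  # constructed sample value
OLD_DN = "CN=Test Group06,OU=groups,DC=testoim,DC=com"
NEW_DN = "CN=Test Group06modified,OU=groups,DC=testoim,DC=com"

def demo(key):
    """Start with the old DN stored, then import the renamed group."""
    store = [Entitlement(GUID, OLD_DN)]
    actions = reconcile(store, [{"guid": GUID, "dn": NEW_DN}], key)
    return actions, store

if __name__ == "__main__":
    for key in ("dn", "guid"):
        actions, store = demo(key)
        print(key, actions, [(e.dn, e.status) for e in store])
```

With `dn` as the key the run reproduces the Inactive-plus-new-Active pair reported above; with `guid` the existing entitlement is updated in place.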