04/12/2022 01:16 PM
Hi All,
We have a requirement of creating AD groups in different OUs from Saviynt. So far, we have been able to create AD groups from Saviynt, but in only 1 OU. Is it possible to make the OU where we want to create the AD group dynamic?
04/12/2022 02:49 PM
Any updates on this topic? I can only see one OU where groups can be created; this is probably coming from groupSearchBaseDN from the AD connector. How can we specify multiple locations to make it possible to manage multiple applications?
04/12/2022 02:49 PM
Any comments on this topic?
04/12/2022 02:49 PM
Hello,
We do have the same requirement in our organization.
What is the plan for this from Saviynt's side?
Cheers
04/12/2022 02:49 PM
Hello Rainer,
If you are using the API, then you can create requests in multiple OUs by passing the OU information in the application parameter.
From the UI, OOB, it still supports just 1 OU that is configured in the Connector.
Regards,
Avinash Chhetri
04/12/2022 02:49 PM
Hello All,
As per the release notes of v5.5 SP3.8, support for multiple OUs in the creation of AD Group from the UI is available.
Release notes available here: https://saviynt.freshdesk.com/a/solutions/articles/43000630420
In the Connector groupImportMapping, you need to add the advanceGroupFilter for the OUs as shown in the sample below.
{
    "importGroupHierarchy": "true",
    ...
    "groupObjectClass": "(objectclass=group)",
    "advanceGroupFilter": {"memberOf": {
        "OU=ABC,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"],
        "OU=XYZ,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"]}},
    "mapping":
    "memberHash:member_char,entitlement_value:distinguishedName_char,
    ....
}
Once you configure that and open the Create AD Group page, the Application Name is populated with the selection as shown below.
Also note that once the advanceGroupFilter is configured in the connectors, the groups from that OU based on the filter will also get imported into Saviynt.
Regards,
Avinash Chhetri
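Because each OU listed under advanceGroupFilter becomes both a creation target and an import scope, it helps to review the list before saving the connector. The script below is an added example, not part of the original post or Saviynt's own code; the sample JSON is constructed in the shape shown above, and the approved base DN and the function names are assumptions.

```python
import json
import re

# Constructed sample in the shape of the post's groupImportMapping (elided keys omitted).
SAMPLE = """{
  "importGroupHierarchy": "true",
  "groupObjectClass": "(objectclass=group)",
  "advanceGroupFilter": {"memberOf": {
    "OU=ABC,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"],
    "OU=Sub,OU=ABC,DC=saviyntlabs,DC=org": ["(&(objectClass=group)"],
    "OU=XYZ,DC=example,DC=org": ["(&(objectClass=group))"]
  }}
}"""

RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def rdns(dn):
    """Split a DN on unescaped commas; return lowercased RDNs, or None if malformed."""
    parts = [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]
    return parts if all(RDN.match(p) for p in parts) else None

def balanced(ldap_filter):
    """True when the filter starts with '(' and every parenthesis is matched."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(")

def review(mapping_json, approved_base):
    """Return (ou, finding) pairs for every OU listed under advanceGroupFilter."""
    ous = json.loads(mapping_json)["advanceGroupFilter"]["memberOf"]
    base = rdns(approved_base)  # approved_base is a reviewer-supplied assumption
    parsed = {ou: rdns(ou) for ou in ous}
    findings = []
    for ou, filters in ous.items():
        parts = parsed[ou]
        if parts is None:
            findings.append((ou, "malformed DN"))
            continue
        if parts[-len(base):] != base:
            findings.append((ou, "outside approved base"))
        if any(p and p != parts and parts[-len(p):] == p for p in parsed.values()):
            findings.append((ou, "nested under another listed OU"))
        findings += [(ou, "unbalanced filter") for f in filters if not balanced(f)]
    return findings

if __name__ == "__main__":
    for ou, finding in review(SAMPLE, "DC=saviyntlabs,DC=org"):
        print(f"{ou}: {finding}")
```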
04/12/2022 02:49 PM
Hi Avinash,
Thanks for the information. We saw this but didn't realize it also affects creation. Unfortunately we are not on that version yet. We will try it out as soon as we get an update.
This should probably be moved to the AD Connector Guide. Documentation of new features just in release notes is always a little hard to find.
Best regards
André
04/12/2022 02:49 PM
Sure Andre, we will have this documented.
Regards,
Avinash Chhetri
04/12/2022 02:49 PM
Hi Avinash,
Is there a possibility to name the different OUs in the selection (so that it's not just "Groups 1", "Groups 2", etc.)?
Best regards
André
04/12/2022 02:49 PM
Hi Andre,
Currently I don't think there is a way OOB; perhaps by customizing the gsp files.
Maybe an enhancement request can be opened to make it more user friendly.
Regards,
Avinash Chhetri
04/12/2022 02:49 PM
Hi Avinash,
Regarding your picture from the UI, the application names Group1 and Group2 in the red rectangle: where are those application names defined? It's not clear to me where that information is defined. Is it in the advanceGroupFilter?
Thanks,
Mikko
04/12/2022 02:49 PM
Yes Mikko, once you configure the advanceGroupFilter, the OU listed under it shows up as Group 1, Group 2,...Group n, under the application in the Create AD Group Page.
Regards,
Avinash Chhetri
04/12/2022 02:49 PM
Thanks for the answer, maybe I should have understood that André actually had the same question. With the current configuration options, this is not really usable for any end users if the OUs cannot be labeled. Can you raise an enhancement request for this, or should we raise it in the "Feature Requests"?
04/12/2022 02:49 PM
Hi Mikko,
Please raise an enhancement request for this feature to be made more user friendly.
Regards,
Avinash Chhetri