
Create AD groups in different OUs through Saviynt

Community_User
Saviynt Employee
Originally posted on November 9 2020 at 08:43 UTC

Hi All,


We have a requirement of creating AD groups in different OUs from Saviynt. So far, we have been able to create AD groups from Saviynt, but in only 1 OU. Is it possible to make the OU where we want to create the AD group dynamic?

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.
13 REPLIES

Community_User
Saviynt Employee
Originally posted on December 9 2020 at 13:38 UTC

Any updates on this topic? I can only see one OU where groups can be created; this is probably coming from groupSearchBaseDN from the AD connector. How can we specify multiple locations to make it possible to manage multiple applications?


Community_User
Saviynt Employee
Originally posted on December 16 2020 at 17:07 UTC

Any comments on this topic?


Community_User
Saviynt Employee
Originally posted on September 28 2021 at 14:38 UTC

Hello,


We do have the same requirement in our organization.

What is the plan for this from Saviynt's side?


Cheers


Community_User
Saviynt Employee
Originally posted on November 12 2021 at 23:12 UTC

Hello Rainer,


If you are using the API, then you can create requests in multiple OUs by passing the OU information in the application parameter.

From the UI, OOB, it still supports just 1 OU that is configured in the Connector.




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on November 18 2021 at 22:46 UTC

Hello All,


As per the release notes of v5.5 SP3.8, support for multiple OUs in the creation of AD Groups from the UI is available.

Release notes are available here: https://saviynt.freshdesk.com/a/solutions/articles/43000630420

In the Connector groupImportMapping, you need to add the advanceGroupFilter for the OUs as shown in the sample below.


    {
      "importGroupHierarchy": "true",
      ...
      "groupObjectClass": "(objectclass=group)",
      "advanceGroupFilter": {"memberOf": {
        "OU=ABC,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"],
        "OU=XYZ,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"]}},
      "mapping":
      "memberHash:member_char,entitlement_value:distinguishedName_char,
      ....
    }



Once you configure that and open the Create AD Group Page, the Application Name is populated with the selection as shown below.

Also note that once the advanceGroupFilter is configured in the connectors, the groups from that OU based on the filter will also get imported into Saviynt.






Regards,

Avinash Chhetri
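
Added example, not part of the original post and not Saviynt code: a pre-change check for the advanceGroupFilter block above that validates the OU keys and filters, then previews which existing group DNs fall under a configured OU and would therefore also be imported. The subtree (DN suffix) match, the function names and the sample group DNs in the test are assumptions; the LDAP filter itself is not evaluated.

```python
import json

# advanceGroupFilter fragment copied from the sample in the post above.
SAMPLE = '''{"advanceGroupFilter": {"memberOf": {
  "OU=ABC,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"],
  "OU=XYZ,DC=saviyntlabs,DC=org": ["(&(objectClass=group))"]}}}'''

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        esc = ch == "\\" and not esc
    rdns.append(cur)
    return [r.strip().lower() for r in rdns]

def balanced(flt):
    """True if the parentheses of an LDAP filter string are balanced."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_filter(config_text):
    """Return (configured OUs in listed order, list of problems found)."""
    ous = json.loads(config_text)["advanceGroupFilter"]["memberOf"]
    problems = []
    for dn, filters in ous.items():
        if not split_dn(dn)[0].startswith("ou="):
            problems.append(f"{dn}: does not start with an OU component")
        problems += [f"{dn}: unbalanced filter {f}" for f in filters if not balanced(f)]
    return list(ous), problems

def ou_for_group(group_dn, ous):
    """Most specific configured OU containing group_dn, or None (assumed subtree scope)."""
    g = split_dn(group_dn)
    hits = []
    for ou in ous:
        base = split_dn(ou)
        if len(base) < len(g) and g[-len(base):] == base:
            hits.append((len(base), ou))
    return max(hits)[1] if hits else None
```

Run `ou_for_group` over an export of current group DNs before saving the connector, so the set of groups that will start appearing in Saviynt is known in advance.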




Community_User
Saviynt Employee
Originally posted on November 19 2021 at 08:04 UTC

Hi Avinash,


Thanks for the information. We saw this but didn't realize it also affects creation. Unfortunately we are not on that version yet. We will try it out as soon as we get an update.

This should probably be moved to the AD Connector Guide. Documentation of new features just in release notes is always a little hard to find.


Best regards

André


Community_User
Saviynt Employee
Originally posted on November 19 2021 at 20:31 UTC

Sure Andre, we will have this documented.




Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on November 22 2021 at 15:32 UTC

Hi Avinash,


Is there a possibility to name the different OUs in the selection (so that it's not just "Groups 1", "Groups 2", etc.)?


Best regards

André


Community_User
Saviynt Employee
Originally posted on November 22 2021 at 16:56 UTC

Hi Andre,


Currently I don't think there is a way OOB, perhaps customizing the gsp files.


Maybe an enhancement request can be opened to make it more user friendly.




Regards,

Avinash Chhetri 


Community_User
Saviynt Employee
Originally posted on November 23 2021 at 06:33 UTC

Hi Avinash,


Regarding your picture from the UI, the application names Group1 and Group2, the red rectangle. Where are those application names defined? It's not clear to me where that information is defined, is it in the advanceGroupFilter?


Thanks,

Mikko


Community_User
Saviynt Employee
Originally posted on November 23 2021 at 15:59 UTC

Yes Mikko, once you configure the advanceGroupFilter, the OUs listed under it show up as Group 1, Group 2, ... Group n, under the application in the Create AD Group Page.



Regards,

Avinash Chhetri


Community_User
Saviynt Employee
Originally posted on November 24 2021 at 07:09 UTC

Thanks for the answer, maybe I should have understood that André actually had the same question. With the current configuration options, this is not really usable for any end users if the OUs cannot be labeled. Can you raise an enhancement request for this, or should we raise it in the "Feature Requests"?


Community_User
Saviynt Employee
Originally posted on November 24 2021 at 17:37 UTC

Hi Mikko,


Please raise an enhancement request for this feature to be made more user friendly.



Regards,

Avinash Chhetri
