
How to get AD Security group members count?

Community_User
Saviynt Employee
Originally posted on April 15 2020 at 12:26 UTC

Hi,


We have a requirement for O365 dynamic group license assignment, for which we are adding the users to an on-premise AD group which would then be synced to Azure AD for dynamic license assignment. This process would be part of birthright access. We would have 2 different groups, one for E3 license and another for E1.


Below are the use cases where we need help:

  1. Case 1: Before we add the user to the E3 group we need to know the members count, as we have limited licenses and we need to assign based on priority. If E3 has reached its upper limit, E1 needs to be assigned.
  2. Case 2: Once E3 is available on account of user deprovisioning, an E1 license person needs to get that E3. This assignment would be based on joindate.

Bottom line: To perform the above activities we need to know how we can get the AD group members count in Saviynt.
Secondly, is there any better way to manage use cases 1 & 2 above? Appreciate your inputs.
Regards, Chandan

This message was previously posted on Saviynt's legacy forum by a community user and has been moved over to this forum for continued exposure.

Community_User
Saviynt Employee
Originally posted on April 15 2020 at 12:34 UTC

Fully automated is difficult. You could add a control that is checked periodically. This is the typical solution unless it can be automated in the endpoint itself. Some endpoints self-count how many are logged with said license.

Community_User
Saviynt Employee
Originally posted on April 15 2020 at 12:43 UTC

Hi Chandan,


Greetings!!

We do not have any out of box/configurable feature to count members of an active directory group (security/distribution) and validate logic on them accordingly during Add Access/Remove Access.


Probable workarounds: (Optional thoughts: please ignore this if you have a better option here.)

1) You could have a PowerShell script to count the members at AD for each group and have it stored in some attribute of a group.

2) You could import that count in SSM and logically validate your conditions, to show/hide the groups to be requested from ARS.


Thanks & Regards,

Anand Kumar Jha
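
One way to implement workaround 1 above in PowerShell, added here as an example and not code from the thread or from Saviynt. The group names, seat limits and the use of `adminDescription` as the count attribute are assumptions; substitute whatever attribute your group import maps.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Group names, limits and the target attribute are placeholders.

# Constructed sample: license groups and their seat ceilings.
$LicenseGroups = @{
    'O365-E3-Licensed' = 10
    'O365-E1-Licensed' = 500
}
$CountAttribute = 'adminDescription'   # assumed attribute read by the IGA import

function Get-DirectUserCount {
    param([Parameter(Mandatory)][string]$GroupDN)
    # Escape LDAP filter metacharacters that can legally appear in a DN.
    $dn = $GroupDN -replace '\\', '\5c' -replace '\*', '\2a' `
                   -replace '\(', '\28' -replace '\)', '\29'
    # Count user objects that are direct members; nested groups and
    # non-user members do not consume a license seat and are ignored.
    @(Get-ADUser -LDAPFilter "(memberOf=$dn)" -ResultPageSize 1000).Count
}

foreach ($name in $LicenseGroups.Keys) {
    $group = Get-ADGroup -Identity $name -Properties $CountAttribute
    $count = Get-DirectUserCount -GroupDN $group.DistinguishedName
    $limit = $LicenseGroups[$name]

    # Write only on change to avoid needless replication and audit noise.
    if ("$($group.$CountAttribute)" -ne "$count") {
        Set-ADGroup -Identity $group -Replace @{ $CountAttribute = "$count" }
    }

    # Emit a record per group so the run can be logged or alerted on.
    [pscustomobject]@{
        Group     = $name
        Members   = $count
        Limit     = $limit
        SeatsLeft = $limit - $count
        Full      = ($count -ge $limit)
    }
}
```

Run it under a service account delegated write access to that one attribute on the license groups only. The stored value is a snapshot, so the limit can still be exceeded between script runs and imports.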

Community_User
Saviynt Employee
Originally posted on April 15 2020 at 13:20 UTC

Thanks David and Anand.


Let me try out your suggestions. Will come back with updates.


Rg,

Chandan

Community_User
Saviynt Employee
Originally posted on April 16 2020 at 09:16 UTC

Hi Anand,


Let's assume that we have got the count and we have stored it in one attribute and have imported it into SSM.

Now how do we apply a condition to check the count in SSM? Any steps?

Community_User
Saviynt Employee
Originally posted on April 16 2020 at 09:18 UTC

We have 2 use cases where this needs to be addressed.


  1. During birth right provisioning
  2. During ARS

Any further help appreciated.

Community_User
Saviynt Employee
Originally posted on April 22 2020 at 04:58 UTC

Hey Chandra,


I have added your queries regarding ModifyuserdataJSON in the thread below:

https://saviynt.freshdesk.com/a/forums/topics/43000524015


Please follow the same for further updates.

Community_User
Saviynt Employee
Originally posted on April 22 2020 at 05:27 UTC

Hi Chandra,


Regarding your last question, i.e.:

Let's assume that we have got the count and we have stored it in one attribute and have imported it into SSM.

Now how do we apply a condition to check the count in SSM? Any steps?


This could be handled from ARS based on a configuration at EntitlementType level. That is,

Config for Requestable Entitlement in ARS


If you store count of members in your entitlement_values table then you could restrict the request via ARS once count is greater than a defined threshold value.


Coming to controlling this via BirthRight Roles, that is not possible at present.


Thanks & Regards,

Anand Kumar Jha

Community_User
Saviynt Employee
Originally posted on April 27 2020 at 13:09 UTC

Thanks Anand.


Where can I find Config for Requestable Entitlement in ARS?


Also, any reference on how to use it?

Community_User
Saviynt Employee
Originally posted on April 27 2020 at 13:19 UTC

Hey Chandan,


You could find this Config at entitlementType Page.

Select your Endpoint > Go to Entitlement Type Tab > On EntitlementType Page (Select View detail symbol in front of your entitlement type) > Config for Requestable Entitlement in ARS


You could also refer to the entitlement type section details in the Admin module Guide.


Thanks & Regards,

Anand Kumar Jha

Community_User
Saviynt Employee
Originally posted on April 27 2020 at 13:23 UTC

Thank you Anand. Appreciate your help.


Will refer to the same and let you know in case any additional help is required.

Community_User
Saviynt Employee
Originally posted on May 4 2020 at 07:45 UTC

Hi Anand,


Using the above Config for Requestable Entitlement in ARS, I was not able to come up with a logic.


The requirement is: in AD we have more than 1 Security Group, and among these there are a few which should be displayed under ARS if and only if their member count is less than a certain number. For the rest of the groups there is no such logic and they should be displayed as is.


For example, Group_1 should be displayed under ARS only if its member count is less than 10. The moment the count touches 10, it should not be available for any ARS request.


Please let me know any way to achieve this in Saviynt.
