Saviynt Forums

Alex · ‎03/09/2023

Hi,
we have investigated the following issue. The account naming attributes (cn, dn, name) for service accounts are not updated on update.
The assumption was, that this is handled via the ACCOUNTNAMERULE, but seems like it is not the case for service accounts.
We were able to fix a substring of the dn to be update, which was realized with "moveUsertoOU", but this is not possible for cn, name, and the remaining part of the dn.

How is the rename of AD accounts handled via the AD Connector?

SB · ‎03/09/2023

You should be able to use ACCOUNTNAMERULE to modify when OU is moved. The parameter evaluates while creating an account and update of any attribute driving name rule and OU movements for an account.

You can specify the rules to generate the DN for the account for provisioning separated by ###.

You can refer the below guide for the same (section - Specifying the Account Name Rule)

https://docs.saviyntcloud.com/bundle/AD-v2020x/page/Content/Configuring-the-Integration-for-Provisio...

Regards,
Sahil

Alex · ‎03/09/2023

Hi Sahil,
that was also our assumption, but in fact, this is not the case for service accounts. Find below the current account name rule:
${'CN=FS_'+ locationcode +' '+ givenName +' (' + task.accountName + '),' + accountpath}

To add a little info on that, all the mentioned dynamic attributes in the account name rule can be updated on modify, besides (of course) the accountName.

Nevertheless the outcome in AD looks the following:

sk · ‎03/09/2023

Can you please share the updaetaccountJSON?

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Alex · ‎04/20/2023

Hi @sk @SB ,
any additional information since? It looks like we are facing the same for the personal accounts. So currently the rename of the mentioned attributes is not working via the ACCOUNTNAMERULE.

Example use case:
Marriage - If an employee does change his name, the lastname should get updated in all target applications, which is the case in AD for displayname and surname. But additionally the lastname is also visible in the attribute name, dn and cn. Those attributes are not getting updated an reflect the old name.

Is there another way to rename the account besides the ACCOUNTNAMERULE or do we need to raise a bug ticket?

Version: 23.4

Alex · ‎03/10/2023

updateaccountJSON for one of the endpoints. We facing the same issues on others:

{
"moveUsertoOU": "${accountpath}",
"employeeID": "${task?.accountName}",
"givenName": "${givenName}",
"sn": "${'FS_' + locationcode}",
"displayName": "${'FS_' + locationcode+ ', ' + givenName+ ' (' +task?.accountName+ ')'}",
"company": "Company",
"department": "${department}",
"co": "${country}",
"l": "${city}",
"postalCode": "${postalCode}",
"streetAddress": "${street}",
"description": "Shared Account",
"global-ExtensionAttribute2": "${costCenter}",
"global-ExtensionAttribute12": "${locationnumber.substring(0,4)}",
"accountExpires": "0"
}

Setting the attributes name, cn is not possible and gives an ldap error. Already tried that out

Thanks!

Alex · ‎06/06/2023

Found a solution after a discussion via freshdesk tickets.

Seems like it is now possible to up the cn directly via the updateaccountjson.
So just include the cn in it and all the naming attribute will be renamed (name, dn, cn).

Cheers

Saviynt Forums

ActiveDirectoryConnector: Rename of naming account attributes (cn, dn, name) for Service Accounts