
ActiveDirectoryConnector: Rename of naming account attributes (cn, dn, name) for Service Accounts

Alex
Regular Contributor

Hi,
We have investigated the following issue. The account naming attributes (cn, dn, name) for service accounts are not updated on update.
The assumption was that this is handled via the ACCOUNTNAMERULE, but it seems this is not the case for service accounts.
We were able to get a substring of the dn updated, which was realized with "moveUsertoOU", but this is not possible for cn, name, and the remaining part of the dn.

How is the rename of AD accounts handled via the AD Connector?


SB
Saviynt Employee

You should be able to use ACCOUNTNAMERULE to modify when OU is moved. The parameter evaluates while creating an account and update of any attribute driving name rule and OU movements for an account.

You can specify the rules to generate the DN for the account for provisioning separated by ###. 

You can refer to the guide below for this (section: Specifying the Account Name Rule)

https://docs.saviyntcloud.com/bundle/AD-v2020x/page/Content/Configuring-the-Integration-for-Provisio...

 


Regards,
Sahil

Alex
Regular Contributor

Hi Sahil,
that was also our assumption, but in fact, this is not the case for service accounts. Find below the current account name rule: 
${'CN=FS_'+ locationcode +' '+ givenName +' (' + task.accountName + '),' + accountpath}

To add a little info on that, all the mentioned dynamic attributes in the account name rule can be updated on modify, besides (of course) the accountName.

Nevertheless, the outcome in AD looks as follows:

[Screenshot: Alex_0-1678387659840.png]

 



Can you please share the updateaccountJSON?


Regards,
Saathvik

Alex
Regular Contributor

Hi @Saathvik @SB ,
any additional information since? It looks like we are facing the same for the personal accounts. So currently the rename of the mentioned attributes is not working via the ACCOUNTNAMERULE.

Example use case:
Marriage - If an employee does change his name, the lastname should get updated in all target applications, which is the case in AD for displayname and surname. But additionally the lastname is also visible in the attributes name, dn and cn. Those attributes are not getting updated and reflect the old name.

Is there another way to rename the account besides the ACCOUNTNAMERULE or do we need to raise a bug ticket?

Version: 23.4

Alex
Regular Contributor

updateaccountJSON for one of the endpoints. We are facing the same issues on others:

{
"moveUsertoOU": "${accountpath}",
"employeeID": "${task?.accountName}",
"givenName": "${givenName}",
"sn": "${'FS_' + locationcode}",
"displayName": "${'FS_' + locationcode+ ', ' + givenName+ ' (' +task?.accountName+ ')'}",
"company": "Company",
"department": "${department}",
"co": "${country}",
"l": "${city}",
"postalCode": "${postalCode}",
"streetAddress": "${street}",
"description": "Shared Account",
"global-ExtensionAttribute2": "${costCenter}",
"global-ExtensionAttribute12": "${locationnumber.substring(0,4)}",
"accountExpires": "0"
}

Setting the attributes name, cn is not possible and gives an LDAP error. Already tried that out.

Thanks!

Alex
Regular Contributor

Found a solution after a discussion via freshdesk tickets.

Seems like it is now possible to update the cn directly via the updateaccountjson.
So just include the cn in it and all the naming attributes will be renamed (name, dn, cn).

Cheers
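
Background for the thread above, as an added example that is not part of any post and is not Saviynt connector code: in LDAP the leftmost DN component (the RDN, here CN) is changed with a ModifyDN (rename) operation rather than by writing cn or name as ordinary attributes, and an OU move is the same operation with a new parent. The sketch below compares a current DN with a target CN and OU and reports which ModifyDN arguments are needed; the function names are hypothetical and all DNs are constructed sample values.

```python
# Added illustration, not Saviynt connector code. All DNs below are constructed.

def split_dn(dn):
    """Split a DN into (rdn, parent) at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":          # backslash escapes the next character
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:].lstrip()
        i += 1
    return dn, ""


def escape_rdn_value(value):
    """Escape the characters RFC 4514 treats as special in a DN value."""
    out = []
    last = len(value) - 1
    for pos, ch in enumerate(value):
        special = ch in ',+"\\<>;'
        special = special or (pos == 0 and ch in " #") or (pos == last and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def plan_rename(old_dn, new_cn, new_parent):
    """Return the ModifyDN arguments needed to reach the target DN, or None."""
    old_rdn, old_parent = split_dn(old_dn)
    old_type, _, old_value = old_rdn.partition("=")
    new_value = escape_rdn_value(new_cn)
    # A case-only change of the CN value still counts as a rename.
    rdn_changed = old_type.strip().upper() != "CN" or old_value != new_value
    moved = old_parent.lower() != new_parent.lower()   # DN matching ignores case
    if not (rdn_changed or moved):
        return None
    kind = "rename+move" if rdn_changed and moved else "rename" if rdn_changed else "move"
    return {"kind": kind, "newrdn": "CN=" + new_value,
            "newsuperior": new_parent if moved else None}


if __name__ == "__main__":
    old = "CN=FS_1001 Anna (svc01),OU=Shared,DC=example,DC=com"
    print(plan_rename(old, "FS_1001 Anna-Maria (svc01)", "OU=Shared,DC=example,DC=com"))
    print(plan_rename(old, "FS_1001 Anna (svc01)", "OU=Archive,DC=example,DC=com"))
```

A "move" result corresponds to the part of the DN the thread changed with moveUsertoOU, while a "rename" result is the CN change that also determines name and the rest of the dn.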