03/09/2023 01:33 AM
Hi,
We have investigated the following issue. The account naming attributes (cn, dn, name) for service accounts are not updated on update.
The assumption was that this is handled via the ACCOUNTNAMERULE, but it seems like this is not the case for service accounts.
We were able to get a substring of the dn updated, which was realized with "moveUsertoOU", but this is not possible for cn, name, and the remaining part of the dn.
How is the rename of AD accounts handled via the AD Connector?
03/09/2023 08:53 AM
You should be able to use ACCOUNTNAMERULE to modify when the OU is moved. The parameter is evaluated while creating an account and on update of any attribute driving the name rule and OU movements for an account.
You can specify the rules to generate the DN for the account for provisioning separated by ###.
You can refer to the guide below for the same (section - Specifying the Account Name Rule)
03/09/2023 10:47 AM
Hi Sahil,
That was also our assumption, but in fact, this is not the case for service accounts. Find below the current account name rule:
${'CN=FS_'+ locationcode +' '+ givenName +' (' + task.accountName + '),' + accountpath}
To add a little info on that, all the mentioned dynamic attributes in the account name rule can be updated on modify, besides (of course) the accountName.
Nevertheless, the outcome in AD looks like the following:
03/09/2023 06:32 PM
Can you please share the updateaccountJSON?
04/20/2023 01:14 AM - edited 04/21/2023 02:01 AM
Hi @Saathvik @SB ,
Any additional information since? It looks like we are facing the same for the personal accounts. So currently the rename of the mentioned attributes is not working via the ACCOUNTNAMERULE.
Example use case:
Marriage - If an employee changes his name, the lastname should get updated in all target applications, which is the case in AD for displayname and surname. But additionally the lastname is also visible in the attributes name, dn and cn. Those attributes are not getting updated and reflect the old name.
Is there another way to rename the account besides the ACCOUNTNAMERULE or do we need to raise a bug ticket?
Version: 23.4
03/10/2023 01:45 AM
updateaccountJSON for one of the endpoints. We are facing the same issues on others:
{
"moveUsertoOU": "${accountpath}",
"employeeID": "${task?.accountName}",
"givenName": "${givenName}",
"sn": "${'FS_' + locationcode}",
"displayName": "${'FS_' + locationcode+ ', ' + givenName+ ' (' +task?.accountName+ ')'}",
"company": "Company",
"department": "${department}",
"co": "${country}",
"l": "${city}",
"postalCode": "${postalCode}",
"streetAddress": "${street}",
"description": "Shared Account",
"global-ExtensionAttribute2": "${costCenter}",
"global-ExtensionAttribute12": "${locationnumber.substring(0,4)}",
"accountExpires": "0"
}
Setting the attributes name and cn is not possible and gives an LDAP error. Already tried that out.
Thanks!
06/06/2023 09:14 AM
Found a solution after a discussion via Freshdesk tickets.
Seems like it is now possible to update the cn directly via the updateaccountJSON.
So just include the cn in it and all the naming attributes will be renamed (name, dn, cn).
Cheers