We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

AD Account // Connector // UPDATEUSERJSON -- SSM User object gets not updated

Volker
New Contributor III
New Contributor III

Hi there, 

need some information about the correct syntax to be used in "UPDATEUSERJSON" for AD connector.

We are using the following information in the connector to set the Names according to our needs, but it does not work fully. 

The user attributes, mapped in the connectors field USER_ATTRIBUTE , are mapped correctly into the SSM user object. Unfortunately the updates, calculated trough the code in field UPDATEUSERJSON, are not stored in the SSM user object. The import job finished without showing any issue.

Thank you very much for all your comments

USER_ATTRIBUTE

 

 

[
    USERNAME::name#String,
    CUSTOMPROPERTY23::userAccountControl#String,
    CUSTOMPROPERTY27::pwdLastSet#millisec,
    PHONENUMBER::telephoneNumber#String,
    CUSTOMPROPERTY31::msExchExtensionAttribute36#String,
    CUSTOMPROPERTY47::msExchExtensionAttribute44#String
]

 

 

UPDATEUSERJSON

 

 

{
    "ADDITIONALTABLES": {
        "USERS": "SELECT USERNAME,SYSTEMUSERNAME,EMPLOYEECLASS,USERKEY,FIRSTNAME,LASTNAME,CUSTOMPROPERTY8,CUSTOMPROPERTY20,CUSTOMPROPERTY23,CUSTOMPROPERTY13,CUSTOMPROPERTY14,CUSTOMPROPERTY21,CUSTOMPROPERTY26,CUSTOMPROPERTY5,CUSTOMPROPERTY28,CUSTOMPROPERTY29,CUSTOMPROPERTY30,CUSTOMPROPERTY31,CUSTOMPROPERTY47,CUSTOMPROPERTY50,CUSTOMPROPERTY51 FROM USERS"
    },
    "COMPUTEDCOLUMNS": [
        "FIRSTNAME",
        "LASTNAME",
        "DISPLAYNAME"
    ],
    "PREPROCESSQUERIES": [
        "UPDATE NEWUSERDATA SET FIRSTNAME = (CASE WHEN CUSTOMPROPERTY47 IS NOT NULL AND CUSTOMPROPERTY47 != '' THEN CUSTOMPROPERTY47 WHEN ( CUSTOMPROPERTY47 IS NULL OR CUSTOMPROPERTY47 = '' ) AND  FIRSTNAME IS NOT NULL AND FIRSTNAME != '' THEN FIRSTNAME ELSE '' END )",
        "UPDATE NEWUSERDATA SET LASTNAME = (CASE WHEN CUSTOMPROPERTY31 IS NOT NULL AND CUSTOMPROPERTY31 != '' THEN CUSTOMPROPERTY31 WHEN ( CUSTOMPROPERTY31 IS NULL OR CUSTOMPROPERTY31 = '' ) AND LEFT(customproperty8, 2) = 'NL' AND CUSTOMPROPERTY5  IS NOT NULL AND CUSTOMPROPERTY5  != '' AND CUSTOMPROPERTY51 IS NOT NULL AND CUSTOMPROPERTY51 != '' THEN CONCAT( CUSTOMPROPERTY51, ' ', CUSTOMPROPERTY5) WHEN ( CUSTOMPROPERTY31 IS NULL OR CUSTOMPROPERTY31 = '' ) AND left(customproperty8, 2) = 'NL' AND CUSTOMPROPERTY5  IS NOT NULL AND CUSTOMPROPERTY5  != '' AND ( CUSTOMPROPERTY51 IS NULL OR CUSTOMPROPERTY51 = '' ) THEN CUSTOMPROPERTY5 WHEN ( CUSTOMPROPERTY31 IS NULL OR CUSTOMPROPERTY31 = '' ) AND LASTNAME IS NOT NULL AND LASTNAME != '' AND LEFT(customproperty8, 2) = 'NL' AND ( CUSTOMPROPERTY5  IS NULL OR CUSTOMPROPERTY5 = '' ) AND CUSTOMPROPERTY50 IS NOT NULL AND CUSTOMPROPERTY50 != '' THEN CONCAT(CUSTOMPROPERTY50, ' ', LASTNAME) WHEN ( CUSTOMPROPERTY31 IS NULL OR CUSTOMPROPERTY31 = '' ) AND LASTNAME IS NOT NULL AND LASTNAME != '' AND LEFT(customproperty8, 2) = 'NL' AND ( CUSTOMPROPERTY5  IS NULL OR CUSTOMPROPERTY5  = '' ) AND ( CUSTOMPROPERTY50 IS NULL OR CUSTOMPROPERTY50 = '' ) THEN LASTNAME WHEN ( CUSTOMPROPERTY31 IS NULL OR CUSTOMPROPERTY31 = '' ) AND LASTNAME IS NOT NULL AND LASTNAME != '' AND LEFT(customproperty8, 2) != 'NL' THEN LASTNAME END)",
        "UPDATE NEWUSERDATA SET DISPLAYNAME = (CASE WHEN TITLE IS NOT NULL AND TITLE != '' AND EMPLOYEECLASS  = 'EXTERNAL' THEN CONCAT (TITLE, ' ', LASTNAME, ', ', FIRSTNAME, ' (external)') WHEN TITLE IS NOT NULL AND TITLE != '' AND EMPLOYEECLASS != 'EXTERNAL' THEN CONCAT(TITLE, ' ', LASTNAME, ', ', FIRSTNAME ) WHEN EMPLOYEECLASS  = 'EXTERNAL' THEN CONCAT(LASTNAME, ', ', FIRSTNAME, ' (external)') ELSE CONCAT(LASTNAME, ', ', FIRSTNAME) END)"
    ]
}        

 

Can someone please confirm / disconfirm that my UPDATEUSERJSON is totally wrong? I had it just copied from the already working SAP connection.

Are there any more detailed documents about the UPDATEUSERJSON JSON syntax, which stanzas are supported and what are the purpose of each?

Additionally I would kindly ask, if my understanding of the Updating a User  sample JSON in Documentation Portal Link is correct? 

  • the UPDATEUSERJSON does not really update the SSM user object directly, instead it updates / enrich the data wich are read in from AD before they are stored in a SSM AD account object.
  • The UPDATEUSERJSON is executed before the USER_ATTRIBUTE JSON.
  • If I need to have updates on SSM user object, like from the SAP connection, which is using the UPDATEUSERJSON field, than I have to manipulate the USER_ATTRIBUTE field with the correct groovy code for the particular mapped attribute value. which will be potentially be updated by the UPDATEUSERJSON before evaluated in USER_ATTRIBUTE mapping.
  • To being able to update the user (which is a User object in terms of AD(?)) the UPDATEUSERJSON must have the objectClasses attribute filled with value "user"?

Thanks and best regards

[This post has been edited by a Moderator to merge two posts.]

7 REPLIES 7

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @Volker,

Are you referring to either the import or provisioning process?
If you're addressing the import, you have the option to bring in user data and utilize the inline processor to modify the data. USE the MODIFYUSERDATAJSON parameter to specify the use of the inline processor for transforming data during user import.

Alternatively, if you are discussing provisioning, could you provide further details about your specific use case?

You can Ref: https://forums.saviynt.com/t5/community-knowledge-base/how-to-restrict-modifyuserdatajson-of-userimp... 

https://forums.saviynt.com/t5/identity-governance/modifyuserdatajson-preprocessqueries-termdate/m-p/... 

Thanks.

Volker
New Contributor III
New Contributor III

Hello @sudeshjaiswal,

thanks for digging into my question.

I am talking about reconciliation of an AD target system.

I have already successfully configured the mapping of AD Account attributes into the SSM user object and it works like expected.

Here is the used value of connector configuration field USER_ATTRIBUTE:

[
  USERNAME::name#String,
  CUSTOMPROPERTY23::userAccountControl#String,
  CUSTOMPROPERTY27::pwdLastSet#millisec,
  PHONENUMBER::telephoneNumber#String,
  CUSTOMPROPERTY31::msExchExtensionAttribute36#String,
  CUSTOMPROPERTY47::msExchExtensionAttribute44#String
]

Now I would like to use the new Values, for example in SSM.USERS.customproperty31, during this reconciliation to recalculate the existing SSM user objects DISPLAYNAME.

Unfortunately, it does not behave as expected, no updates are coming to the user object. On the other hand, no error is displayed during import.

I am asking me if the following flow meets the reality and what I am personally doing wrong in the UPDATEUSERJSON, as no USER update happens. 

  1. Connector read in existing data from AD into a temporary table.
  2. SSM processes the mapping from USER_ATTRIBUTE configuration using the temp data from step 1.
  3. SSM processes the configuration from UPDATEUSERJSON and using the temp data from step 2.
  4. SSM finally updates the corresponding SSM user object.

Thanks for your support.

Regards

Volker

sudeshjaiswal
Saviynt Employee
Saviynt Employee

Hello @Volker,

The Below case is can be achieve when you use the inline processor MODIFYUSERDATAJSON not in the UPDATEUSERJSON

  1. Connector read in existing data from AD into a temporary table.
  2. SSM processes the mapping from USER_ATTRIBUTE configuration using the temp data from step 1.
  3. SSM processes the configuration from UPDATEUSERJSON and using the temp data from step 2.
  4. SSM finally updates the corresponding SSM user object.

    UPDATEUSERJSON is only used for existing user, if you want to update any attribute of the existing user,
    MODIFYUSERDATAJSON is used when data is being imported from the target.

    Thanks.

Volker
New Contributor III
New Contributor III

Thank you for your reply.

I am already trying to use the MODIFYUSERDATAJSON. Just as I already do in a similar way in the SAP connection. It works perfectly there too.

Did I understand you correctly that the MODIFYUSERDATAJSON in the AD connection is meant to calculate updates that are to be propagated to the SSM USER object at the end of the import process?

Unfortunately, I am not able to get the MODIFYUSERDATAJSON configuration to work correctly in the AD connector configuration. It just seems to be ignored and no error occurs.

Can you please provide a short example of a real working value for AD Connector MODIFYUSERDATAJSON?

Regards
Volker

Refer https://forums.saviynt.com/t5/community-knowledge-base/attribute-precedence-for-user-imports/ta-p/10...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Thanks for the link and the clear statement, that it should work, this is like I would expect it.

In fact, I have done exactly those described scripts for HR connection and a slightly different logic on AD connection. Both use the same syntax, but slightly different in logic and involved attributes. 

Now, for HR connection it works as expected bu for the AD connection its just doing nothing visible on the SSM.user object.

 

Any further idea what I could have done wrong? Or is it now the case for opening an support ticket for?

Regards
Volker

check logs , Support team will not help on configuration


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.