
AD App onboarding Use cases - questions

suresh99
New Contributor
Hi Team,
 
Can you please help with the below questions -
 
1. How to create a user in a different OU based on department? We have more than 1000 departments.
for: User Department = A then OU=Sales
       User Department = B then OU=Marketing
      etc.
  
2. Upon de-provision, the AD account should be disabled immediately, but groups should be disabled after 30 days.
 
3. While creating the AD account, 2 groups should be created along with it (not through birthright).
Is there something we can do at the endpoint level?
 
4. We have AD and CyberArk endpoints. Only if the user has an AD account should CyberArk be displayed for requesting. How to achieve this?
 
5. How to read the AD password once the account is created - need to send an email.
 
6. How to use Dynamic Attributes, with sample use cases if possible - exploring Freshdesk, not found much documentation?
 
7. What are the use cases for the endpoint filter - can read from FD that it is used for logical applications; are there more uses?
 
thanks,
suresh

rushikeshvartak
All-Star

Q.1 - solution 1 -

You can write if-else logic in the AD connection JSON. If your OU & DEPARTMENT names are the same, it will be easy.

Solution 2 - Create a Dynamic Attribute on the request form, write the logic in a SQL query with CASE WHEN THEN logic & use the dynamic attribute in the connection.

Q2 - You can create 2 separate technical rules & achieve this use case.

Q3 - AD group creation requires certain parameters to be passed & it has its own approval process; you can't merge account & group creation together.

However, you can restrict the user from creating an account if the user group is not created, using an access query or dynamic attribute.

Q4 - Use endpoint access query 

Q5 - The ${account_password} variable can be used in the email template.

Q6 - Refer to the create account JSON; here the right side is the dynamic attribute name.

The left side is the target application attribute name & the right side is the Saviynt attribute.

"cn": "${CN_DynamicAttribute}"

https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g...

Q7 - Endpoint filter is used when you want to split certain user groups per application (it will create the endpoint as specified in the endpoints_filter JSON). This is useful when you want different approval flows / certifications / reports, etc. that are application specific.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

suresh99
New Contributor

Thank you Rushikesh for the answers.

Regarding Q#1 - if we have 960 departments, do we have to put 960 if-else or case statements? No other way to achieve this?

 

Solution 1 -

You can write if-else logic in the AD connection JSON. If your OU & DEPARTMENT names are the same, it will be easy.

Solution 2 - Create a Dynamic Attribute on the request form, write the logic in a SQL query with CASE WHEN THEN logic & use the dynamic attribute in the connection.

Unfortunately, you need to write logic for all departments if your department name & OU name are different.


Regards,
Rushikesh Vartak

suresh99
New Contributor

Thanks again.

KB99
New Contributor

Suresh, we also have a similar type of requirement to yours.

1. How to create a user in a different OU based on department? We have more than 1000 departments.
for: User Department = A then OU=Sales
User Department = B then OU=Marketing
etc.
2. Upon de-provision, the AD account should be disabled immediately, but groups should be disabled after 30 days.
Could you please shed some light on how you have achieved this?

#1 If the department name & OU name are the same then it's easy; else you need to maintain the logic in JSON, or you can achieve it using a dynamic attribute.

#2 This can be achieved using rules and an analytics report using the de-provision account action.


Regards,
Rushikesh Vartak

Thank you, Rushikesh,

We do not want to have them hard-coded. Is there any way we can do this? As we might have changes to the OU or Department, we want to see if this can be done by doing a lookup and updating the value.

Suresh, how did you implement this? Could you please share your experience?

 

Regards

 

There is no alternative 


Regards,
Rushikesh Vartak

suresh99
New Contributor

We have implemented as Rushi suggested; please find ours below.

Dataset to store all OUs vs Locations

User Update Rule - Custom Action (Java Class) to derive the OU (based on the above dataset and a few other manipulations) and store it into a cp attribute

Pass that cpxx into the accountname rule

If the solution is working as expected, then accept the solution for future audiences.


Regards,
Rushikesh Vartak

We utilized the dataset and mapped the OU in the preprocessor based on the location.
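
The dataset-lookup approach described in the last posts, sketched as an added Java example that is not part of the thread and does not use Saviynt's custom-action API: the class name, the map contents (standing in for the dataset) and the base DN are hypothetical. It escapes the looked-up OU value per RFC 4514 before building the DN and returns no container for an unmapped department, so an account is never silently placed in a default OU.

```java
import java.util.Map;
import java.util.Optional;

// Added example; all names are hypothetical, not Saviynt's own classes.
public class OuResolver {
    // Constructed sample rows standing in for the department-to-OU dataset.
    private static final Map<String, String> DEPT_TO_OU = Map.of(
        "A", "Sales",
        "B", "Marketing");

    // Assumed base DN for illustration only.
    private static final String BASE_DN = "DC=example,DC=com";

    // Escape a value for use inside one RDN (RFC 4514 special characters),
    // so a dataset entry containing ',' or '+' cannot add extra RDNs.
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edge = (i == 0 && (c == ' ' || c == '#'))
                        || (i == v.length() - 1 && c == ' ');
            if (c == 0) {
                sb.append("\\00");
            } else if (edge || ",+\"\\<>;".indexOf(c) >= 0) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Returns the target container DN, or empty when the department is
    // missing or unmapped so the caller can stop provisioning (fail closed).
    static Optional<String> resolveContainer(String department) {
        if (department == null) {
            return Optional.empty();
        }
        String ou = DEPT_TO_OU.get(department.trim());
        if (ou == null) {
            return Optional.empty();
        }
        return Optional.of("OU=" + escapeRdnValue(ou) + "," + BASE_DN);
    }

    public static void main(String[] args) {
        System.out.println(resolveContainer("A"));        // mapped department
        System.out.println(resolveContainer("Unknown"));  // unmapped department
    }
}
```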