AD ENDPOINTFILTER: how to exclude groups

Olesia
Regular Contributor

Hi,

Is there a way to exclude some groups from the endpoint filter?

For example, we use a wildcard in the endpoint filter. All the groups starting with TST-Group1 (TST-Group1, TST-Group11, TST-Group12, ...) should go to Endpoint1.

But here is an exclusion: all the groups starting with CN=TST-Group17 should go to Endpoint2.

The endpoint filter should be something like this, but this doesn't work:

{
"Endpoint1":[
{
"memberOf":[
"CN=TST-Group1%OU=Groups,OU=OU,DC=com%",
!"CN=TST-Group17%OU=Groups,OU=OU,DC=com%"
]
}
],
"Endpoint2":[
{
"memberOf":[
"CN=TST-Group2%OU=Groups,OU=OU,DC=com%",

"CN=TST-Group17%OU=Groups,OU=OU,DC=com%"
]
}
]
}

3 REPLIES

mayankshah
New Contributor III

You can also use wildcards in the group name for importing groups using %. 

{
"Endpoint1":[
{
"memberOf":[
"CN=TST-Group1%,OU=Groups,OU=OU,DC=com%"]
}
],
"Endpoint2":[
{
"memberOf":[
"CN=TST-Group17%,OU=Groups,OU=OU,DC=com%"
]
}
]
}

Note: There was no ',' after the CN ends in your code above.

DaanishJawed
Saviynt Employee

Hi @Olesia ,

The only option would be listing the entitlements separately in the endpoint filter and not mentioning the Group17 entitlement in Endpoint 1.

So it will look like this based on the JSON you shared.

{
"Endpoint1":[
{
"memberOf":[
"CN=TST-Group1,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group11,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group12,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group13,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group14,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group15,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group16,OU=Groups,OU=OU,DC=com%",
"CN=TST-Group18,OU=Groups,OU=OU,DC=com%"
]
}
],
"Endpoint2":[
{
"memberOf":[
"CN=TST-Group2%OU=Groups,OU=OU,DC=com%",
"CN=TST-Group17,OU=Groups,OU=OU,DC=com%"
]
}
]
}

In case you are bringing in entitlements in bulk, it would be an enhancement request to exclude certain entitlements in the ENDPOINT_FILTER JSON. You can submit the enhancement request in the Ideas Portal - https://ideas.saviynt.com/ideas/

Thanks.
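
Added example, not part of any reply in this thread and not Saviynt's code: Python that reports which sample group DNs the wildcard filter sends to both endpoints, then generates the explicit per-group filter described in the reply above and confirms each group lands on exactly one endpoint. It assumes `%` matches any run of characters, case-insensitively; the group DNs, `ROUTES` and all function names are constructed for illustration.

```python
import json
import re

SUFFIX = ",OU=Groups,OU=OU,DC=com"  # DN suffix as written in the thread
# Constructed sample group DNs (not real directory data).
GROUPS = ["CN=TST-Group%s%s" % (n, SUFFIX) for n in ("1", "11", "16", "17", "171", "2")]

# Wildcard filter from the first reply: both patterns match TST-Group17*.
WILDCARD_FILTER = {
    "Endpoint1": [{"memberOf": ["CN=TST-Group1%,OU=Groups,OU=OU,DC=com%"]}],
    "Endpoint2": [{"memberOf": ["CN=TST-Group17%,OU=Groups,OU=OU,DC=com%"]}],
}

# Hypothetical routing rules, most specific first; the first match wins.
ROUTES = [("CN=TST-Group17%", "Endpoint2"), ("CN=TST-Group2%", "Endpoint2"),
          ("CN=TST-Group1%", "Endpoint1")]

def like(pattern, dn):
    """Assumed semantics: '%' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, dn, re.IGNORECASE) is not None

def endpoints_for(dn, endpoint_filter):
    """Names of every endpoint whose memberOf patterns match this DN."""
    return [name for name, rules in endpoint_filter.items()
            if any(like(p, dn) for rule in rules for p in rule["memberOf"])]

def overlaps(dns, endpoint_filter):
    """DNs that land on more than one endpoint, mapped to those endpoints."""
    hits = {dn: endpoints_for(dn, endpoint_filter) for dn in dns}
    return {dn: eps for dn, eps in hits.items() if len(eps) > 1}

def explicit_filter(dns, routes):
    """List each DN under the first route it matches (the staff workaround)."""
    result = {}
    for dn in dns:
        for prefix, endpoint in routes:
            if like(prefix, dn):
                rules = result.setdefault(endpoint, [{"memberOf": []}])
                rules[0]["memberOf"].append(dn + "%")  # same shape as the reply
                break
    return result

if __name__ == "__main__":
    print("overlap with wildcards:", overlaps(GROUPS, WILDCARD_FILTER))
    generated = explicit_filter(GROUPS, ROUTES)
    print("overlap after listing explicitly:", overlaps(GROUPS, generated))
    print(json.dumps(generated, indent=2))
```

Feed it the real group DNs exported from the directory in place of `GROUPS`, and rerun it whenever new groups are created, since an explicit list does not pick them up automatically.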

Olesia
Regular Contributor

Thank you for your replies,

I have created an enhancement idea: https://ideas.saviynt.com/ideas/EIC-I-4419