AD Group Management : Group Owner in createUpdateMapping

Regular Contributor


We have a requirement to manage AD Groups via Saviynt. The request for Group Creation will come from ServiceNow via an API call - this part is working. The API is also pushing the owner information. Below is a small section of the payload which shows the owner being pushed:


As a result of this API call, the Create Entitlement task is getting generated. 

Problem: The owner information needs to be pushed to AD in the managedBy attribute. How can this be done in the createUpdateMapping? If we specify the following mapping:


Then, in the logs, we can see that the allOwner variable is being replaced with the actual value as shown below:


But it is also resulting in an error which says:


On the other hand, just for testing purposes, when we provided the complete distinguishedName of any one user in the mapping as:


Then the group is getting created and the owner value is also getting set in the managedBy attribute.




Saviynt Employee

Hi @varunpuri

As mentioned in the doc, you can use the ownerAccountListMap variable to fetch the accountid of the owners. Below is a sample that checks that the owners size is not zero and the owners are not null, then fetches the accountid, otherwise returns null. Modify it accordingly.





"managedBy": "${allOwnerList?.size()>0 && ownerAccountListMap.size()>0 && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).get(0)?.accountID:null}"

Regular Contributor

Hello @Darshanjain ,

The AD connector guide does not provide any sample JSON around the usage of ownerAccountListMap. Thank you for sharing.

However, when I used the above snippet in createUpdateMapping, it is throwing the below error:


Best Regards,

The above error suggests that the value passed is invalid. Can you check that the owner Account Id is present and that it has a valid DN?

It's an LDAP error which you need to check and handle.




Thank you, @Darshanjain - I had to replace accountId with one of the customproperties which held the distinguishedName of AD. It worked now.

One more question - I have also configured a User Update Rule which triggers the Action - Transfer Entitlement Ownership in case the primary owner leaves the organization. I then ran the leaver process for the current owner and can see that the ownership of the entitlement got changed, but only within Saviynt. It has NOT resulted in the generation of any task which will cause the update of the managedBy attribute in AD as well. Any pointers on how to achieve this?

Better to raise this in a separate topic, would reply there accordingly.
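
The thread's resolution was that managedBy only accepts a distinguishedName, so the field read from ownerAccountListMap must hold a DN. The sketch below is an added example, not Saviynt code or anything posted in the thread: it reproduces the null-safe first-owner lookup from the mapping expression in plain Python and adds a DN-shape check before the value would be sent to AD. The dictionaries, the `dn_property` field name and the sample DN are constructed stand-ins.

```python
import re

# One RDN: attribute descriptor or numeric OID, "=", non-empty value.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=\s*(.+)$")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def looks_like_dn(value):
    """True when every comma-separated component has the attr=value shape."""
    if not isinstance(value, str) or not value.strip():
        return False
    return all(_RDN.match(p) for p in split_rdns(value))

def managed_by_for(all_owner_list, owner_account_list_map, dn_field):
    """First owner's value for dn_field, or None if absent or not DN-shaped."""
    if not all_owner_list or not owner_account_list_map:
        return None
    username = all_owner_list[0].get("username")
    accounts = owner_account_list_map.get(username) or []
    if not accounts:
        return None
    candidate = accounts[0].get(dn_field)
    return candidate if looks_like_dn(candidate) else None

# Constructed sample data: accountID holds a login name, dn_property holds the DN.
OWNERS = [{"username": "jdoe"}]
ACCOUNTS = {"jdoe": [{"accountID": "jdoe",
                      "dn_property": "CN=Doe\\, John,OU=Users,DC=example,DC=com"}]}
```

Returning None for a value that is not DN-shaped keeps a login name or empty string from reaching the LDAP modify, which is where the error in this thread surfaced.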