AD Group Management : Group Owner in createUpdateMapping

varunpuri, Regular Contributor

Hi,

We have a requirement to manage AD groups via Saviynt. The request for group creation will come from ServiceNow via an API call; this part is working. The API is also pushing the owner information. Below is a small section of the payload which shows the owner being pushed:

[screenshot: varunpuri_0-1683120590339.png]

As a result of this API call, the Create Entitlement task is getting generated.

Problem: the owner information needs to be pushed to AD in the managedBy attribute. How can this be done in the createUpdateMapping? If we specify the following mapping:

"managedBy":"${allOwner}",

Then, in the logs, we can see that the allOwner variable is being replaced with the actual value as shown below:

[screenshot: varunpuri_1-1683120746122.png]

But it is also resulting in an error which says:

[screenshot: varunpuri_4-1683121013506.png]

On the other hand, just for testing purposes, when we provided the complete distinguishedName of any one user in the mapping as:

[screenshot: varunpuri_3-1683120971209.png]

Then the group is getting created and the owner value is getting set in the managedBy attribute also.

[screenshot: varunpuri_5-1683121173644.png]

Darshanjain, Saviynt Employee

Hi @varunpuri,

As mentioned in the doc, you can use the ownerAccountListMap variable to fetch the accountid of the owners. Below is a sample that checks that the owners size is not zero and the owners are not null, then fetches the accountid, otherwise null. Modify it accordingly.

"managedBy": "${allOwnerList?.size()>0 && ownerAccountListMap.size()>0 && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).get(0)?.accountID:null}"

Thanks

Darshan

varunpuri, Regular Contributor

Hello @Darshanjain,

The AD connector guide does not provide any sample JSON around the usage of ownerAccountListMap. Thank you for sharing.

However, when I used the above snippet in createUpdateMapping, it is throwing the below error:

[screenshot: varunpuri_0-1683124135028.png]

Best Regards,
Varun

Darshanjain, Saviynt Employee

The above error suggests that the value passed is invalid. Can you check that the owner Account ID is present and that it has a valid DN?

It's an LDAP error which you need to check and handle.

Thanks

Darshan

varunpuri, Regular Contributor

Thank you, @Darshanjain. I had to replace accountId with one of the customproperties which held the distinguishedName of AD. It works now.

One more question: I have also configured a User Update Rule which triggers the action Transfer Entitlement Ownership in case the primary owner leaves the organization. I then ran the leaver process for the current owner and can see that the ownership of the entitlement got changed, but only within Saviynt. It has NOT resulted in the generation of any task which will cause the update of the managedBy attribute in AD also. Any pointers on how to achieve this?
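The mapping expression Darshan posted walks allOwnerList -> username -> ownerAccountListMap -> first account -> accountID, and the LDAP error Varun hit came from feeding that value into managedBy when it was not a DN; the fix was to read the DN from a custom property instead. The following is an added example, not code from the thread or from Saviynt: a Python model of that lookup with a DN shape check in front of it, so the "not a DN" case is caught before AD rejects the add. The data shapes, the property name customproperty1 and the sample owner are all assumptions constructed for the example; the real Saviynt variables are Groovy objects evaluated inside the connector, not Python dicts.

```python
import re

# Constructed sample data (not taken from the thread's screenshots). The shapes
# follow how the mapping expression in the thread indexes the Saviynt variables:
#   allOwnerList[0].userkey.username           -> owner's username
#   ownerAccountListMap[username][0].accountID -> owner's AD account
# Treat these shapes as assumptions, not a documented Saviynt schema.
ALL_OWNER_LIST = [
    {"userkey": {"username": "jdoe"}},
]
OWNER_ACCOUNT_LIST_MAP = {
    # accountID holds the logon name here, mirroring the thread's finding that
    # accountID was not a usable DN; the DN is assumed to sit in customproperty1.
    "jdoe": [
        {
            "accountID": "jdoe",
            "customproperty1": "CN=John Doe,OU=Users,DC=example,DC=com",
        }
    ],
}

# Shape check for an LDAP DN: one or more "attr=value" RDNs joined by commas.
# Enough to catch a bare account name; it is not a full RFC 4514 parser
# (escaped commas or multi-valued RDNs would need one).
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def looks_like_dn(value):
    return isinstance(value, str) and bool(_DN_RE.match(value))


def resolve_owner_attribute(all_owner_list, owner_account_list_map, attribute):
    """Python rendering of the createUpdateMapping expression from the thread.

    Walk first owner -> username -> that user's accounts -> first account ->
    `attribute`. Every missing step returns None, which corresponds to the
    expression's ':null' branch.
    """
    if not all_owner_list or not owner_account_list_map:
        return None
    username = (all_owner_list[0].get("userkey") or {}).get("username")
    accounts = owner_account_list_map.get(username)
    if not accounts:
        return None
    return accounts[0].get(attribute)


def build_managed_by(all_owner_list, owner_account_list_map, attribute="customproperty1"):
    """Value for managedBy, validated before it would be sent to AD.

    Returns None when no owner account is known (omit the attribute rather than
    send an invalid value). Raises ValueError when the chosen attribute is not a
    DN, which is the case AD rejected with an LDAP error in the thread.
    """
    value = resolve_owner_attribute(all_owner_list, owner_account_list_map, attribute)
    if value is None:
        return None
    if not looks_like_dn(value):
        raise ValueError(
            f"managedBy needs a distinguishedName, got {value!r} from {attribute}; "
            "point the mapping at the property that stores the DN"
        )
    return value


if __name__ == "__main__":
    print(build_managed_by(ALL_OWNER_LIST, OWNER_ACCOUNT_LIST_MAP))
    try:
        build_managed_by(ALL_OWNER_LIST, OWNER_ACCOUNT_LIST_MAP, attribute="accountID")
    except ValueError as exc:
        print("rejected:", exc)
```

Reading accountID reproduces the failure from the thread (a logon name is not a DN), reading the custom property returns a value AD will accept, and an owner with no account in the map resolves to None, which is the same outcome as the expression's null branch. Which custom property actually holds the DN depends on the AD connector's import mapping in a given tenant, so check that before copying the property name.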

Darshanjain, Saviynt Employee

Better to raise this in a separate topic; I would reply there accordingly.

Thanks

Darshan