
AD Service Accounts: Correlating Owners, Managers, and Ownership Transfer

AtrayeeDutta
Regular Contributor

Hello Team,

We are currently working on a requirement that involves correlating Active Directory Service Accounts with their respective primary owners (using Rank 1 as the primary owner and Rank 2 as the secondary owner). As part of this process, we need to ensure that when a Rank 1 owner's employment is terminated, their ownership is automatically transferred to their manager. Additionally, the Rank 1 owner's manager should be correlated with the Service Account.

We have successfully managed the transfer of ownership to the manager through a user update rule. However, there are two main tasks that we still require help with:

  • First, we are seeking guidance on properly associating the Rank 1 owner with the Service Account.
  • Second, upon termination of the Rank 1 owner, we need to determine how to correlate the Rank 1 owner's manager effectively.

We came across a suggestion to use the Sav4Sav REST connector to achieve this; the link is below. We would appreciate any guidance or assistance on how to proceed.
Service Account import from Active Directory - Saviynt Forums - 18679

Regards,



rushikeshvartak
All-Star

You need to use the Saviynt REST API to achieve the above use cases.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

AtrayeeDutta
Regular Contributor

Could you please provide more details? We have attempted to implement a hardcoded solution, which successfully correlated the data. However, while trying to dynamically apply this solution, we encountered an error.

Here is the UpdateAccountJSON we used:


{
  "call": [
    {
      "name": "call1",
      "connection": "acctAuth",
      "url": "https://xxxxxxxxxxxxxxxxxxxx/ECM/api/v5/assignAccountToUser",
      "httpMethod": "POST",
      "httpParams": "{\"securitysystem\": \"Active_Directory\", \"endpoint\": \"Active_Directory\", \"accountname\": \"${(ServiceAccountOwnerMap.get('ServiceAccountType') == 'Service Account') ? accountname : null}\", \"username\": \"${ServiceAccountOwnerMap.USEROWNERNAMES.get('1')}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}"
      },
      "httpContentType": "application/json",
      "successResponses": [
        {
          "message": "Updated Successfully"
        }
      ]
    }
  ]
}

Can you share the logs showing what parameters are being sent (in configJSON, showlogs = true)?


Regards,
Rushikesh Vartak

Please find the attached logs. I have also tested with the UpdateAccountJSON below, but it is still giving an error.

{
  "call": [
    {
      "name": "call1",
      "connection": "acctAuth",
      "url": "https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ECM/api/v5/assignAccountToUser",
      "httpMethod": "POST",
      "httpParams": "{\"securitysystem\": \"Active_Directory_Lab\", \"endpoint\": \"Active_Directory_Lab\", \"accountname\": \"${(ServiceAccountOwnerMap.get('ServiceAccountType') == 'Service Account') ? accountname : null}\", \"username\": \"${ServiceAccountOwnerMap.USEROWNERNAMES.get('1')}\"}",
      "httpHeaders": {
        "Authorization": "${access_token}",
        "Accept": "application/json"
      },
      "httpContentType": "application/json"
    }
  ]
}

Is the task ID 1095928? Also, please check whether automated provisioning is enabled.


Regards,
Rushikesh Vartak

AtrayeeDutta
Regular Contributor

Yes, task id is 1095928 and automated provisioning is enabled.
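
The owner-selection logic this thread is after, as an added example that is not part of any post above and is not Saviynt code: it picks the Rank 1 owner, falls back to the manager when that owner is terminated, and only then builds the `assignAccountToUser` body with the four fields shown in the posted JSON. The user-record layout (`status`, `manager`), the sample data, and the function names are assumptions; walking further up the manager chain goes one step beyond the single hop described in the question.

```python
import json

# Constructed sample identities; the status/manager layout is an assumption.
USERS = {
    "jdoe":   {"status": "terminated", "manager": "asmith"},
    "asmith": {"status": "active", "manager": "cto"},
    "cto":    {"status": "active", "manager": None},
}

def resolve_owner(username, users, max_hops=5):
    """Return the first active user at or above `username`, or None."""
    seen = set()
    while username and username not in seen and len(seen) < max_hops:
        seen.add(username)          # guards against manager loops
        user = users.get(username)
        if user is None:            # unknown identity: do not guess an owner
            return None
        if user["status"] == "active":
            return username
        username = user["manager"]  # terminated: hand over to the manager
    return None

def build_assign_body(accountname, owner_map, users, system="Active_Directory"):
    """Build the request body, or None when no call should be made.

    owner_map mirrors the ServiceAccountOwnerMap lookups used in the thread:
    'ServiceAccountType' and USEROWNERNAMES keyed by rank ('1', '2').
    """
    if owner_map.get("ServiceAccountType") != "Service Account":
        return None                 # skip instead of sending an empty account name
    rank1 = owner_map.get("USEROWNERNAMES", {}).get("1")
    owner = resolve_owner(rank1, users)
    if not accountname or owner is None:
        return None                 # leave for manual review rather than mis-assign
    return json.dumps({
        "securitysystem": system,
        "endpoint": system,
        "accountname": accountname,
        "username": owner,
    })
```

Accounts for which this returns None (no active owner found, or not a service account) are the ones to route to manual review, since an unowned service account is exactly what the ownership transfer is meant to prevent.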