Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Additional AD groups are reconciling which are not part of advanceGroupFilter but memberOf accounts

BalajiE
New Contributor
New Contributor

‎08/08/2024 05:06 AM

Hi Team,

We have a requirement to reconcile only few OU groups in Active Directory. But few additional groups are reconciling which are memberOf some accounts.

We need to reconcile only Application and Server OUs. Which is defined in  advanceGroupFilter. As observed, we are getting additional groups from Domain OU due to some users which we reconcile are having memberOf of Domain groups.

BalajiE_0-1723118479318.png

"advanceGroupFilter": {
"memberOf": {
"OU=Server,OU=Security Groups,DC=XXX": [
"(&(objectClass=group))"
],
"OU=Application,OU=Security Groups,DC=XXX": [
"(&(objectClass=group))"
]
}

Customer don't want to reconcile these additional groups which Saviynt is not managing. Please let us know, how we restrict these additional groups.

 

1 person had this problem.
Labels:
0 Kudos
9 REPLIES 9

rushikeshvartak
All-Star
All-Star

‎08/08/2024 06:02 AM

If those are assigned to account it will be pulled


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

BalajiE
New Contributor
New Contributor
In response to rushikeshvartak

‎08/08/2024 06:16 AM

Hi @rushikeshvartak 

Yes, those are assigned to some accounts. is there any why to restrict to reconcile?

Like 1) limiting access to service account which used in connection?

2) any addition configuration that can be done in Saviynt to deny the specific OU recon? 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to BalajiE

‎08/08/2024 06:21 AM

See if below works

"advanceGroupFilter": {
"memberOf": {
"OU=Server,OU=Security Groups,DC=XXX": [
"(&(objectClass=group))"
],
"OU=Application,OU=Security Groups,DC=XXX": [
"(&(objectClass=group))"
]
},
"exclude": {
"OU=Domain,DC=XXX": [
"(!(distinguishedName=*,OU=Server,OU=Security Groups,DC=XXX))",
"(!(distinguishedName=*,OU=Application,OU=Security Groups,DC=XXX))"
]
}
}


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

BalajiE
New Contributor
New Contributor
In response to rushikeshvartak

‎08/08/2024 07:35 AM

Hi @rushikeshvartak 

I have tried above Json to exclude Domain OU, still same issue.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to BalajiE

‎08/08/2024 09:29 AM

You need to raise idea ticket 


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

NM
Honored Contributor II
Honored Contributor II

‎08/08/2024 07:57 AM

Hi @BalajiE , if they are assigned to account they will be pulled into saviynt..

What you can do is restrict it in saviynt.

Only show which all are relevant at the time of request.

0 Kudos

BalajiE
New Contributor
New Contributor
In response to NM

‎08/08/2024 09:55 AM

Hi @NM 

Yes, we have already restricted all these groups from the request. 

Even though those groups are not requestable, these groups are sensitive one so customer don't want other applications should read. 

Wanted to know, is there any possibility to restrict to read from Saviynt or Target Side.  

 

 

0 Kudos

NM
Honored Contributor II
Honored Contributor II
In response to BalajiE

‎08/08/2024 10:05 AM

@BalajiE , nope AD connector offer minimal customization in comparison to rest 

Raise an idea :light_bulb: 

0 Kudos

BalajiE
New Contributor
New Contributor

‎08/09/2024 08:13 AM

Hi @NM @rushikeshvartak 

Created Idea. Additional AD groups are reconciling which are | Saviynt Ideas Portal

0 Kudos
Copyright © 2024 Khoros, LLC