08/08/2024 05:06 AM
Hi Team,
We have a requirement to reconcile only a few OU groups in Active Directory, but a few additional groups are being reconciled because some accounts are memberOf them.
We need to reconcile only the Application and Server OUs, which are defined in advanceGroupFilter. As observed, we are getting additional groups from the Domain OU because some of the users we reconcile are memberOf Domain groups.
"advanceGroupFilter": {
    "memberOf": {
        "OU=Server,OU=Security Groups,DC=XXX": [
            "(&(objectClass=group))"
        ],
        "OU=Application,OU=Security Groups,DC=XXX": [
            "(&(objectClass=group))"
        ]
    }
}
The customer doesn't want to reconcile these additional groups, which Saviynt is not managing. Please let us know how we can restrict these additional groups.
08/08/2024 06:02 AM
If those are assigned to an account, they will be pulled.
08/08/2024 06:16 AM
Yes, those are assigned to some accounts. Is there any way to restrict them from being reconciled?
Like 1) limiting the access of the service account used in the connection?
2) any additional configuration that can be done in Saviynt to deny the specific OU recon?
08/08/2024 06:21 AM
See if below works
"advanceGroupFilter": {
    "memberOf": {
        "OU=Server,OU=Security Groups,DC=XXX": [
            "(&(objectClass=group))"
        ],
        "OU=Application,OU=Security Groups,DC=XXX": [
            "(&(objectClass=group))"
        ]
    },
    "exclude": {
        "OU=Domain,DC=XXX": [
            "(!(distinguishedName=*,OU=Server,OU=Security Groups,DC=XXX))",
            "(!(distinguishedName=*,OU=Application,OU=Security Groups,DC=XXX))"
        ]
    }
}
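Whatever the connector-side filter ends up doing, the check a practitioner wants is an independent one: take the group DNs a reconciliation run actually returned and compare them against the managed OUs, so that any group that entered only through an account's memberOf (the Domain OU groups in this thread) is surfaced rather than silently accepted. The script below is an added example written for this reply; it is not Saviynt code and not the connector's filter logic. It assumes subtree scope (a group in a nested OU below a managed OU counts as managed) and uses constructed sample DNs; the DC=XXX suffix is the placeholder from the thread.

```python
import re

# Constructed sample input, not data from the thread: group DNs that a
# reconciliation run returned. The first three sit under the managed OUs; the
# last one is only present because some account is memberOf it.
SAMPLE_GROUP_DNS = [
    "CN=SRV-Admins,OU=Server,OU=Security Groups,DC=XXX",
    "CN=APP-Finance,OU=Application,OU=Security Groups,DC=XXX",
    "CN=Linux-Ops,OU=Linux,OU=Server,OU=Security Groups,DC=XXX",
    "CN=Domain Admins,OU=Domain,DC=XXX",
]

# The OUs the connector is meant to manage (mirrors the advanceGroupFilter keys).
MANAGED_OUS = (
    "OU=Server,OU=Security Groups,DC=XXX",
    "OU=Application,OU=Security Groups,DC=XXX",
)

# Split a DN on commas that are not escaped with a backslash, so a value such
# as "Smith\, John" stays one RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_rdns(dn: str) -> list[str]:
    """Return the RDNs of a DN normalised for comparison: surrounding
    whitespace dropped and case folded, because AD DNs are case-insensitive."""
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn)]


def is_under_ou(dn: str, ou: str) -> bool:
    """True if dn lies strictly inside the subtree rooted at ou.

    Assumption: subtree scope, so an object in a nested OU below `ou` counts.
    The OU itself is not 'under' itself (len check), only objects beneath it.
    """
    parts, base = dn_rdns(dn), dn_rdns(ou)
    return len(parts) > len(base) and parts[-len(base):] == base


def partition_groups(dns, managed_ous):
    """Split reconciled group DNs into (in_scope, out_of_scope) lists.

    out_of_scope is the set to alert on: groups that reached Saviynt without
    living under any managed OU, i.e. pulled in through account membership.
    """
    in_scope, out_of_scope = [], []
    for dn in dns:
        if any(is_under_ou(dn, ou) for ou in managed_ous):
            in_scope.append(dn)
        else:
            out_of_scope.append(dn)
    return in_scope, out_of_scope


if __name__ == "__main__":
    kept, leaked = partition_groups(SAMPLE_GROUP_DNS, MANAGED_OUS)
    print("in scope:")
    for dn in kept:
        print("  ", dn)
    print("out of scope (entered via memberOf, review before import):")
    for dn in leaked:
        print("  ", dn)
```

Run it against the DN list exported from a real reconciliation run instead of the sample list; a non-empty out-of-scope list is the evidence to attach when raising the idea ticket, since it shows exactly which groups the OU filter is not holding back.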
08/08/2024 07:35 AM
Hi @rushikeshvartak
I have tried the above JSON to exclude the Domain OU, still the same issue.
08/08/2024 09:29 AM
You need to raise an idea ticket.
08/08/2024 07:57 AM
Hi @BalajiE, if they are assigned to an account they will be pulled into Saviynt.
What you can do is restrict it in Saviynt.
Only show the ones that are relevant at the time of request.
08/08/2024 09:55 AM
Hi @NM
Yes, we have already restricted all these groups from the request.
Even though those groups are not requestable, they are sensitive, so the customer doesn't want other applications to read them.
Wanted to know whether there is any possibility to restrict reading them from the Saviynt or target side.
08/08/2024 10:05 AM
@BalajiE, nope, the AD connector offers minimal customization in comparison to the rest.
Raise an idea 💡
08/09/2024 08:13 AM