
ADSI connector support for nested groups

GauravJain
Regular Contributor III

Hi

I wanted to confirm the following w.r.t. ADSI group management in Saviynt:

  1. Does the ADSI connector support nested groups? Can we add a child/parent group while creating a group from the "Create ADSI Groups" screen?
  2. While creating a group from the "Create ADSI Groups" screen, if we add a group owner, does Saviynt update it in AD's managedBy attribute, or just store it in Saviynt?
  3. If we add the configuration below for "managedBy" in CREATEGROUPJSON, group creation fails when we don't select a group owner while creating a new group. Otherwise it works. What is wrong with this configuration?
"managedBy": "${ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.name:null}"

Working config for CREATEGROUPJSON in ADSI connector

{
  "objects": [
    {
      "objectClasses": ["group"],
      "baseDn": "${role.customproperty24}",
      "attributes": {
        "cn": "${role.displayname}",
        "name": "${role.displayname}",
        "samaccountname": "${role.displayname}",
        "description": "${role.description}",
        "displayName": "${role.displayname}",
        "groupType": "${role?.customproperty21 == 'Security' && role?.customproperty22 == 'Global'?'-2147483646' : role?.customproperty21=='Security'&&role?.customproperty22=='Universal'?'-2147483640' : role?.customproperty21== 'Security'&&role?.customproperty22=='Domain Local' ? '-2147483644':role?.customproperty21=='Distribution'&&role?.customproperty22=='Global' ? '2':role?.customproperty21== 'Distribution'&&role?.customproperty22=='Universal'?'8':role?.customproperty21=='Distribution'&& role?.customproperty22=='Domain Local'?'4':''}"
      }
    }
  ]
}

rushikeshvartak
All-Star
  1. Does the ADSI connector support nested groups? Can we add a child/parent group while creating a group from the "Create ADSI Groups" screen? - No. Child groups need to be created / exist first.
  2. While creating a group from the "Create ADSI Groups" screen, if we add a group owner, does Saviynt update it in AD's managedBy attribute, or just store it in Saviynt? - Saviynt will store it in Saviynt. If you map it in the JSON, it will also be sent to the target.
  3. If we add the configuration below for "managedBy" in CREATEGROUPJSON, group creation fails when we don't select a group owner while creating a new group. Otherwise it works. What is wrong with this configuration? - What is the error?

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

GauravJain
Regular Contributor III

Thanks @rushikeshvartak for the quick revert.

On point 2 - The target was not updated with owner information even after putting the configuration for "managedBy" in the CREATEGROUPJSON as mentioned above. There is no error in the logs for this. I have logged an FD for this as well.

On point 3 - Following is the error message in the logs, with httpParams and responseText; it is not able to evaluate the Groovy expressions.

httpParams: [objects:[[objectClasses:[group], baseDn:${role.customproperty24}, attributes:[cn:${role.displayname}, name:${role.displayname}, samaccountname:${role.displayname}, description:${role.description}, displayName:${role.displayname}, groupType:${role?.customproperty21 == 'Security' && role?.customproperty22 == 'Global'?'-2147483646' : role?.customproperty21=='Security'&&role?.customproperty22=='Universal'?'-2147483640' : role?.customproperty21== 'Security'&&role?.customproperty22=='Domain Local' ? '-2147483644':role?.customproperty21=='Distribution'&&role?.customproperty22=='Global' ? '2':role?.customproperty21== 'Distribution'&&role?.customproperty22=='Universal'?'8':role?.customproperty21=='Distribution'&& role?.customproperty22=='Domain Local'?'4':''}, managedBy:${ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.name:null}]]], connectionString:[LDAP://domain:636]]

responseText:{| status": "Failure" | "failedObjects": [| {| "id": "${role.customproperty24}" | "status": "Failure" | "message": "Failed to create object of given objectClasses" | "messageCodes": "OBJ_ERR_00001" | "errorDetails": "OBJ_ERR_00001 : -2147016654 : An invalid dn syntax has been specified. : 0000208F: NameErr: DSID-03100225 problem 2006 (BAD_NAME) data 8350 best match of:\n\t'${role.customproperty24}'\n"| }| ] | "connectionString": "LDAP://domain:636"|}


Error in createOrUpdateGroups :
"java.lang.Exception: Error while GROUP CREATION IN ADSI at com.saviynt.provisoning.adsi.AdsiGroupManagementService.createOrUpdateGroups(AdsiGroupManagementService.groovy:156) at com.saviynt.provisoning.adsi.AdsiGroupManagementService.createUpdateDeleteGroupADSI(AdsiGroupManagementService.groovy:67) at com.saviynt.ecm.services.ArsTaskService.createEntitlementTarget(ArsTaskService.groovy:16815) at com.saviynt.ecm.services.ArsTaskService$_processParentTask_closure206.doCall(ArsTaskService.groovy:17055) at com.saviynt.ecm.services.ArsTaskService.processParentTask(ArsTaskService.groovy:17045) at com.saviynt.ecm.services.ArsTaskService.createEntitlement(ArsTaskService.groovy:16852) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:212) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"


Validate in the latest v24.7 version.


Regards,
Rushikesh Vartak

GauravJain
Regular Contributor III

Are you saying this will not work in 24.4 version?

To check that it is not a version issue, validate in the latest version.


Regards,
Rushikesh Vartak

GauravJain
Regular Contributor III

That's something we will have to plan; we can't just update the version in the environment. Also, I don't see anything w.r.t. this in the release notes for 24.7. I will raise an FD ticket for this. Thanks.

NM
Honored Contributor II

Hi @GauravJain, try this once:

"managedBy": "${ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.name:''}"

GauravJain
Regular Contributor III

Hi @NM, tried this but still getting the same error as mentioned earlier.
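As an added example (not from the thread and not Saviynt's own code), the stand-alone Groovy script below evaluates the posted managedBy expression and a null-safe variant against constructed data; it assumes that allOwnerList is an empty list when no group owner is selected and that ownerAccountListMap maps a username to a list of account objects with a name field. It illustrates one plausible cause of the failure: get(0) on an empty list throws before the ?. operator can help, and an exception during template evaluation would be consistent with the unresolved ${role.customproperty24} appearing in the logged DN.

```groovy
// Added example, not code from the thread or from Saviynt.
// Assumptions: allOwnerList is a List of owner objects exposing
// userkey.username, and ownerAccountListMap maps a username to a List of
// account objects whose .name is the DN written to managedBy.

// Constructed sample data (not real users, accounts or DNs).
def ownerAccountListMap = [
    'jdoe': [[name: 'CN=jdoe,OU=Users,DC=example,DC=com']]
]
def withOwner = [[userkey: [username: 'jdoe']]]
def noOwner   = []   // assumed shape when no group owner is selected

// The expression as posted (NM's variant with '' in the else branch; the
// original used null there, which fails the same way on an empty list).
def original = { allOwnerList ->
    (ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username) != null &&
     ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size() > 0 ?
        ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.name : '')
}

// Null-safe rewrite: the list subscript (getAt) returns null on an empty
// list instead of throwing, and every step of the chain uses ?. so a
// missing owner, userkey or account yields '' rather than an exception.
def nullSafe = { allOwnerList ->
    def accounts = ownerAccountListMap.get(allOwnerList?.getAt(0)?.userkey?.username)
    accounts ? (accounts[0]?.name ?: '') : ''
}

// With an owner both forms resolve the owner's account DN.
assert original(withOwner) == 'CN=jdoe,OU=Users,DC=example,DC=com'
assert nullSafe(withOwner) == 'CN=jdoe,OU=Users,DC=example,DC=com'

// With no owner, ArrayList.get(0) throws before ?. is ever evaluated.
try {
    original(noOwner)
    assert false : 'expected the original expression to throw'
} catch (IndexOutOfBoundsException e) {
    println "original expression failed: ${e.class.simpleName}"
}

// The null-safe form leaves managedBy empty instead of aborting evaluation.
assert nullSafe(noOwner) == ''
println "null-safe expression returned '${nullSafe(noOwner)}' with no owner"
```

Whether the null-safe form also fixes the connector's behaviour depends on how Saviynt's template engine handles the exception, so it should be confirmed in a non-production environment against the actual CREATEGROUPJSON.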