01/08/2024 06:09 PM
We have an Endpoint for Active Directory accounts. We want to create unique AD accounts for new joiners. For example, for user 1 with the name 'Amit Sharma', Saviynt should create an AD account with DN: 'CN=Amit Sharma,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local' and for another user 2 with the same name 'Amit Sharma', Saviynt should create another AD account with DN: 'CN=Amit Sharma1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local'. We have configured the "Account Name Rule" with Advanced Config because we want the distinguishedName as the Account name.
concat('CN=',users.displayname,',OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')
But Saviynt always attempts to create a task with Account name: 'CN=Amit Sharma,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local' for the 2nd user instead of 'CN=Amit Sharma1' and the Task status results in 'Error' with error message: 'Account with same name already associated to another user - (299849) in the same endpoint, so task is not processed'.
It does not even go to the ADSI connector configuration in the logs. Security System is configured with ADSI Connector.
We don't want to use Basic Config Auto Increment option as it does not satisfy our DN requirement. We also do not want to use FN_EIC_SEQGEN DB function because it will always append a number for all AD accounts even if they are unique.
Is this possible in Saviynt? The same works in 'System Username Generation Rule' and 'Email Generation Rule'.
The Saviynt logs have a message: "Checking for endpoint : 6 and entitlements-NULL; ExistingAccObj-null" which leads me to suspect it may be a Saviynt bug.
01/08/2024 06:13 PM
Remove - Check Unique Account : & Run microservices Job
01/10/2024 01:17 AM
Thanks @rushikeshvartak. I removed the Check Unique Account and ran the microservice job. It didn't help. I can see in the logs: ExistingAccObj-null. Saviynt didn't detect an existing account object before creating the Task. But later when executing the Task, Task status results in 'Error' with error message: 'Account with same name already associated to another user - (299849) in the same endpoint, so task is not processed'.
01/15/2024 10:39 PM
Hi
This suggestion didn't work. Is there any other suggestion please or is it a bug that Support needs to look into?
01/15/2024 10:50 PM
Did you raise a new request?
01/18/2024 05:20 AM
When you raise a new account, is the account name properly shown?
01/18/2024 01:02 AM
Hello @binoy,
Can you try to add "All" in Check Unique Account and try again.
Thanks.
01/18/2024 09:44 PM
I've tried with 'All' in Check Unique Account. It didn't help and it's still the same error.
Thanks
01/18/2024 10:04 PM
Delete and recreate the rule.
01/19/2024 01:05 AM
Tried that. Switched to 'Basic Config' which deleted the previous rule and switched back to 'Advanced Config'. Did not help.
This is a simplified version of our Advanced Config, we have to specify the whole DN as the Account ID because of two AD domains.
concat('CN=',users.displayname,',OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'1,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')#concat('CN=',users.displayname,'2,OU=Store Support Users,OU=Corporate,DC=DEVNET,DC=local')
01/19/2024 05:52 AM
Does the issue still exist?
Does the second account name populate on ARS?
01/22/2024 06:44 PM
It works from ARS. There is a log statement "Account CN=... exists so ignoring rule..." and it evaluates the 2nd user account name rule.
However, it still fails from Technical Rule. The issue is it does not detect the existing account.
01/22/2024 08:56 PM
It looks like a defect. Please raise a support ticket.
01/22/2024 09:18 PM
Thanks @rushikeshvartak
Isn't this a basic use case that other customers would have implemented already?
01/22/2024 09:21 PM
Ideally it should work, but via the technical rule it's not printing the rule itself.