09/04/2024 09:51 AM
Hi All,
We are developing a solution for user birthright access. We have a hybrid AD and Azure AD setup (an account created in AD is synced to Azure AD automatically).
The solution we are implementing is as follows:
1. User is onboarded from the HR source import.
2. A technical rule marked as birthright runs and creates the AD account.
3. Run the Azure account import after 30 minutes, as the sync time between AD and Azure AD is 30 minutes.
4. Run the user import from Azure AD. This is marked to only update users; new users are not onboarded by it.
5. Step 4 also checks customproperty23; if it is null, the preprocessor updates it to process birthright.
6. As soon as cp23 is updated, the User Update rule runs and triggers the technical rules that give the birthright access.
Everything is working fine with this approach.
The only issue is: if the Azure AD account import does not import the user's account and the user import runs before that, then it will trigger the birthright and Saviynt will try to create a new Azure AD account for the user.
---> To avoid this, is there a way to check whether the user's Azure AD account exists in Saviynt using a preprocessor query? If the account does not exist in Saviynt I will not update the birthright trigger; if the account exists then the birthright trigger will be updated in cp23.
Regards,
Abhay Yadav
09/04/2024 09:56 AM - edited 09/04/2024 09:28 PM
Yes, you can check by using the accounts table in the preprocessor.
Refer sample https://forums.saviynt.com/t5/identity-governance/preprocessor-query-to-check-entitlement-assignment...
{
  "ADDITIONALTABLES": {
    "USERS": "SELECT USERKEY, USERNAME FROM USERS",
    "ACCOUNTS": "SELECT ACCOUNTKEY, ENDPOINTKEY FROM ACCOUNTS",
    "USER_ACCOUNTS": "SELECT USERKEY, ACCOUNTKEY FROM USER_ACCOUNTS",
    "ENDPOINTS": "SELECT ENDPOINTKEY, ENDPOINTNAME FROM ENDPOINTS"
  },
  "COMPUTEDCOLUMNS": [
    "CUSTOMPROPERTY23"
  ],
  "PREPROCESSQUERIES": [
    "UPDATE NEWUSERDATA NU SET CUSTOMPROPERTY23 = (SELECT 'Birthright' FROM CURRENTUSERS CU JOIN CURRENTUSER_ACCOUNTS CUA ON CU.USERKEY = CUA.USERKEY JOIN CURRENTACCOUNTS CA ON CUA.ACCOUNTKEY = CA.ACCOUNTKEY JOIN CURRENTENDPOINTS CE ON CA.ENDPOINTKEY = CE.ENDPOINTKEY WHERE CU.USERNAME = NU.USERNAME AND CE.ENDPOINTNAME = 'AzureAD' LIMIT 1)"
  ]
}
09/04/2024 09:04 PM
@Abhay_Yadav
You can try this below.
{
  "ADDITIONALTABLES": {
    "USERS": "SELECT USERKEY, USERNAME FROM USERS",
    "ACCOUNTS": "SELECT ACCOUNTKEY, ENDPOINTKEY FROM ACCOUNTS",
    "USER_ACCOUNTS": "SELECT USERKEY, ACCOUNTKEY FROM USER_ACCOUNTS",
    "ENDPOINTS": "SELECT ENDPOINTKEY, ENDPOINTNAME FROM ENDPOINTS"
  },
  "COMPUTEDCOLUMNS": [
    "CUSTOMPROPERTY23"
  ],
  "PREPROCESSQUERIES": [
    "UPDATE NEWUSERDATA NU SET CUSTOMPROPERTY23 = (SELECT 'Birthright' FROM CURRENTUSERS CU JOIN CURRENTUSER_ACCOUNTS CUA ON CU.USERKEY = CUA.USERKEY JOIN CURRENTACCOUNTS CA ON CUA.ACCOUNTKEY = CA.ACCOUNTKEY JOIN CURRENTENDPOINTS CE ON CA.ENDPOINTKEY = CE.ENDPOINTKEY WHERE CU.USERNAME = NU.USERNAME AND CE.ENDPOINTNAME = 'AzureAD' LIMIT 1)"
  ]
}
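Both preprocessor answers above look the Azure AD account up in the accounts table from inside the user import. The following is an added example, not code from this thread or from Saviynt, that runs the same check stand-alone against mock copies of the preprocessor's working tables (plain MySQL or SQLite, with constructed rows) so the three cases a practitioner cares about can be seen side by side: the Azure account is already imported, the Azure account is not imported yet, and cp23 was already set by an earlier run. Table and column names follow the thread; the `STATUS = '1'` filter for an active account is an assumption to verify against your own accounts table. In the real job the UPDATE statement goes into PREPROCESSQUERIES, CUSTOMPROPERTY23 into COMPUTEDCOLUMNS, and ENDPOINTS must be listed in ADDITIONALTABLES so that CURRENTENDPOINTS exists.

```sql
-- Added example, not from the original thread or from Saviynt.
-- Stand-alone mock of the preprocessor's working tables so the account-existence
-- check can be exercised offline (MySQL or SQLite). Table and column names follow
-- the thread; every row below is constructed sample data.

CREATE TABLE NEWUSERDATA          (USERNAME VARCHAR(64), CUSTOMPROPERTY23 VARCHAR(64));
CREATE TABLE CURRENTUSERS         (USERKEY INT, USERNAME VARCHAR(64));
CREATE TABLE CURRENTENDPOINTS     (ENDPOINTKEY INT, ENDPOINTNAME VARCHAR(64));
CREATE TABLE CURRENTACCOUNTS      (ACCOUNTKEY INT, ENDPOINTKEY INT, NAME VARCHAR(64), STATUS VARCHAR(32));
CREATE TABLE CURRENTUSER_ACCOUNTS (USERKEY INT, ACCOUNTKEY INT);

-- Constructed data: three users arriving in the Azure AD user import.
INSERT INTO NEWUSERDATA VALUES ('alice', NULL), ('bob', NULL), ('carol', 'Done');
INSERT INTO CURRENTUSERS VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
INSERT INTO CURRENTENDPOINTS VALUES (10, 'AD'), (11, 'AzureAD');
-- alice: AD and AzureAD accounts already imported.
-- bob:   AD only; the Azure account import has not picked his account up yet.
-- carol: AzureAD account exists but cp23 was already set by an earlier run.
INSERT INTO CURRENTACCOUNTS VALUES (100, 10, 'alice', '1'), (101, 11, 'alice', '1'),
                                   (102, 10, 'bob',   '1'), (103, 11, 'carol', '1');
INSERT INTO CURRENTUSER_ACCOUNTS VALUES (1, 100), (1, 101), (2, 102), (3, 103);

-- The statement that would sit in PREPROCESSQUERIES.
-- EXISTS instead of a scalar subquery, so a user with several AzureAD accounts
-- cannot make the subquery return more than one row; the IS NULL guard means an
-- already-set cp23 is never rewritten, so the User Update rule fires once, not on
-- every import run. The correlation uses the bare table name because the mock
-- runs on SQLite as well as MySQL.
UPDATE NEWUSERDATA
   SET CUSTOMPROPERTY23 = 'Birthright'
 WHERE CUSTOMPROPERTY23 IS NULL
   AND EXISTS (SELECT 1
                 FROM CURRENTUSERS CU
                 JOIN CURRENTUSER_ACCOUNTS CUA ON CU.USERKEY = CUA.USERKEY
                 JOIN CURRENTACCOUNTS CA      ON CUA.ACCOUNTKEY = CA.ACCOUNTKEY
                 JOIN CURRENTENDPOINTS CE     ON CA.ENDPOINTKEY = CE.ENDPOINTKEY
                WHERE CU.USERNAME = NEWUSERDATA.USERNAME
                  AND CE.ENDPOINTNAME = 'AzureAD'
                  AND CA.STATUS = '1');   -- assumed value for an active account

-- Result: alice -> Birthright; bob -> NULL (left alone until his Azure account is
-- imported, so no rule fires and no duplicate account is provisioned); carol -> Done.
SELECT USERNAME, CUSTOMPROPERTY23 FROM NEWUSERDATA ORDER BY USERNAME;
```

Run it with `sqlite3 :memory: < check.sql` or `mysql <db> < check.sql` and read the final SELECT. The bob row is the case from the original question: because no AzureAD account row is joined, cp23 stays NULL and the User Update rule never sees a change, which is what keeps Saviynt from provisioning a second Azure AD account. This closes the race from the preprocessor side; running the account import before the user import in a trigger chain, as suggested in this thread, still makes the ordering deterministic and is worth doing as well.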
09/05/2024 01:31 AM
Hi @Abhay_Yadav, you can create a trigger chain and have the account import job run before the user import job.
09/05/2024 01:58 AM
Only issue is if Azure AD account import does not import the account of the user and User import runs before that then it will trigger the birth right and saviynt will try to create a new Azure ad account for user.
You can use trigger chain job to solve this problem.
is there a way to check if users Azure AD account exists in Saviynt using Preprocessor Query
If the account doesn't exist because the account import has not run yet, the query will also not know that; it will still set the attribute to birthright and trigger the rule.
Either you can use the trigger job (whether or not to validate the accounts table in the preprocessor is your choice; to me that looks like a safety filter),
or, instead of using the Azure user import job, use a Sav4Sav user import, take the data from the Azure accounts into the Saviynt user, and also update the birthright attribute when needed.