
Check if Azure AD account exists in Saviynt during user import

Abhay_Yadav
New Contributor II

Hi All,

We are developing a solution for user birthright. We have a hybrid AD and Azure AD setup (an account created in AD is synced to Azure AD automatically).

The solution we are implementing is as follows:

1. User onboarded from HR Source Import.

2. Technical rule marked as birth right runs and creates AD account

3. Run Azure Account Import after 30 mins as Sync time is 30 mins for AD and Azure AD.

4. Run User import from Azure AD. This is marked to only update the User and new users are not onboarded using this.

5. Step 4 also checks customproperty23; if it is null, the Preprocessor updates it to Process Birth right.

6. As soon as cp23 is updated, the User Update rule runs and triggers the technical rules, which give access to birthright.

 

Everything is working fine with this approach. 

The only issue is that if the Azure AD account import does not import the user's account and the User import runs before that, it will trigger the birthright and Saviynt will try to create a new Azure AD account for the user.

---> To avoid this, is there a way to check whether the user's Azure AD account exists in Saviynt using a Preprocessor Query? If the account does not exist in Saviynt, I will not update the birthright trigger. If the account exists, the birthright trigger will be updated in cp23.

 

Regards,

Abhay Yadav


rushikeshvartak
All-Star

Yes, you can check by using the accounts table in the preprocessor.

Refer to this sample: https://forums.saviynt.com/t5/identity-governance/preprocessor-query-to-check-entitlement-assignment...

 

{
  "ADDITIONALTABLES": {
    "USERS": "SELECT USERKEY, USERNAME FROM USERS",
    "ACCOUNTS": "SELECT * FROM ACCOUNTS",
    "USER_ACCOUNTS": "SELECT * FROM user_accounts"
  },
  "COMPUTEDCOLUMNS": [
    "CUSTOMPROPERTY23"
  ],
  "PREPROCESSQUERIES": [
    "UPDATE NEWUSERDATA NU SET customproperty23 = (SELECT 'Birthright' FROM CURRENTUSERS CU JOIN CURRENTUSER_ACCOUNTS CUA ON CU.USERKEY = CUA.USERKEY JOIN CURRENTACCOUNTS CA ON CUA.ACCOUNTKEY = CA.ACCOUNTKEY JOIN CURRENTENDPOINTS CE ON CA.ENDPOINTKEY = CE.ENDPOINTKEY WHERE CU.USERNAME = NU.USERNAME AND CE.ENDPOINTNAME = 'AzureAD')"
  ]
}

 


Regards,
Rushikesh Vartak
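Added example, not part of the original post and not Saviynt code: a SQLite simulation of the query above on constructed data, showing which users end up with customproperty23 set. The sample rows, the 'Processed' value, the assumption that NEWUSERDATA carries an existing cp23 value, and the guarded variant are all assumptions made for illustration.

```python
import sqlite3

# Constructed stand-ins for the preprocessor tables named in the thread's query.
SCHEMA = """
CREATE TABLE NEWUSERDATA (USERNAME TEXT, customproperty23 TEXT);
CREATE TABLE CURRENTUSERS (USERKEY INTEGER, USERNAME TEXT);
CREATE TABLE CURRENTUSER_ACCOUNTS (USERKEY INTEGER, ACCOUNTKEY INTEGER);
CREATE TABLE CURRENTACCOUNTS (ACCOUNTKEY INTEGER, ENDPOINTKEY INTEGER);
CREATE TABLE CURRENTENDPOINTS (ENDPOINTKEY INTEGER, ENDPOINTNAME TEXT);
-- alice: AD + AzureAD; bob: AD only (not synced yet); carol: no accounts;
-- dave: AzureAD account and a cp23 value already set (constructed value)
INSERT INTO NEWUSERDATA VALUES ('alice', NULL), ('bob', NULL),
                               ('carol', NULL), ('dave', 'Processed');
INSERT INTO CURRENTUSERS VALUES (1,'alice'), (2,'bob'), (3,'carol'), (4,'dave');
INSERT INTO CURRENTENDPOINTS VALUES (10,'AzureAD'), (20,'ActiveDirectory');
INSERT INTO CURRENTACCOUNTS VALUES (100,10), (101,20), (200,20), (400,10);
INSERT INTO CURRENTUSER_ACCOUNTS VALUES (1,100), (1,101), (2,200), (4,400);
"""

# Join from the thread; the NU alias is spelled out as NEWUSERDATA for SQLite.
HAS_AZURE = """
SELECT 'Birthright' FROM CURRENTUSERS CU
JOIN CURRENTUSER_ACCOUNTS CUA ON CU.USERKEY = CUA.USERKEY
JOIN CURRENTACCOUNTS CA ON CUA.ACCOUNTKEY = CA.ACCOUNTKEY
JOIN CURRENTENDPOINTS CE ON CA.ENDPOINTKEY = CE.ENDPOINTKEY
WHERE CU.USERNAME = NEWUSERDATA.USERNAME AND CE.ENDPOINTNAME = 'AzureAD'
"""

# As posted: every row is rewritten; a user with no AzureAD account gets NULL.
AS_POSTED = f"UPDATE NEWUSERDATA SET customproperty23 = ({HAS_AZURE})"

# Guarded variant (assumption, not from the thread): touch only rows whose
# cp23 is still NULL and that have an AzureAD account.
GUARDED = (f"UPDATE NEWUSERDATA SET customproperty23 = 'Birthright' "
           f"WHERE customproperty23 IS NULL AND EXISTS ({HAS_AZURE})")

def run(update_sql):
    """Apply update_sql to a fresh copy of the sample data; return {user: cp23}."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute(update_sql)
    return dict(db.execute("SELECT USERNAME, customproperty23 FROM NEWUSERDATA"))

if __name__ == "__main__":
    for name, sql in (("as posted", AS_POSTED), ("guarded", GUARDED)):
        print(name, run(sql))
```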

stalluri
Valued Contributor II

@Abhay_Yadav 
You can try this below.

{
  "ADDITIONALTABLES": {
    "USERS": "SELECT USERKEY, USERNAME FROM USERS",
    "ACCOUNTS": "SELECT * FROM ACCOUNTS",
    "user_accounts": "SELECT * FROM user_accounts"
  },
  "COMPUTEDCOLUMNS": [
    "CUSTOMPROPERTY23"
  ],
  "PREPROCESSQUERIES": [
    "UPDATE NEWUSERDATA NU SET customproperty23 = (SELECT 'Birthright' FROM CURRENTUSERS CU JOIN CURRENTUSER_ACCOUNTS CUA ON CU.USERKEY = CUA.USERKEY JOIN CURRENTACCOUNTS CA ON CUA.ACCOUNTKEY = CA.ACCOUNTKEY JOIN CURRENTENDPOINTS CE ON CA.ENDPOINTKEY = CE.ENDPOINTKEY WHERE CU.USERNAME = NU.USERNAME AND CE.ENDPOINTNAME = 'AzureAD')"
  ]
}

 


Best Regards,
Sam Talluri

NM
Honored Contributor II

Hi @Abhay_Yadav you can create a trigger chain and have account import job run before user import job.

Amit_Malik
Valued Contributor II

The only issue is that if the Azure AD account import does not import the user's account and the User import runs before that, it will trigger the birthright and Saviynt will try to create a new Azure AD account for the user.

You can use a trigger chain job to solve this problem.

is there a way to check whether the user's Azure AD account exists in Saviynt using a Preprocessor Query

If the account doesn't exist because the account import has not run yet, the query will also not know that; it will still set the attribute to birthright and trigger the rule.

 

Either you can use a trigger job (whether or not to validate the accounts table in the preprocessor is your choice; to me that looks like a safety filter),

or, instead of using the Azure user import job, use a Sav4Sav user import, take data from Azure accounts into the Saviynt user, and also update the birthright attribute when needed.

 

 

 

Kind Regards,
Amit Malik