
deleteAllGroups attribute in Active Directory connector configurations

varunpuri
Regular Contributor
In the disableAccountJSON, there is a property named deleteAllGroups.
 
To enable the deleteAllGroups attribute, update the following configuration in the connection configuration for an endpoint.
<conf><ADDMEMBERTOENT>TRUE</ADDMEMBERTOENT><ADDUSERTOENT>TRUE</ADDUSERTOENT></conf>
 
While in the Creating Endpoints guide (https://saviynt.freshdesk.com/support/solutions/articles/43000556316-creating-endpoints), the following is mentioned:
 
CONNECTION CONFIGURATION
Specify this parameter for managing Active Directory groups from the user interface.
Set the value of ConnectionConfig to <ADDMEMBERTOENT>True</ADDMEMBERTOENT>.
In Show Endpoints, add <conf><ADDMEMBERTOENT>True</ADDMEMBERTOENT> </conf> in the ConnectionConfig parameter.
Specify <ADDMEMBERTOENT>True</ADDMEMBERTOENT> between <conf> and </conf>.
 
In both of the above places, the context behind setting this value is different: the connector guide asks to set it in order to be able to enable the deleteAllGroups attribute, while the Creating Endpoints guide asks to set it in order to be able to create/delete groups in AD from the Saviynt UI.
 
Please let us know whether the deleteAllGroups attribute will work without setting this configuration or not.
 
When we try to add this exact value in the Connection Configuration of the AD endpoint, we get the following error: Operation not allowed, as you are entering a value that resembles or contains script code.
 
 

Enakshi
Saviynt Employee

<conf><ADDMEMBERTOENT>TRUE</ADDMEMBERTOENT><ADDUSERTOENT>TRUE</ADDUSERTOENT></conf> --> Try this if you're on a lower version (v5.5SP3.x or v5.5SP5.x)

{ "conf":[ {"ADDUSERTOENT":"TRUE"}, {"ADDMEMBERTOENT":"TRUE"} ]} --> Try this if you're on a higher version (v2021 or v2022)

varunpuri
Regular Contributor

Thank You, Enakshi

Kindly also clarify the context for which this configuration can be used.

1. At the time of Account Disable - is this configuration mandatory if the deleteAllGroups attribute has to be used in the disableAccountJSON?
2. Or is this configuration required only so that Saviynt is able to create/delete groups in AD?
3. Or for both of the above?

Best Regards,

Varun

This is a mandatory configuration to remove AD groups from the user on disable/deprovision.

varunpuri
Regular Contributor

Thank You, Enakshi. I'll try this configuration out and revert back on the findings.

Best Regards,
Varun

deleteAllGroups will remove all groups when the account is disabled.


Regards,
Rushikesh Vartak