We are delighted to share our new EIC Delivery Methodology for efficiently managing Saviynt Implementations and delivering quick time to value. CLICK HERE.

Displayname must be the same as CN value while creating groups in Active Directory through API

Caesrob
Regular Contributor
Regular Contributor
While trying to create groups in Active Directory through the API with a different displayname than cn name, we ran into a bug (or at least we think it's a bug). 
The entitlement_value of our entitlement is different than our displayname. The entitlement_value has the complete DN of the group in Active Directory while the displayname is a shortened name for the group. When provisioning this new group to Active Directory after creating the entitlement on Saviynt, this throws an error.
 
 I will post screenshots in order to show which steps have been taken to reproduce this issue. 
Screenshot 1-4 shows an entitlement with the same displayname as cn value being provisioned, this works.
Screenshot 5-7 shows an entitlement with a different displayname than cn value being provisioned, this doesn't work.
testBug2 errors csv file shows the errors when trying to provision the group. You can see here that cn, sAMaccountName and name are being resolved to "testBugdisplayname" which is not correct. This should be the cn of the entitlement_value.
 
NOTE: When provisioning groups which have the same displayname as CN value in the entitlement_value, it works fine. 
 
Below you can find our createUpdateMappings JSON in the Active Directory connector. This is almost completely copied from the documentation. 
"cn": "${role?.customproperty27}",
"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=dev-uni,DC=uhasselt,DC=be",
"displayName": "${role?.displayname}",
"description": "${role?.description}",
"sAMAccountName": "${role?.customproperty27}",
"objectClass": "group",
"name": "${role?.customproperty27}",
"groupType": "${role?.customproperty21 == 'Security' && role?.customproperty22 == 'Global' ? '-2147483646': role?.customproperty21 == 'Security' && role?.customproperty22 == 'Universal' ? '-2147483640' : role?.customproperty21 == 'Security' && role?.customproperty22 == 'Domain Local' ? '-2147483644' : role?.customproperty21 == 'Distribution' && role?.customproperty22 == 'Global' ? '2' : role?.customproperty21 == 'Distribution' && role?.customproperty22 == 'Universal' ? '8' : role?.customproperty21 == 'Distribution' && role?.customproperty22 == 'Domain Local' ? '4' : ''}"
 
I'll post screenshot 5,6 and 7 here since I can't attach more than 4 files.
 
SS5:
Caesrob_2-1699954773490.png

SS6:

Caesrob_3-1699954791893.png

 

SS7:
Caesrob_4-1699954803971.png

 

 
3 REPLIES 3

saikanumuri
Saviynt Employee
Saviynt Employee

Hi @Caesrob 

Thanks for reaching out. Can you please share the error from the logs when the display name is different?

Caesrob
Regular Contributor
Regular Contributor

Ye, sure!

This is the entitlement we made (CN=TestCN, displayname=TestDisplayname):

Caesrob_2-1700562790086.png

 

Here is the error we receive in the logs:

Caesrob_3-1700562900886.png

 

We also see this in the logs. It seems that the customproperty27 in the role (which we copied from documentation) is setting the displayname as sAMAccountname and CN of the group, which isn't correct.

Caesrob_4-1700562952813.png

 

 

Dave
Community Manager
Community Manager

@Caesrob - Do you still need assistance with this matter?