Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Displayname must be the same as CN value while creating groups in Active Directory through API

Caesrob
Regular Contributor
Regular Contributor

‎11/14/2023 01:40 AM

While trying to create groups in Active Directory through the API with a different displayname than cn name, we ran into a bug (or at least we think it's a bug). 
The entitlement_value of our entitlement is different than our displayname. The entitlement_value has the complete DN of the group in Active Directory while the displayname is a shortened name for the group. When provisioning this new group to Active Directory after creating the entitlement on Saviynt, this throws an error.
 
 I will post screenshots in order to show which steps have been taken to reproduce this issue. 
Screenshot 1-4 shows an entitlement with the same displayname as cn value being provisioned, this works.
Screenshot 5-7 shows an entitlement with a different displayname than cn value being provisioned, this doesn't work.
testBug2 errors csv file shows the errors when trying to provision the group. You can see here that cn, sAMaccountName and name are being resolved to "testBugdisplayname" which is not correct. This should be the cn of the entitlement_value.
 
NOTE: When provisioning groups which have the same displayname as CN value in the entitlement_value, it works fine. 
 
Below you can find our createUpdateMappings JSON in the Active Directory connector. This is almost completely copied from the documentation. 
"cn": "${role?.customproperty27}",
"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=dev-uni,DC=uhasselt,DC=be",
"displayName": "${role?.displayname}",
"description": "${role?.description}",
"sAMAccountName": "${role?.customproperty27}",
"objectClass": "group",
"name": "${role?.customproperty27}",
"groupType": "${role?.customproperty21 == 'Security' && role?.customproperty22 == 'Global' ? '-2147483646': role?.customproperty21 == 'Security' && role?.customproperty22 == 'Universal' ? '-2147483640' : role?.customproperty21 == 'Security' && role?.customproperty22 == 'Domain Local' ? '-2147483644' : role?.customproperty21 == 'Distribution' && role?.customproperty22 == 'Global' ? '2' : role?.customproperty21 == 'Distribution' && role?.customproperty22 == 'Universal' ? '8' : role?.customproperty21 == 'Distribution' && role?.customproperty22 == 'Domain Local' ? '4' : ''}"
 
I'll post screenshot 5,6 and 7 here since I can't attach more than 4 files.
 
SS5:
Caesrob_2-1699954773490.png

SS6:

Caesrob_3-1699954791893.png

 

SS7:
Caesrob_4-1699954803971.png

 

 
0 Kudos
3 REPLIES 3

saikanumuri
Saviynt Employee
Saviynt Employee

‎11/20/2023 01:56 AM

Hi @Caesrob 

Thanks for reaching out. Can you please share the error from the logs when the display name is different?

0 Kudos

Caesrob
Regular Contributor
Regular Contributor
In response to saikanumuri

‎11/21/2023 02:36 AM

Ye, sure!

This is the entitlement we made (CN=TestCN, displayname=TestDisplayname):

Caesrob_2-1700562790086.png

 

Here is the error we receive in the logs:

Caesrob_3-1700562900886.png

 

We also see this in the logs. It seems that the customproperty27 in the role (which we copied from documentation) is setting the displayname as sAMAccountname and CN of the group, which isn't correct.

Caesrob_4-1700562952813.png

 

 

0 Kudos

Dave
Community Manager
Community Manager

‎01/31/2024 08:51 AM

@Caesrob - Do you still need assistance with this matter?  

0 Kudos
Copyright © 2024 Khoros, LLC