
Don't create an AD account if the user already has an existing one.

Ivan5533
Regular Contributor

Hello,

We have a use case in which we import AD accounts and correlate them with the user. When we read the SAP user, it triggers the technical rule that creates an AD account and creates a New account task (which fails because there is already an account with the same values in AD). I want to emphasize that when the SAP user is imported, the existing account and the user are mapped correctly, but Saviynt tries to create an additional account. Is there any way to limit this and not create the AD account if the user already has an existing one?

I can think of creating a query in the technical rule that checks if the user already has an AD account, but I would like to know if there are other alternatives.

Thank you!

Ivan


naveenss
All-Star

Hi @Ivan5533 Can you please share the configurations of the rule?

 

Regards,
Naveen Sakleshpur
If this reply answered your question, please click the Accept As Solution button to help future users who may have a similar problem.

Hello,

 

I'm Ivan's colleague. Our actual rule's configuration looks like this:

alanrojas_0-1717605230093.png

Thank you,

 

Regards,

Alan Rojas

rushikeshvartak
All-Star

Share endpoint configuration and account name rule


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hello,

Regarding the endpoint configuration, we only have these on: 

alanrojas_1-1717605385993.png

Regarding the account name rule, this is the sql query that generates it: 

alanrojas_2-1717605473513.png

Thank you,

 

Best regards,

Alan Rojas

You can use an advanced query in the technical / user update rule to validate whether the user already has an account or not.


Regards,
Rushikesh Vartak

Hi @rushikeshvartak 

Could you provide me a sample?

Thank you,

Iván

(##a.location isupdated##) and a.id not in (select distinct us.userkey from User_accounts us, Accounts cc, Endpoints ep where us.accountkey=cc.id and cc.endpointkey =ep.id and ep.endpointname='ESS Application Access')


Regards,
Rushikesh Vartak

PremMahadikar
Valued Contributor

Hi @Ivan5533 ,

If you are looking for a sample to trigger technical/user update rules to check account existence - Below is the answer:

a.statuskey=1 and customproperty10='White' and a.id not in (select ua.userkey from Accounts acc, User_accounts ua, Endpoints e where acc.id=ua.accountkey and acc.endpointkey=e.id and e.endpointname='<AD Endpoint Name>')

Doc Reference: Obtaining the attribute details from tables other than the Users table for the Advanced Config query...

PremMahadikar_0-1717659785652.png

 

If this helps your question, please consider selecting Accept As Solution and hit Kudos

Hello,

 

We have tried your query, but it is not working because of the use case. Let me explain it to you.

First, we are creating an account in AD, then we are importing it to Saviynt. After that, we are creating the Identity which is going to correlate with the account imported. Lastly, we execute the import job again so the account correlates with the identity.

Thus, it becomes clear that during the Identity import process, the query fails to recognize the existence of an account since it has not yet been correlated.

How could we achieve our goal? Could you please help us in this issue?

Thank you in advance.

 

Regards,

Alan Rojas

@alanrojas ,

You can still achieve it!

Is the account name the same as any user attribute in your case?

Hi,

Finally, we have achieved it this way: comparing one attribute of the user with another one in the accounts table. Since the account was not correlated with the user at the moment of the import, we could not get it with a query that implied a join between the users and accounts tables.

 

Kind regards,

Ivan
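
Added example, not part of any poster's reply and not Saviynt's own code: a Python/sqlite3 model of why the join-based check from the replies misses an AD account that is imported but not yet correlated, while an attribute comparison against the accounts table catches it. The table layout is a constructed simplification, and the username and name columns, the 'AD' endpoint name and the sample rows are assumptions, since the thread does not say which attributes were compared.

```python
import sqlite3

# Constructed, simplified stand-ins for the tables named in the thread's queries.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE endpoints (id INTEGER PRIMARY KEY, endpointname TEXT);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, endpointkey INTEGER);
CREATE TABLE user_accounts (userkey INTEGER, accountkey INTEGER);
"""

# Check from the replies: relies on the user_accounts correlation row.
JOIN_CHECK = """
SELECT a.id FROM users a WHERE a.id NOT IN (
  SELECT ua.userkey FROM accounts acc, user_accounts ua, endpoints e
  WHERE acc.id = ua.accountkey AND acc.endpointkey = e.id AND e.endpointname = :ep)
"""

# Check by attribute: works before correlation (assumes account name == username).
ATTR_CHECK = """
SELECT a.id FROM users a WHERE NOT EXISTS (
  SELECT 1 FROM accounts acc, endpoints e
  WHERE acc.endpointkey = e.id AND e.endpointname = :ep
    AND lower(acc.name) = lower(a.username))
"""

def users_needing_account(conn, query, endpoint="AD"):
    """Return user ids for which the rule would raise a New Account task."""
    return sorted(r[0] for r in conn.execute(query, {"ep": endpoint}))

def build_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO endpoints VALUES (1, 'AD')")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "jdoe"), (2, "asmith"), (3, "newhire")])
    # jdoe: imported and correlated; asmith: imported, not yet correlated.
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(10, "jdoe", 1), (11, "ASmith", 1)])
    conn.execute("INSERT INTO user_accounts VALUES (1, 10)")
    return conn

if __name__ == "__main__":
    conn = build_demo()
    print("join check:", users_needing_account(conn, JOIN_CHECK))
    print("attribute check:", users_needing_account(conn, ATTR_CHECK))
```

The case-insensitive comparison is a choice made for this sketch; whichever attribute pair is used has to be unique per person, otherwise one user's existing account suppresses provisioning for another.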

Please share configs


Regards,
Rushikesh Vartak