02/17/2023 05:56 AM
The solution should be able to generate a random password for specific users (e.g., username starting with 'ABC') when a user is added via user import over a DB connection
and notify them over email with their username and password (randomly generated by Saviynt) so that they are able to log on to Saviynt EIC.
This solution does not have SSO.
We have created a Password Policy for the same and set the scope as 'user', and have a user update rule that will check the
condition if the username starts with 'ABC' and take the action - Notify as an email.
In the email template, when we are using '${user.password}', it is sending the same password 'NO_PASSWORD' to the users.
How do we achieve this task?
02/17/2023 06:00 AM - edited 02/17/2023 06:01 AM
Use ${randompassword} for users whose username starts with 'ABC', since you are auto-generating.
Also, I hope you have already handled the logic in the import so that, when the username starts with 'ABC', the password is auto-generated instead of you assigning the default password.
02/17/2023 06:16 AM
How do we assign a random auto-generated password in the import logic, and where do we assign it?
02/17/2023 06:40 AM
I thought you were already assigning a random password as part of User Import. By default, Saviynt doesn't require a password to create/import users, so users will not have any password by default unless you are mapping one as part of your import. Please share your USERIMPORT XML.
02/17/2023 07:44 AM - edited 02/17/2023 07:45 AM
This is the UserImport XML we are using. Please let us know if we need to add any specific import settings. Thanks.
<dataMapping>
  <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
    <![CDATA[Select USERID as username,firstname, lastname from db2db where USERID LIKE 'ABC%';
    ]]>
  </sql-query>
  <importsettings>
    <zeroDayProvisioning>true</zeroDayProvisioning>
    <generateEmail>false</generateEmail>
    <userNotInFileAction>NOACTION</userNotInFileAction>
    <checkRules>true</checkRules>
    <buildUserMap>true</buildUserMap>
    <generateSystemUsername>false</generateSystemUsername>
    <userReconcillationField>username</userReconcillationField>
  </importsettings>
  <mapper description="This is the mapping field for Saviynt Field name">
    <mapfield saviyntproperty="username" sourceproperty="username" type="character"></mapfield>
    <mapfield saviyntproperty="firstname" sourceproperty="firstname" type="number"></mapfield>
    <mapfield saviyntproperty="lastname" sourceproperty="lastname" type="character"></mapfield>
  </mapper>
</dataMapping>
02/17/2023 08:00 AM - edited 02/17/2023 08:01 AM
I have personally not tried this, but I just want to give it a try.
Try to map the password attribute and see if you are getting the same value in the email; then you can think about implementing a random password.
<dataMapping>
  <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
    <![CDATA[Select USERID as username,firstname, lastname, 'Testing@1234' as usr_password from db2db where USERID LIKE 'ABC%';
    ]]>
  </sql-query>
  <importsettings>
    <zeroDayProvisioning>true</zeroDayProvisioning>
    <generateEmail>false</generateEmail>
    <userNotInFileAction>NOACTION</userNotInFileAction>
    <checkRules>true</checkRules>
    <buildUserMap>true</buildUserMap>
    <generateSystemUsername>false</generateSystemUsername>
    <userReconcillationField>username</userReconcillationField>
  </importsettings>
  <mapper description="This is the mapping field for Saviynt Field name">
    <mapfield saviyntproperty="username" sourceproperty="username" type="character"></mapfield>
    <mapfield saviyntproperty="firstname" sourceproperty="firstname" type="number"></mapfield>
    <mapfield saviyntproperty="lastname" sourceproperty="lastname" type="character"></mapfield>
    <mapfield saviyntproperty="password" sourceproperty="usr_password" type="character"></mapfield>
  </mapper>
</dataMapping>
And use ${user.password} as the variable for the password in the email template.
02/19/2023 11:16 PM
This will be a security breach/audit concern; don't use this method.
02/20/2023 01:16 AM - edited 02/20/2023 06:46 AM
Tried it for the purpose of testing; it sends out an encrypted password,
and when we use '${randomPassword}' in the email template, the email isn't getting sent.
How can we overcome this?
02/20/2023 06:48 AM
Was able to log in with password 'Test@123',
but how do we generate a random password and send it across in email?
${randomPassword} in UserImportJSON and EmailTemplate doesn't yield any results.
02/17/2023 06:01 AM
Use technical birthright rules.
02/17/2023 06:17 AM
Can you please share an example of the Action?
02/19/2023 11:20 PM
You can try Change Password.
02/19/2023 11:48 PM
Can you please elaborate on this, as we don't have 'Change Password' under Technical rules?
02/20/2023 02:49 AM
User Update Rule*
02/20/2023 06:30 AM
The next step here, after choosing 'Change Password', prompts us to choose an endpoint,
but we don't want to specify any endpoints since this password being generated is for Saviynt EIC.
02/20/2023 06:32 AM
@rushikeshvartak you just showed the "changepassword" option in the user update rule. The issue is that this user import will not have an endpoint; it's only a connection. Then what endpoint would I select for "changepassword"? A detailed answer would really help.
03/14/2023 08:17 AM
@rushikeshvartak @Saathvik
Do we have any update on this?
03/14/2023 11:58 AM
@Uzair You need to build logic to generate a random password in SQL instead of 'Testing@1234' and map it to usr_password in the above SQL query I shared previously. You cannot use ${randompassword} in that query.
Example: SELECT CONCAT(SUBSTRING(firstname, 1,3),SUBSTRING(USERID, 1,3),SUBSTRING(lastname, 1,3),"#",CHAR_LENGTH(firstname),CHAR_LENGTH(USERID),CHAR_LENGTH(firstname))
But I feel it is not the right way to implement it. See if you can achieve it using some user update rule or through an external JAR.
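Added example (not written by any poster in this thread and not Saviynt code): the CONCAT expression in the last reply builds each password only from the user's own firstname, USERID and lastname, so the result is a fixed function of directory attributes rather than a secret. The Python below mirrors that expression on a constructed row and contrasts it with a generator that draws every character from the operating system's CSPRNG; the sample row, the symbol set and the 16-character default are assumptions.

```python
import math
import secrets
import string

# Constructed sample row; column names follow the thread's import query.
SAMPLE_USER = {"USERID": "ABC1042", "firstname": "Jordan", "lastname": "Rivera"}

SYMBOLS = "!@#$%^&*-_"  # assumed symbol set; align it with your password policy
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def derived_password(row):
    """Mirror of the thread's CONCAT expression (SUBSTRING(x, 1, 3) is x[:3])."""
    first, uid, last = row["firstname"], row["USERID"], row["lastname"]
    # The posted expression uses CHAR_LENGTH(firstname) twice; kept as posted.
    return f"{first[:3]}{uid[:3]}{last[:3]}#{len(first)}{len(uid)}{len(first)}"


def random_password(length=16):
    """Draw every character from the OS CSPRNG, one from each class guaranteed."""
    if length < len(CLASSES):
        raise ValueError("length is too short to include every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # avoid a fixed class order
    return "".join(chars)


def max_entropy_bits(length=16):
    """Upper bound on entropy for a uniformly random string over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Same inputs always give the same derived value; it carries no secret.
    print("derived:", derived_password(SAMPLE_USER))
    print("random :", random_password())
    print("bits   :", round(max_entropy_bits(), 1))
```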