
Generate random password for specific users via UserImport on DB connection

Uzair
New Contributor

 

The solution should be able to generate a random password for specific users (e.g. usernames starting with 'ABC') when a user is added via UserImport over a DB connection, and notify them by email with their username and password (randomly generated by Saviynt) so that they are able to log on to Saviynt EIC.
This solution does not have SSO.

We have created a Password Policy for this and set the scope as 'user', and we have a user update rule that checks the condition "username starts with 'ABC'" and takes the action Notify (as an email).

In the email template, when we use '${user.password}', it sends the same password 'NO_PASSWORD' to the users.

How do we achieve this task?

 

17 REPLIES

Saathvik
All-Star

Use ${randompassword} for users whose username starts with 'ABC' since you are autogenerating.

Also, I hope you have already handled the logic in the import so that, when the username starts with 'ABC', a password is auto-generated instead of you assigning the default password.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

Uzair
New Contributor

How do we assign a random auto-generated password in the import logic, and where do we assign it?

I thought you were already assigning a random password as part of the User Import. By default Saviynt doesn't require a password to create/import users, so all users will not have any password by default unless you are mapping one as part of your import. Please share your USERIMPORT XML.


Regards,
Saathvik

Uzair
New Contributor

This is the UserImport XML we are using. Please let us know if we need to add any specific import settings. Thanks.

<dataMapping>
    <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
        <![CDATA[Select USERID as username,firstname, lastname from db2db where USERID LIKE 'ABC%';
    ]]>
    </sql-query>
    <importsettings>
        <zeroDayProvisioning>true</zeroDayProvisioning> 
        <generateEmail>false</generateEmail>
        <userNotInFileAction>NOACTION</userNotInFileAction> 
        <checkRules>true</checkRules>
        <buildUserMap>true</buildUserMap>
        <generateSystemUsername>false</generateSystemUsername>
        <userReconcillationField>username</userReconcillationField>
    </importsettings>
    <mapper description="This is the mapping field for Saviynt Field name">
        <mapfield saviyntproperty="username" sourceproperty="username" type="character"></mapfield>
        <mapfield saviyntproperty="firstname" sourceproperty="firstname" type="number"></mapfield>
        <mapfield saviyntproperty="lastname" sourceproperty="lastname" type="character"></mapfield>
    </mapper>
</dataMapping>

I have personally not tried this but just want to give it a try.

Try to map the password attribute and see whether you get the same value in the email; then you can think about implementing a random password.

<dataMapping>
    <sql-query description="This is the Source DB Query" uniquecolumnsascommaseparated="username">
        <![CDATA[Select USERID as username,firstname, lastname, 'Testing@1234' as usr_password from db2db where USERID LIKE 'ABC%';
    ]]>
    </sql-query>
    <importsettings>
        <zeroDayProvisioning>true</zeroDayProvisioning> 
        <generateEmail>false</generateEmail>
        <userNotInFileAction>NOACTION</userNotInFileAction> 
        <checkRules>true</checkRules>
        <buildUserMap>true</buildUserMap>
        <generateSystemUsername>false</generateSystemUsername>
        <userReconcillationField>username</userReconcillationField>
    </importsettings>
    <mapper description="This is the mapping field for Saviynt Field name">
        <mapfield saviyntproperty="username" sourceproperty="username" type="character"></mapfield>
        <mapfield saviyntproperty="firstname" sourceproperty="firstname" type="number"></mapfield>
        <mapfield saviyntproperty="lastname" sourceproperty="lastname" type="character"></mapfield>
        <mapfield saviyntproperty="password" sourceproperty="usr_password" type="character"></mapfield>
    </mapper>
</dataMapping>

And use ${user.password} as the variable for the password in the email template.


Regards,
Saathvik

This will be a security breach/audit concern; don't use this method.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Tried it for the purpose of testing, it sends out an encrypted password,
and when we use '${randomPassword}' in the email template, the email isn't getting sent.
How can we overcome this?

Uzair
New Contributor

Was able to log in with the password 'Test@123',
but how do we generate a random password and send it across in the email?
${randomPassword} in UserImportJSON and EmailTemplate doesn't yield any results.

rushikeshvartak
All-Star

Use technical birthright rules.


Regards,
Rushikesh Vartak

Please can you share an example of the Action?

You can try change password


Regards,
Rushikesh Vartak

Please can you elaborate on this, as we don't have 'Change Password' under Technical rules?

User Update Rule*


 


Regards,
Rushikesh Vartak

The next step after choosing 'Change Password' prompts us to choose an endpoint,
but we don't want to specify any endpoints, since the password being generated is for Saviynt EIC.

abhiupadhyay
New Contributor III

@rushikeshvartak you just showed the "changepassword" option in the user update rule. The issue is that this user import will not have an endpoint; it's only a connection. Then what endpoint would I select for "changepassword"? Some detailed answer will really help.

Uzair
New Contributor

@rushikeshvartak @Saathvik
Do we have any update on this?

 

@Uzair You need to build logic to generate a random password in SQL instead of 'Testing@1234' and map it to usr_password in the SQL query I shared previously; you cannot use ${randompassword} in that query.

Example: SELECT CONCAT(SUBSTRING(firstname, 1,3),SUBSTRING(USERID, 1,3),SUBSTRING(lastname, 1,3),"#",CHAR_LENGTH(firstname),CHAR_LENGTH(USERID),CHAR_LENGTH(firstname))

But I feel it is not the right way to implement it. See if you can achieve it using some user update rule or through an external jar.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
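
Added example, not part of the thread and not Saviynt's code: a Python sketch of why the CONCAT expression in the last reply yields a derived password rather than a random one, next to a CSPRNG-based generator of the kind an external component could use. The sample rows, the symbol set and the four-class policy are constructed assumptions.

```python
import secrets
import string

# Assumed policy: 16 chars, at least one lower, upper, digit and symbol.
SYMBOLS = "#@$%&*!?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def derived_password(firstname, userid, lastname):
    """Python equivalent of the CONCAT/SUBSTRING/CHAR_LENGTH expression in the thread."""
    return (firstname[:3] + userid[:3] + lastname[:3] + "#"
            + str(len(firstname)) + str(len(userid)) + str(len(firstname)))


def random_password(length=16):
    """Draw from the OS CSPRNG; redraw until every character class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short for the policy")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def recomputable(row, password):
    """True if the password can be rebuilt from directory attributes alone."""
    return derived_password(row["firstname"], row["username"], row["lastname"]) == password


# Constructed sample rows shaped like the import query's output.
ROWS = [
    {"username": "ABC1001", "firstname": "John", "lastname": "Smith"},
    {"username": "ABC1002", "firstname": "Priya", "lastname": "Nair"},
]

if __name__ == "__main__":
    for row in ROWS:
        derived = derived_password(row["firstname"], row["username"], row["lastname"])
        rand = random_password()
        print(row["username"], derived, recomputable(row, derived), recomputable(row, rand))
```

Anyone who can read a user's name and ID can rebuild the derived value, which is why it does not meet the original requirement of a randomly generated password.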