
Get Service Account Owner AccountID from Accounts table

AashishD
Regular Contributor II

Hi,

We need to map Service Account Owners of Service accounts in AD under the manager attribute of Active Directory. However, we need to fetch the service account owners DN from their account properties.

Can someone help with what to write in the create account JSON so that the account owners' DN from their account properties can be fetched and translated back to AD?


pmahalle
All-Star

Hi @AashishD ,

Can you try the expression below to get the DN of the owner from the accountid of the user's account?

${if(ownerAccountListMap.size()>0 && allOwnerList.size()>0){ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.accountID:''}else{''}}


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

AashishD
Regular Contributor II

Hi Paddy,

Thank you for the prompt response.

We included the following in our create account json

"manager": "${if(ownerAccountListMap.size()>0 && allOwnerList.size()>0){ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList.get(0)?.userkey.username).get(0)?.accountID:''}else{''}}",

However, we get the following error:

Error while creating account SERTESTUAT2 in AD - No such property: ownerAccountListMap for class: SimpleTemplateScript1781\n","stream":"stdout","time":"2023-07-31T13:17:13.848653689Z"}

Hi @AashishD ,

Are you storing the AD account's DN in any of the user's custom properties? If yes, use the expression below, substituting the user's custom property that holds the DN.

"manager" : "${if((ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.custompropertyXX.toString()}[0])!=null && (ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.custompropertyXX.toString()}[0])!=''){ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.custompropertyXX.toString()}[0]}}"


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

AashishD
Regular Contributor II

Hi Paddy,

We are not storing the user's DN for AD in the users table but in the accounts table, as the accountID of the user for the particular endpoint (that is, Active Directory).

AashishD
Regular Contributor II

Hi Paddy,

If this is the only way then how do we map AD DN to Users CP in EIC?

AashishD
Regular Contributor II

Hi,

Any help on this?

Hi @AashishD ,

You can use SAV4SAV to add the Active Directory DN into the user's CP. I have attached a sample XML which you can use for adding the DN from the account's accountID to the user's CP45.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

AashishD
Regular Contributor II

Hi Paddy,

We tried to pull the user's DN from AD into the user's EIC record via User_Attribute and used the above code:

"manager" : "${if((ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.custompropertyXX.toString()}[0])!=null && (ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.custompropertyXX.toString()}[0])!=''){ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.custompropertyXX.toString()}[0]}}"

Do you see any issue in this method?

Hi @AashishD ,

You can try the below in USER_ATTRIBUTE in order to recon the DN into CP45 of the user.

[
UPDATEDATE::whenChanged#customDate--yyyyMMddHHmmss.'0Z',
CREATEDATE::whenCreated#customDate--yyyyMMddHHmmss.'0Z',

CUSTOMPROPERTY45::distinguishedName#String,
USERNAME::sAMAccountName#String,
RECONCILATION_FIELD::USERNAME
]

Let me know if it helps.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

AashishD
Regular Contributor II

The User Attribute Import works fine, but part 2 of the issue is that when I create a service account, the following code does not set the manager. The same code works while updating a service account.

Am I missing something?

"manager" : "${if((ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.customproperty8.toString()}[0])!=null && (ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.customproperty8.toString()}[0])!=''){ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.customproperty8.toString()}[0]}}"

@AashishD So while creating, are you selecting the correct user as owner, whose customproperty8 has the correct DN of the active account in AD?


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂
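The two template expressions in this thread (the accountID lookup via ownerAccountListMap and the custom-property lookup via ServiceAccountOwnerMap) both reduce to "take the first owner, take the first value, fall back to blank". The Python below is an added model of that logic written for this page; it is not Saviynt code, and the dictionary shapes it assumes for ServiceAccountOwnerMap, ownerAccountListMap and allOwnerList are guesses that mirror the `.get('USEROWNERS').get('1')` and `.get(username)` calls in the expressions. It goes slightly beyond the thread in two ways a practitioner would want: it checks the raw value before stringifying it (in Groovy, `null.toString()` is the string "null", so a check ordered as in the expressions can let "null" through), and it validates that what goes into "manager" is actually a DN, omitting the attribute otherwise, since AD rejects an empty or malformed value in a DN-syntax attribute and the whole create would fail.

```python
import json
import re

# Constructed sample data (not from the thread): one service-account owner
# whose AD account DN has been reconciled into customproperty8 via USER_ATTRIBUTE.
SAMPLE_OWNER = {"username": "jdoe",
                "customproperty8": "CN=Jane Doe,OU=Users,DC=example,DC=com"}

# Assumed shape of ServiceAccountOwnerMap: owner type -> rank -> list of user maps.
SAMPLE_SERVICE_ACCOUNT_OWNER_MAP = {"USEROWNERS": {"1": [SAMPLE_OWNER]}}

# Assumed shapes for the first approach: allOwnerList holds owner users and
# ownerAccountListMap maps a username to that user's accounts on the endpoint.
SAMPLE_ALL_OWNER_LIST = [{"userkey": {"username": "jdoe"}}]
SAMPLE_OWNER_ACCOUNT_LIST_MAP = {
    "jdoe": [{"accountID": "CN=Jane Doe,OU=Users,DC=example,DC=com", "status": "1"}]
}

# One RDN "attr=value", optionally followed by more, comma separated.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"
_DN_RE = re.compile(rf"^\s*{_RDN}(\s*,\s*{_RDN})*\s*$")


def is_dn(value):
    """True when value looks like an LDAP DN; AD's manager attribute accepts nothing else."""
    return isinstance(value, str) and bool(_DN_RE.match(value))


def _first_non_empty(values):
    """Return the first usable string, skipping None, '' and the literal 'null'.

    The thread's expressions call .toString() before comparing with null; in
    Groovy null.toString() is "null", so this model inspects the raw value first.
    """
    for v in values:
        if v is None:
            continue
        s = str(v).strip()
        if s and s.lower() != "null":
            return s
    return ""


def owner_dn_from_cp(service_account_owner_map, cp="customproperty8"):
    """Model of the working expression: DN held in the rank-1 USEROWNERS' custom property."""
    owners = service_account_owner_map.get("USEROWNERS", {}).get("1", [])
    return _first_non_empty(o.get(cp) for o in owners)


def owner_dn_from_accounts(owner_account_list_map, all_owner_list):
    """Model of the first expression: accountID of the first owner's first endpoint account."""
    if not owner_account_list_map or not all_owner_list:
        return ""
    username = all_owner_list[0].get("userkey", {}).get("username")
    accounts = owner_account_list_map.get(username) or []
    return _first_non_empty(a.get("accountID") for a in accounts)


def build_create_payload(sam_account_name, manager_dn):
    """Assemble the create-account JSON fragment, leaving "manager" out when no valid DN exists."""
    payload = {"sAMAccountName": sam_account_name}
    if is_dn(manager_dn):
        payload["manager"] = manager_dn
    return payload


if __name__ == "__main__":
    dn = owner_dn_from_cp(SAMPLE_SERVICE_ACCOUNT_OWNER_MAP)
    print(json.dumps(build_create_payload("SERTESTUAT2", dn), indent=2))
    # Owner selected but customproperty8 never reconciled: manager is omitted,
    # not sent as "" or "null".
    unreconciled = {"USEROWNERS": {"1": [{"username": "x", "customproperty8": None}]}}
    print(json.dumps(build_create_payload("SERTESTUAT2", owner_dn_from_cp(unreconciled)), indent=2))
```

Running the script prints the create payload with "manager" populated for the reconciled owner and without it for the owner whose customproperty8 is still empty, which is the create-time symptom described above: if the selected owner's CP has not been filled by the USER_ATTRIBUTE import, there is simply nothing to map.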

AashishD
Regular Contributor II

Hi Paddy,

I was making some errors in the code.

This works now!

Thanks.