02/09/2024 10:55 AM
Hi,
We have a requirement where we need to set a default group owner for all the groups created from Saviynt, and the owner is another group, not a user.
I tried setting the managedBy attribute in createUpdateGroupMapping to a group value, but it's not working.
e.g. "managedBy": "CN=IS-xxx-Manual-Group-Admins,OU=Application,OU=Groups,DC=xxxdev,DC=xxx,DC=edu,DC=au"
It only works when we use the code below.
"managedBy": "${allOwnerList?.size()>0 && ownerAccountListMap.size()>0 && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).get(0)?.comments:null}"
Is there any way to hardcode the managedBy attribute in createUpdateGroupMapping json?
Could you please help me with this issue?
Thanks,
Poonam
02/09/2024 11:00 AM
Please confirm the ask: you want to set the owner as a user group under the Account Owners tab of the account, for accounts created from Saviynt?
02/09/2024 11:04 AM
@rushikeshvartak No, the requirement is that all the groups which are created using the Create AD Group tile in Saviynt should have the managedBy attribute set to CN=IS-xxx-Manual-Group-Admins,OU=Application,OU=Groups,DC=xxxdev,DC=xxx,DC=edu,DC=au.
The managedBy attribute only gets set when we use the code below.
"managedBy": "${allOwnerList?.size()>0 && ownerAccountListMap.size()>0 && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).get(0)?.comments:null}"
Is there any way to hardcode the managedBy attribute in createUpdateGroupMapping json?
02/09/2024 11:08 AM
Hi @poonammhetre ,
Does AD allow setting a group DN in the managedBy attribute? Can you try it for one of the groups directly in AD instead of through Saviynt?
02/09/2024 11:08 AM
If you hardcode it, are you getting any error?
02/09/2024 11:15 AM
@pmahalle Yes, it allows a group value to be set for the managedBy attribute in AD.
@rushikeshvartak No, it doesn't give any error, but it simply skips the managedBy attribute during group creation. The customproperty15 value is mapped to the managedBy attribute.
Below is the log.
Before binding - createUpdateMappings={
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"cn": "${role?.customproperty27}",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=xxxdev,DC=xxx,DC=edu,DC=au",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"displayName": "${role?.displayname}",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"sAMAccountName": "${role?.customproperty27}",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"description": "${role?.description}",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"objectClass": "group",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"gidNumber": "${Math.addExact(role.id,10000)}",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"name": "${role?.customproperty27}",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"managedBy": "CN=IS-FIM-Manual-Group-Admins,OU=Application,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au"
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--}
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-ownerAccountListMap [:]
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-Enter getStandardBindingVariableForGroupManagement
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-Enter getStandardBindingVariable
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-isGroupManagement : true
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-computeStandardBindingVariableForGroupManagement() called
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getAllRoleOwners() method called. roleKey : 31
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-allRoleOwnerCount : 0
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getAllOwnerAccountsMap() method called. roleKey : 31
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getAllOwnerAccountsMap() method completed.
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getAllRankOwnersMap() method called.
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getAllRankOwnersMap() method completed.
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getRankOneOwners() method called.
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getOwnersPerRank() method called. rank : 1
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getOwnersPerRank() method completed.
2024-02-10T00:10:27+05:30-ecm-worker-groupmanagement.GroupManagementService-quartzScheduler_Worker-3-q686p-DEBUG-getEntitlementValuesFromRoles() method called. roleKey : 31
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-computeStandardBindingVariableForGroupManagement() completed
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-Exit getStandardBindingVariable
2024-02-10T00:10:27+05:30-ecm-worker-services.SaviyntCommonUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-Exit getStandardBindingVariableForGroupManagement
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-After binding - createUpdateMappings={
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"cn": "PMT2",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"displayName": "null",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"sAMAccountName": "PMT2",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"description": "null",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"objectClass": "group",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"gidNumber": "10031",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"name": "PMT2",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"managedBy": "CN=IS-FIM-Manual-Group-Admins,OU=Application,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au"
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--}
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-This is after asserting it for 1st time
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--attrs=[sAMAccountName:PMT2, objectClass:group, name:PMT2, cn:PMT2, gidNumber:10031, objectCategory:CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au]
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-GROUP CREATION IN AD: true
2024-02-10T00:10:27+05:30-ecm-worker-services.ImportUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-EntitlementType 'memberOf' for Endpoint 'UNIWADEV' found with EntitlementTypekey - 23
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-groupImportMappingObj : memberHash:member_char,customproperty1:sAMAccountType_char,customproperty2:memberOf_char,customproperty8:instanceType_char, customproperty3:uSNCreated_char,customproperty4:groupType_char,customproperty5:dSCorePropagationData_char,customproperty12:dn_char, customproperty13:cn_char,lastscandate:whenCreated_date,customproperty15:managedBy_char,entitlement_glossary:description_char,customproperty9:name_char, customproperty10:objectCategory_char,customproperty11:sAMAccountName_char,customproperty14:objectClass_char,status:isCriticalSystemObject_char, entitlement_value:distinguishedName_char,entitlementid:objectGUID_Binary,customproperty17:distinguishedName_char,updatedate:whenChanged_date, RECONCILATION_FIELD:entitlementid
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-adToGroupsMap: [customproperty4:groupType_char, customproperty10:objectCategory_char, customproperty5:dSCorePropagationData_char, customproperty2:memberOf_char, customproperty12:dn_char, customproperty3:uSNCreated_char, customproperty11:sAMAccountName_char, customproperty1:sAMAccountType_char, entitlementid:objectGUID_Binary, customproperty17:distinguishedName_char, customproperty14:objectClass_char, customproperty13:cn_char, lastscandate:whenCreated_date, customproperty15:managedBy_char, entitlement_glossary:description_char, memberhash:member_char, updatedate:whenChanged_date, customproperty8:instanceType_char, entitlement_value:distinguishedName_char, customproperty9:name_char, status:isCriticalSystemObject_char]
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Attributes to be returned from LDAP - [member, samaccounttype, whenchanged, memberof, instancetype, usncreated, grouptype, dscorepropagationdata, distinguishedname, cn, whencreated, managedby, description, name, objectcategory, samaccountname, objectsid, dn, objectguid, objectclass, memberuid, displayName, nisnetgrouptriple, "memberof", "true", "false", "whenchanged", "(objectclass=group)", "managedby", "comments", iscriticalsystemobject]
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Enter getLDAPContext
2024-02-10T00:10:27+05:30-ecm-worker-services.HttpClientUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-calling executeRequestWithTimeoutConfig for api...
2024-02-10T00:10:27+05:30-ecm-worker-services.HttpClientUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-calling api...
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Enter acquireLDAPContext
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Setting default timeout
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Env Properties in IMPORTJSON: null
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-enable_dclocator = false
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Exit getLDAPContext
2024-02-10T00:10:27+05:30-ecm-worker-services.HttpClientUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-called api...
2024-02-10T00:10:27+05:30-ecm-worker-services.HttpClientUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-timeout validated for api...
2024-02-10T00:10:27+05:30-ecm-worker-services.HttpClientUtilityService-quartzScheduler_Worker-3-q686p-DEBUG-got response for api...
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-entValueDetailMap= [CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au;:;23:[groupType:-2147483646, whenCreated:20240209184027.0Z, sAMAccountName:PMT2, instanceType:4, objectClass:"top","group", distinguishedName:CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au, dn:CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au, cn:PMT2, whenChanged:20240209184027.0Z, sAMAccountType:268435456, name:PMT2, objectGUID:09d7c8cc-18af-446c-822a-ca6383a92a3c, dSCorePropagationData:16010101000000.0Z, objectSid:S-1-5-21-2630746804-3755593408-721973210-502343, uSNCreated:54991076, nameinnamespace:CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au, objectCategory:CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au]]
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Importing Entitlement_values
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Pre-validation Entitlement RECONCILATION_FIELD: null
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Post-validation Entitlement RECONCILATION_FIELD: entitlement_value
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-ent reconcilationADAttribute= entitlement_value
2024-02-10T00:10:27+05:30-ecm-worker-services.AdImportService-quartzScheduler_Worker-3-q686p-DEBUG-Query to insert/update into ENTITLEMENT_VALUES: INSERT INTO ENTITLEMENT_VALUES SET ORPHAN=0,SOX_CRITICAL=0,SYS_CRITICAL=0,JOB_ID=113924,customproperty4='-2147483646',customproperty10='CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty5='16010101000000.0Z',customproperty2=null,customproperty12='CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty3='54991076',customproperty11='PMT2',customproperty1='268435456',entitlementid='09d7c8cc-18af-446c-822a-ca6383a92a3c',customproperty17='CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty14='"top","group"',customproperty13='PMT2',lastscandate='2024-02-09 18:40:27',customproperty15=null,entitlement_glossary=null,updatedate='2024-02-09 18:40:27',customproperty8='4',entitlement_value='CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty9='PMT2',status=1,ENTITLEMENTTYPEKEY=23 on duplicate key update JOB_ID=113924 ,customproperty4='-2147483646',customproperty10='CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty5='16010101000000.0Z',customproperty2=null,customproperty12='CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty3='54991076',customproperty11='PMT2',customproperty1='268435456',entitlementid='09d7c8cc-18af-446c-822a-ca6383a92a3c',customproperty17='CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty14='"top","group"',customproperty13='PMT2',lastscandate='2024-02-09 18:40:27',customproperty15=null,entitlement_glossary=null,updatedate='2024-02-09 18:40:27',customproperty8='4',entitlement_value='CN=PMT2,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au',customproperty9='PMT2',status=1
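The log in the post above shows the bound mapping still carrying managedBy ("After binding - createUpdateMappings={...}") while the attrs=[...] line handed to the LDAP add does not. The following is an added diagnostic, not code from Saviynt or from anyone in this thread: it parses those two log sections and reports which bound attributes never reached AD, separating the ones that bound to the literal string "null" (displayName, description, where the ${role?.…} expressions evaluated to nothing) from the ones that carried a real value. The log lines embedded in it are a trimmed copy of the excerpt above, used as constructed sample input; the parsing relies only on the 'After binding - createUpdateMappings={' marker and the 'attrs=[...]' line, which is an assumption about the log layout rather than a documented Saviynt format.

```python
"""Diff what Saviynt bound for an AD group create against what it sent to LDAP.

Added example, not Saviynt code. The log text is a trimmed copy of the debug
output posted in the thread, used here as constructed sample input.
"""
import re

# Constructed sample input: the 'After binding' block and the 'attrs=' line
# from the posted log (same values, unrelated lines removed).
SAMPLE_LOG = """\
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-After binding - createUpdateMappings={
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"cn": "PMT2",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"objectCategory": "CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"displayName": "null",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"sAMAccountName": "PMT2",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"description": "null",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"objectClass": "group",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"gidNumber": "10031",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"name": "PMT2",
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--"managedBy": "CN=IS-FIM-Manual-Group-Admins,OU=Application,OU=Groups,DC=uniwadev,DC=uwa,DC=edu,DC=au"
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--}
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-This is after asserting it for 1st time
2024-02-10T00:10:28+05:30-ecm-worker--null-q686p--attrs=[sAMAccountName:PMT2, objectClass:group, name:PMT2, cn:PMT2, gidNumber:10031, objectCategory:CN=Group,CN=Schema,CN=Configuration,DC=uniwadev,DC=uwa,DC=edu,DC=au]
2024-02-10T00:10:27+05:30-ecm-worker-ldap.SaviyntGroovyLdapService-quartzScheduler_Worker-3-q686p-DEBUG-GROUP CREATION IN AD: true
"""

# Assumed layout markers (taken from the posted log, not from Saviynt docs).
BOUND_START = "After binding - createUpdateMappings={"
PAIR_RE = re.compile(r'"([A-Za-z0-9_]+)":\s*"(.*)"\s*,?\s*$')
ATTRS_RE = re.compile(r"attrs=\[(.*)\]\s*$")


def parse_bound_mapping(log_text):
    """Return {attr: value} from the 'After binding' block.

    Values are the strings Saviynt produced after evaluating the ${...}
    expressions, so an unresolved expression shows up as the string 'null'.
    """
    bound = {}
    inside = False
    for line in log_text.splitlines():
        if BOUND_START in line:
            inside = True
            continue
        if inside:
            if line.rstrip().endswith("}"):
                break
            m = PAIR_RE.search(line)
            if m:
                bound[m.group(1)] = m.group(2)
    return bound


def parse_sent_attrs(log_text):
    """Return {attr: value} from the 'attrs=[...]' line, i.e. what was handed
    to the LDAP add. Items are separated by ', '; DN values contain bare
    commas without a following space, so splitting on ', ' keeps them intact.
    """
    for line in log_text.splitlines():
        m = ATTRS_RE.search(line)
        if m:
            sent = {}
            for item in m.group(1).split(", "):
                key, _, value = item.partition(":")
                sent[key] = value
            return sent
    return {}


def dropped_attributes(log_text):
    """Attributes present in the bound mapping but missing from the LDAP add.

    Returns (null_valued, silently_dropped): the first list holds attributes
    whose bound value was the literal 'null' or empty (skipping those is
    expected), the second holds attributes that had a real value and were
    still not sent; that second list is the anomaly worth raising.
    """
    bound = parse_bound_mapping(log_text)
    sent = parse_sent_attrs(log_text)
    dropped = {k: v for k, v in bound.items() if k not in sent}
    null_valued = sorted(k for k, v in dropped.items() if v in ("null", ""))
    silently_dropped = sorted(k for k, v in dropped.items() if v not in ("null", ""))
    return null_valued, silently_dropped


if __name__ == "__main__":
    skipped, anomalies = dropped_attributes(SAMPLE_LOG)
    print("bound to 'null' and skipped:", skipped)
    print("had a value but never sent :", anomalies)
```

Run against the posted log this reports displayName and description as skipped for having bound to "null", and managedBy as the one attribute that had a real DN and still never reached the LDAP add, which is the fact to carry into a support ticket; pointing it at a fresh log from a run where an owner was selected in the UI shows whether managedBy then appears in attrs=[...].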
02/12/2024 12:28 AM
@rushikeshvartak @pmahalle do you have any pointers on this issue?
02/12/2024 12:36 AM
Hi @poonammhetre ,
Are you importing the entitlement/group owner when you are reconciling the accesses/groups from AD? Can you share the groupimportmapping of your AD?
02/12/2024 12:41 AM
@pmahalle Yes, we are importing the owner. Please find the JSON below.
{
"entitlementTypeName": "memberOf",
"importGroupHierarchy": "true",
"performGroupAccountLinking": "true",
"importnestedmembershipoutofscope": "false",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"entitlementOwnerAttribute": "managedBy",
"tableFieldAttribute": "comments",
"mapping": "memberHash:member_char,customproperty1:sAMAccountType_char,customproperty2:memberOf_char,customproperty8:instanceType_char, customproperty3:uSNCreated_char,customproperty4:groupType_char,customproperty5:dSCorePropagationData_char,customproperty12:dn_char, customproperty13:cn_char,lastscandate:whenCreated_date,customproperty15:managedBy_char,entitlement_glossary:description_char,customproperty9:name_char, customproperty10:objectCategory_char,customproperty11:sAMAccountName_char,customproperty14:objectClass_char,status:isCriticalSystemObject_char, entitlement_value:distinguishedName_char,entitlementid:objectGUID_Binary,customproperty17:distinguishedName_char,updatedate:whenChanged_date, RECONCILATION_FIELD:entitlementid"
}
02/12/2024 12:44 AM
Can you try your use case once after removing entitlementOwnerAttribute and tableFieldAttribute (highlighted below) from the groupimportmapping JSON, and share the observation?
{
"entitlementTypeName": "memberOf",
"importGroupHierarchy": "true",
"performGroupAccountLinking": "true",
"importnestedmembershipoutofscope": "false",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"entitlementOwnerAttribute": "managedBy",
"tableFieldAttribute": "comments",
"mapping": "memberHash:member_char,customproperty1:sAMAccountType_char,customproperty2:memberOf_char,customproperty8:instanceType_char, customproperty3:uSNCreated_char,customproperty4:groupType_char,customproperty5:dSCorePropagationData_char,customproperty12:dn_char, customproperty13:cn_char,lastscandate:whenCreated_date,customproperty15:managedBy_char,entitlement_glossary:description_char,customproperty9:name_char, customproperty10:objectCategory_char,customproperty11:sAMAccountName_char,customproperty14:objectClass_char,status:isCriticalSystemObject_char, entitlement_value:distinguishedName_char,entitlementid:objectGUID_Binary,customproperty17:distinguishedName_char,updatedate:whenChanged_date, RECONCILATION_FIELD:entitlementid"
}
02/12/2024 01:02 AM
@pmahalle As suggested, I removed the owner mapping from the JSON and tested, but it gives the same result: the managedBy attribute is not updated.
Are there any changes in the latest release? We are currently on 24.1. I recall it was working as expected in the old 2021 release. Also, in this forum post a user mentioned that it was possible to hardcode the managedBy attribute (version 23.1):
Solved: AD Group Management : Group Owner in createUpdateM... - Saviynt Forums - 33417
Thanks,
Poonam
02/12/2024 01:26 AM
You mean it was working for you in version 2021?
In Saviynt, when we create an AD group with a user as the owner, the managedBy attribute is set in AD with that user's DN, and at the same time the same user is set as the owner of that entitlement/group. In your case part 1 is possible, but part 2, where we set the owner for the entitlement in Saviynt, would not be possible since it is a group and not a user in Saviynt. I think that could be the issue.
02/12/2024 01:34 AM
You mean it was working for you in version 2021?
==> Yes, it was working in 2021, where we could set a user's DN in the managedBy attribute. The issue is that now, on the latest version, we are not even able to hardcode a user DN value for the managedBy attribute.
The managedBy attribute only gets updated in AD when an owner is selected from the UI during group creation and we use the code below in createUpdateGroupMappings.
${allOwnerList?.size()>0 && ownerAccountListMap.size()>0 && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username)!=null && ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).size()>0?ownerAccountListMap.get(allOwnerList?.get(0)?.userkey.username).get(0)?.comments:""}
I suspect that Saviynt no longer supports a hardcoded value in the managedBy attribute, which was working in earlier releases.
Thanks,
Poonam
02/12/2024 02:17 AM
What's your actual issue?
1. You are not able to set a hardcoded user/manager DN in the managedBy attribute? or
2. You are not able to set a group DN value in managedBy for some other AD group?
02/12/2024 02:23 AM
@pmahalle The actual issue is that I am not able to set a hardcoded value for the managedBy attribute, whether it is a user or a group.
The ultimate goal is to set the default owner as a group, but since it was not working with a group value, I tested with a user (account DN) and found that it is not working either.
Thanks,
Poonam
02/12/2024 03:35 AM
@pmahalle After doing some testing, I found that the managedBy attribute gets updated only when we select the owner from the UI.
1) I hardcoded the group value for the managedBy attribute in createUpdateMapping.
2) Selected a random user as the group owner from the UI during group creation.
The group got created with the hardcoded managedBy value.
It means the hardcoded value will be updated, but for that you first need to select an owner from the UI, which is not correct. It looks like a Saviynt bug.
Thanks,
Poonam