
Identity Lifecycle Management of Regular and Admin AD Account within a single Endpoint

Jordan
New Contributor II

Hello, I am working on a use case where we are integrated with our HR system for ILM to AD for our regular accounts. We also want to join up our Admin accounts and do specific ILM tasks, like updating account attributes when attribute updates come in from HR and also terminating the Admin account when the user is terminated from HR. If I join up the Admin account and an attribute update comes through, a task gets created to update both accounts. However, in the AD connector I want to only update specific attributes of the Regular AD account and specific attributes of the Admin AD account.

I have tried using the account.accounttype in the connector logic to only set an attribute if the accounttype is Admin, but that returns an error like below:

Logic

"employeeType": "${(ServiceAccountOwnerMap.get('ServiceAccountType') == 'Service Account')?'Service Account':account?.accounttype=='Admin'?'Admin':user?.employeeType==null?user?.customproperty30:user?.employeeType}"

Error

Error while Update operation for account-smithj0220 in AD - No such property: accounttype for class: java.lang.String

Is it even possible to manage multiple AD accounts joined to the same user like this or does this require setting up a separate Security System / Endpoint for the AD Admin account?

SB
Saviynt Employee

Can you try with accountType instead of accounttype?


Regards,
Sahil

rushikeshvartak
All-Star

"employeeType": "${(ServiceAccountOwnerMap.get('ServiceAccountType') == 'Service Account')?'Service Account':account?.accountType=='Admin'?'Admin':user?.employeeType==null?user?.customproperty30:user?.employeeType}"


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Jordan
New Contributor II

Thank you for the responses. I tried using accountType instead, but received the same error message. I found somewhere else in the Saviynt Forum that the only thing available on the account object is the account name and none of the other attributes. I was able to get this to work by checking if task.accountName==user.customproperty28, where we are storing the admin account name in user.customproperty28.

Logic

"employeeType": "${(ServiceAccountOwnerMap.get('ServiceAccountType') == 'Service Account')?'Service Account':task.accountName==user.customproperty28?'Admin':user?.employeeType}"

Jordan
New Contributor II

I was also able to get the below to work referencing the task.accountKey.accounttype. Referencing the account type this way is working in my AD connector.

Logic

"employeeType": "${(ServiceAccountOwnerMap.get('ServiceAccountType') == 'Service Account')?'Service Account':task.accountKey.accounttype=='Admin'?'Admin':user?.employeeType}"
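The two working expressions above decide a single attribute. The original question was wider: when one HR change spawns an update task for both joined accounts, each account should only receive the attributes meant for it. The following Python is an added example written for this thread; it is not code from the thread, from Saviynt, or from the AD connector. It models the three bindings the expressions read (task.accountName, task.accountKey.accounttype, the user's customproperty28/30) as plain dataclasses, which is an assumption about shape made for illustration, and adds an assumed per-account-type allow-list so an HR change bound for the regular account cannot rewrite the Admin account. The employeeType precedence (Service Account, then Admin, then the user's value with customproperty30 as the null fallback) follows the thread's ternary chains, including both Admin checks the poster found to work.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the bindings the thread's connector logic reads. Field names
# follow the thread; the object shapes are an assumption for this example only.


@dataclass
class User:
    username: str
    employeeType: Optional[str]
    customproperty28: Optional[str]   # admin account name (thread's convention)
    customproperty30: Optional[str]   # fallback when employeeType is null


@dataclass
class Account:
    accountname: str
    accounttype: str                  # "Regular" or "Admin" (constructed values)


@dataclass
class Task:
    accountName: str
    accountKey: Account               # mirrors task.accountKey.accounttype


def is_admin_account(task: Task, user: User) -> bool:
    """Both checks from the thread: account type on the task's account key first,
    then the stored admin account name in customproperty28 as a fallback."""
    if task.accountKey.accounttype == "Admin":
        return True
    return bool(user.customproperty28) and task.accountName == user.customproperty28


def resolve_employee_type(task: Task, user: User,
                          service_owner_map: Dict[str, str]) -> Optional[str]:
    """Same precedence as the thread's ternary chain."""
    if service_owner_map.get("ServiceAccountType") == "Service Account":
        return "Service Account"
    if is_admin_account(task, user):
        return "Admin"
    return user.employeeType if user.employeeType is not None else user.customproperty30


# Assumed allow-lists: which AD attributes an HR-driven update may touch on each
# joined account. Keeping them separate is what prevents one HR change from
# pushing regular-account attributes onto the admin account (or the reverse).
UPDATABLE_ATTRIBUTES = {
    "Regular": {"givenName", "sn", "title", "department", "manager", "employeeType"},
    "Admin": {"sn", "department", "employeeType"},
}


def build_update(task: Task, user: User, service_owner_map: Dict[str, str],
                 hr_changes: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Filter HR changes to what this account type may receive, then set
    employeeType from the resolved value rather than straight from HR."""
    allowed = UPDATABLE_ATTRIBUTES.get(task.accountKey.accounttype, set())
    payload: Dict[str, Optional[str]] = {
        attr: value for attr, value in hr_changes.items()
        if attr in allowed and attr != "employeeType"
    }
    if "employeeType" in allowed:
        payload["employeeType"] = resolve_employee_type(task, user, service_owner_map)
    return payload


if __name__ == "__main__":
    # Constructed sample: one user with a regular and an admin account joined.
    user = User("smithj", "Employee", "smithj-adm", "Contractor")
    regular = Task("smithj", Account("smithj", "Regular"))
    admin = Task("smithj-adm", Account("smithj-adm", "Admin"))
    changes = {"title": "Senior Engineer", "department": "Security", "employeeType": "Employee"}
    print("regular:", build_update(regular, user, {}, changes))
    print("admin:  ", build_update(admin, user, {}, changes))
```

Running it shows the same HR change producing two different payloads: the regular account gets title, department and employeeType "Employee", while the admin account gets only department and employeeType "Admin". An account whose type is not in the allow-list receives nothing, which is the safer default when a new account type is joined before its mapping is defined.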