
JSON examples for AD

fouriefb
Regular Contributor

Good day,

This is my first implementation of Saviynt and still learning a lot. 

Trying to test provisioning to AD from creating a new user in Saviynt. 

Under application onboarding, when setting my AD's Provisioning to automatic, I'm getting an access denied due to XSS error.

Not sure if there is something wrong with one of my JSONs on the connector. Removing my CreateaccountJSON and testing saving again, the screen is stuck on loading.

I can consistently re-create this by re-adding the Createaccountjson and then getting the Security Manager message: Access denied due to XSS

Anyone seen something like this before or any idea what's causing this?


Thanks in advance



rushikeshvartak
All-Star

Share the data/JSON where you get the error when you add it in the connection, and the logs.


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi R,

Below is what we have configured from the documentation currently, but it is giving the security error (XSS error).

(screenshot: fouriefb_0-1662968020453.png)

Used different JSONs also, but once auto provisioning is applied, it gets stuck at loading and nothing happens.

Kind regards,

Frikkie

Hello @fouriefb,

The Provisioning logs are under the service name "ecm-worker". The logs which you have attached don't seem to have any information on the issue/error from the Provisioning run.

Since you have not shared the actual JSON that you have used and only provided a reference to the documentation, based on that, I hope you are substituting the values in it and not using it as-is, e.g. using the documentation example <specify company name> could result in an XSS error.

I would suggest using a basic JSON to create accounts and then building on it from there to use complex logic for your requirements.


Regards,
Avinash Chhetri

fouriefb
Regular Contributor

Good day Avinash,

The JSON we actually use is as below.

{
"accountExpires": "0",
"cn": "${cn}",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeeID": "${user.employeeid}",
"employeenumber": "1",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"name": "${user.displayname}",
"physicaldeliveryofficename": "${user.employeeid}",
"manager": "${managerAccount?.accountID}",
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"title": "${user.title}"
}

Creating a user as test, we get the below error under provisioning comments.

(screenshot: fouriefb_0-1663051741900.png)

Anywhere I can find a basic AD create example JSON?

Thx

F.Fourie

{
"cn" : "${cn}",
"givenName" : "${user.firstname}",
"objectclass" : [
"top",
"person",
"organizationalPerson",
"user"
],
"samaccountname" : "${task.accountName}",
"sn" : "${user.lastname}",
"userPrincipalName" : "testuser1234@domain.com"
}

change UPN name accordingly


Regards,
Rushikesh Vartak

Hello @fouriefb,

Just add the objectClass parameter as mentioned in the document in your JSON: https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g...

Also, can you share the complete screenshot of the error or the log snippet to show the full error trace?


Regards,
Avinash Chhetri

{
"accountExpires": "0",
"cn": "${cn}",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeeID": "${user.employeeid}",
"employeenumber": "1",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"name": "${user.displayname}",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"physicaldeliveryofficename": "${user.employeeid}",
"manager": "${managerAccount?.accountID}",
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"st": "${user.customproperty10}",
"streetAddress": "${user.street}",
"title": "${user.title}"
}


Regards,
Rushikesh Vartak

fouriefb
Regular Contributor

Thank you for the feedback

Still getting error below under Provisioning Comments

(screenshot: fouriefb_0-1663137245213.png)

Attached logs for the time period when trying to create test.user9 

Regards,

Frikkie

Please attach screenshot of connection


Regards,
Rushikesh Vartak

Hi R,

Please find attached as requested.

Many thanks

fouriefb
Regular Contributor

Hi R,


I made some changes to accountruleJSON and am getting the error below:

(screenshot: fouriefb_0-1663167177811.png)

BASE DN is the same OU which is a valid OU in AD.

The accountnamerulejson is as follows:

(screenshot: fouriefb_1-1663167261832.png)

Any idea what else might be causing this?

Hello @fouriefb,

The account DN created doesn't seem to be in the right format, as per the error code.

Do you have examples of any users from that DN that you have imported/reconciled?


Regards,
Avinash Chhetri
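As an added example (not Saviynt's code and not posted by anyone in this thread), the following Python checker combines the points raised in the replies above: the earlier reply that a documentation literal such as <specify company name> left in the CreateAccountJSON as-is can trigger the "Access denied due to XSS" message, the reply that objectClass must be present, and the reply just above about the account DN not being in the right format. The XSS heuristic (any literal angle-bracket tag in a value), the required objectClass chain and the `${...}` token grammar are assumptions modelled on those replies, and the sample templates and DNs are constructed for the example.

```python
import json
import re

# Constructed sample templates for an AD CreateAccountJSON. The first is the kind of
# template the thread's reply warns about: a documentation placeholder left in as-is
# and no objectClass. Neither template is Saviynt's own code.
TEMPLATE_WITH_DOC_PLACEHOLDER = """{
"cn": "${cn}",
"givenName": "${user.firstname}",
"company": "<specify company name>",
"samaccountname": "${task.accountName}",
"sn": "${user.lastname}",
"userPrincipalName": "testuser1234@domain.com"
}"""

TEMPLATE_OK = """{
"cn": "${cn}",
"givenName": "${user.firstname}",
"manager": "${managerAccount?.accountID}",
"objectClass": ["top", "person", "organizationalPerson", "user"],
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"userPrincipalName": "testuser1234@domain.com"
}"""

# Assumed shape of a substitution token: ${user.firstname}, ${task.accountName},
# ${managerAccount?.accountID}. Anything else inside ${...} is flagged.
PLACEHOLDER_RE = re.compile(r"\$\{[A-Za-z_][\w.?]*\}")
ANY_TOKEN_RE = re.compile(r"\$\{[^}]*\}")
# Literal angle-bracket tags are what an HTML/XSS input filter keys on (assumption).
ANGLE_RE = re.compile(r"<[^>]*>")
# Minimum objectClass chain for an AD user object, compared case-insensitively.
REQUIRED_OBJECT_CLASSES = {"top", "person", "organizationalperson", "user"}


def lint_create_account_json(text):
    """Return a list of findings for a CreateAccountJSON template; [] means clean."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]

    findings = []
    by_lower = {k.lower(): k for k in doc}
    if "objectclass" not in by_lower:
        findings.append("missing objectClass: AD rejects an add without it")
    else:
        classes = doc[by_lower["objectclass"]]
        present = {c.lower() for c in classes} if isinstance(classes, list) else set()
        if not REQUIRED_OBJECT_CLASSES.issubset(present):
            findings.append("objectClass must list top, person, organizationalPerson, user")

    for key, value in doc.items():
        if not isinstance(value, str):
            continue
        angle = ANGLE_RE.search(value)
        if angle:
            findings.append(
                f"{key}: literal {angle.group(0)!r} looks like unreplaced documentation text "
                "and will be rejected by the UI's XSS filter"
            )
        for token in ANY_TOKEN_RE.findall(value):
            if not PLACEHOLDER_RE.fullmatch(token):
                findings.append(f"{key}: malformed substitution token {token!r}")
    return findings


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def dn_is_well_formed(dn):
    """Every component must read attribute=value, e.g. CN=test.user9,OU=Staff,DC=corp,DC=local."""
    if not dn:
        return False
    return all(RDN_RE.match(part) for part in split_dn(dn))


if __name__ == "__main__":
    for name, tpl in (("doc-placeholder", TEMPLATE_WITH_DOC_PLACEHOLDER), ("ok", TEMPLATE_OK)):
        print(name, lint_create_account_json(tpl) or "clean")
    # Constructed DNs: the second is what a bad account name rule produces (no "CN=" prefix).
    for dn in ("CN=test.user9,OU=Staff,DC=corp,DC=local", "test.user9,OU=Staff,DC=corp,DC=local"):
        print(dn, "->", dn_is_well_formed(dn))
```

Run it against a template before pasting it into the connection: a clean result does not prove the template will provision, but a finding about an angle-bracket literal or a missing objectClass reproduces two of the failures in this thread without a round trip through the UI and the ecm-worker logs.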

fouriefb
Regular Contributor

Hi R,

Thank you for your inputs. It was definitely the DN, as changing BaseDN to the root domain worked.


The account is created in AD; however, my add access remains in Pending Tasks even after running WSretry and is not being added.

Hello @fouriefb,

There is no specific Add Access JSON that you provide in the AD Connector.

I would suggest running the Provisioning Job for the AD, downloading the logs (under the "ecm-worker" service) and starting your troubleshooting from there.


Regards,
Avinash Chhetri

Hi Avinash,

There is nothing under ECM-worker when running the provisioning job for these tasks.

I found that under the Endpoint for AD there is no Connection Configuration configured. By adding the value as per documentation:

<conf><ADDMEMBERTOENT>TRUE</ADDMEMBERTOENT><ADDUSERTOENT>TRUE</ADDUSERTOENT></conf>

we get an access denied error.

(screenshot: fouriefb_0-1663237460877.png)

Regards,


You should go through the L100 training, which covers AD CONNECTION.


Regards,
Rushikesh Vartak

Hi R,

I have actually completed L100, but these more in-depth settings are actually not even touched on.

Very basic creation of Connectors, Endpoints, etc.

Regards,