09/09/2022 04:29 AM
Good day,
This is my first implementation of Saviynt and still learning a lot.
Trying to test provisioning to AD from creating a new user in Saviynt.
Under application onboarding, when setting my AD's Provisioning to automatic, I'm getting an access denied due to XSS error.
Not sure if there is something wrong with one of my JSONs on the connector. Removing my CreateaccountJSON and testing saving again, screen is stuck on loading.
I can consistently re-create this by re-adding the Createaccountjson and then getting the Security Manager message: Access denied due to XSS
Anyone seen something like this before or any idea what's causing this?
Thanks in advance
09/09/2022 05:26 AM
Share data/json where you get error when you add it in connection & logs
09/12/2022 12:35 AM
09/12/2022 07:14 AM
Hello @fouriefb,
The Provisioning logs are under the service name "ecm-worker". The logs which you have attached don't seem to have any information on the issue/error from the Provisioning run.
Since you have not shared the actual JSON that you have used and only provided a reference to the documentation, based on that, I hope you are substituting the values in it and not using it as-is, e.g. using the documentation example <specify company name> could result in an XSS error.
I would suggest to use a basic JSON to create accounts and then build it from there to use complex logic for your requirements.
09/12/2022 11:49 PM
Good day Avinash,
The JSON we actually use is as below.
{
"accountExpires": "0",
"cn": "${cn}",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeeID": "${user.employeeid}",
"employeenumber": "1",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"name": "${user.displayname}",
"physicaldeliveryofficename": "${user.employeeid}",
"manager": "${managerAccount?.accountID}",
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"title": "${user.title}"
}
Creating a user as test, we get the below error under provisioning comments.
Anywhere I can find a basic AD create example JSON?
Thx
F.Fourie
09/13/2022 03:58 AM
{
"cn" : "${cn}",
"givenName" : "${user.firstname}",
"objectclass" : [
"top",
"person",
"organizationalPerson",
"user"
],
"samaccountname" : "${task.accountName}",
"sn" : "${user.lastname}",
"userPrincipalName" : "testuser1234@domain.com"
}
change UPN name accordingly
09/13/2022 06:50 AM
Hello @fouriefb,
Just add the objectClass parameter as mentioned in the document in your JSON: https://saviynt.freshdesk.com/support/solutions/articles/43000615764-active-directory-ad-connector-g...
Also can you share the complete screenshot of the error or the log snippet to show the full error trace?
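The two checks suggested in the replies above (no documentation placeholders such as <specify company name> left in the JSON, and an objectClass list present) can be run before pasting the JSON into the connection. This is an added example, not part of the thread and not Saviynt code; the function name, the placeholder pattern, the duplicate-key check and both sample documents are assumptions constructed for illustration.

```python
import json
import re

# Angle-bracket placeholder copied from documentation, e.g. "<specify company name>".
# Assumption: this is the kind of value the XSS filter rejects, as the reply suggests.
PLACEHOLDER = re.compile(r"<[^<>]+>")

def lint_create_account_json(text):
    """Return a list of findings for a CreateAccountJSON string (empty list = clean)."""
    findings = []

    def hook(pairs):
        # LDAP attribute names are case-insensitive, so "sAMAccountName" and
        # "samaccountname" would be the same attribute supplied twice.
        seen = {}
        for key, _ in pairs:
            if key.lower() in seen:
                findings.append(f"duplicate attribute: {seen[key.lower()]!r} / {key!r}")
            else:
                seen[key.lower()] = key
        return dict(pairs)

    try:
        doc = json.loads(text, object_pairs_hook=hook)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]

    def walk(node, path):
        # Visit every string value, including those nested in arrays.
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and PLACEHOLDER.search(node):
            hit = PLACEHOLDER.search(node).group(0)
            findings.append(f"{path}: unreplaced placeholder {hit!r}")

    walk(doc, "")
    classes = next((v for k, v in doc.items() if k.lower() == "objectclass"), None)
    if not (isinstance(classes, list) and classes):
        findings.append("objectClass is missing or not a non-empty list")
    return findings

# Constructed samples: GOOD mirrors the attribute style used in the thread.
GOOD = '{"cn": "${cn}", "manager": "${managerAccount?.accountID}", "objectClass": ["top", "person", "organizationalPerson", "user"]}'
BAD = '{"cn": "${cn}", "company": "<specify company name>", "sAMAccountName": "${task.accountName}", "samaccountname": "${task.accountName}"}'
```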
09/13/2022 07:45 AM
{
"accountExpires": "0",
"cn": "${cn}",
"co": "${user.country}",
"department": "${user.departmentname}",
"displayname": "${user.displayname}",
"employeeID": "${user.employeeid}",
"employeenumber": "1",
"employeetype": "${user.employeeType}",
"givenName": "${user.firstname}",
"l": "${user.city}",
"mail": "${user.email}",
"name": "${user.displayname}",
"objectClass": [
"top",
"person",
"organizationalPerson",
"user"
],
"physicaldeliveryofficename": "${user.employeeid}",
"manager": "${managerAccount?.accountID}",
"pwdLastSet": "0",
"sAMAccountName": "${task.accountName}",
"sn": "${user.lastname}",
"st": "${user.customproperty10}",
"streetAddress": "${user.street}",
"title": "${user.title}"
}
09/13/2022 11:41 PM
09/14/2022 03:44 AM
Please attach screenshot of connection
09/14/2022 04:25 AM
09/14/2022 07:54 AM
Hi R,
I made some changes to accountruleJSON and getting error below:
BASE DN is the same OU which is a valid OU in AD.
The accountnamerulejson as follows:
Any idea what else might be causing this?
09/14/2022 08:07 AM - edited 09/14/2022 08:08 AM
Hello @fouriefb,
The account DN created doesn't seem to be in the right format as per the error code.
Do you have examples of any users from that DN that you have imported/reconciled?
09/14/2022 09:50 AM
Hi R,
Thank you for your inputs. Was definitely the DN as changing BaseDN to root domain worked.
Account is created in AD, however my add access remains in Pending Tasks even running WSretry, not adding
09/14/2022 11:21 AM
Hello @fouriefb,
There is no specific Add Access JSON that you provide in AD Connector.
I would suggest to run the Provisioning Job for the AD, download the logs (under "ecm-worker" service) and start your troubleshooting from there.
09/15/2022 03:25 AM
Hi Avinash,
Nothing under ECM-worker when running provisioning job for these tasks.
I found that under the Endpoint for AD there is no Connection Configuration configured. By adding the value as per documentation:
<conf><ADDMEMBERTOENT>TRUE</ADDMEMBERTOENT><ADDUSERTOENT>TRUE</ADDUSERTOENT></conf>
we get an access denied error.
Regards,
09/15/2022 04:21 AM
You should go through L100 training which covers AD CONNECTION
09/15/2022 05:55 AM
Hi R,
Have actually completed L100, but these more in-depth settings are actually not even touched on.
Very basic creation of Connector, Endpoints etc
Regards,