Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Manager has multiple AD accounts - select primary account of manager while user provisioning

saima
New Contributor III
New Contributor III

‎09/05/2024 06:36 AM - edited ‎09/05/2024 07:16 AM

Hi Experts,

We have ADSI connection configured,

Basically user provisioning to AD is based on manager's primary account's DN- 

If a user' s manager has multiple AD primary accounts, how can we get the particular primary account of manager using managerAccount object in createAccount json?

please provide your inputs on this.

 

Labels:
0 Kudos
12 REPLIES 12

NM
Esteemed Contributor
Esteemed Contributor

‎09/05/2024 06:58 AM - edited ‎09/05/2024 06:59 AM

Hi @saima you can't get it directly.. as a workaround you can do for primary account add account type as primary the when you fetch via manager account it should pick that.

Or 2nd option via dynamic attribute.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'
0 Kudos

rushikeshvartak
All-Star
All-Star

‎09/05/2024 07:11 AM


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

saima
New Contributor III
New Contributor III
In response to rushikeshvartak

‎09/05/2024 07:15 AM - edited ‎09/05/2024 07:16 AM

Hi Rushikesh,

We want to get the primary AD account of manager during AD provisioning. Manager has 2-3 normal AD accounts, where saviynt is not able to detect the account to be used for user's provisioning.

As user's provisioning is based on manager's AD account OU.

 

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to saima

‎09/05/2024 07:16 AM

what is attribute to identify its primary account ?


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

saima
New Contributor III
New Contributor III
In response to rushikeshvartak

‎09/05/2024 07:18 AM - edited ‎09/05/2024 07:18 AM

we don't have a attribute to identify but we have a base OU, can we make use of managerAccount object anyhow? to get the primary account?

0 Kudos

NM
Esteemed Contributor
Esteemed Contributor
In response to saima

‎09/05/2024 07:21 AM

@saima store primary account OU or DN in users manager profile.

If you can't identify you won't be able to get the right value ..

Or use dynamic attribute as stated above.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'
0 Kudos

rushikeshvartak
All-Star
All-Star
In response to saima

‎09/05/2024 07:22 AM

even if we make use of managerAccount , You need identifier to identify which account to use


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

saima
New Contributor III
New Contributor III

‎09/05/2024 07:44 AM

Hi NM and Rushikesh,

If we somehow identify primary account by populating AccountType as Primary, how we can ensure managerAccount will always pick the primary account?

or is there any expression to get the primary account from manager and get it on some random customproperty?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to saima

‎09/05/2024 07:47 AM

You need to write logic based on customproperty where you will store


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

saima
New Contributor III
New Contributor III
In response to rushikeshvartak

‎09/05/2024 07:52 AM

ok also - If we somehow identify primary account by populating AccountType as Primary, how we can ensure managerAccount will always pick the primary account?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to saima

‎09/05/2024 08:01 AM

You can define Account Type = Primary Account under Endpoint

https://forums.saviynt.com/t5/identity-governance/leveraging-primary-account-type-for-users-having-m...


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

stalluri
Valued Contributor II
Valued Contributor II

‎09/05/2024 09:12 AM

@saima 

We are using the Account Type attribute and populating the value for all the primary accounts as Primary. 

Screenshot 2024-09-05 at 11.09.56 AM.png

 Leave it blank for secondary and service accounts

Screenshot 2024-09-05 at 11.10.26 AM.png

 In the Endpoint we will select this as below.

Screenshot 2024-09-05 at 11.09.04 AM.png

At the time of provisioning it will only pick the primary account and provision the user_account.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.
0 Kudos
Copyright © 2024 Khoros, LLC