
Manager has multiple AD accounts - select primary account of manager while user provisioning

saima
New Contributor III

Hi Experts,

We have an ADSI connection configured.

Basically, user provisioning to AD is based on the manager's primary account's DN.

If a user's manager has multiple AD primary accounts, how can we get the particular primary account of the manager using the managerAccount object in the createAccount JSON?

Please provide your inputs on this.

 


NM
Esteemed Contributor

Hi @saima, you can't get it directly. As a workaround, for the primary account you can add the account type as Primary; then when you fetch via manager account it should pick that.

Or 2nd option via dynamic attribute.


If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

rushikeshvartak
All-Star

Regards,
Rushikesh Vartak

Hi Rushikesh,

We want to get the primary AD account of the manager during AD provisioning. The manager has 2-3 normal AD accounts, where Saviynt is not able to detect the account to be used for the user's provisioning.

As user's provisioning is based on manager's AD account OU.

 

What is the attribute to identify its primary account?


Regards,
Rushikesh Vartak

We don't have an attribute to identify it, but we have a base OU. Can we make use of the managerAccount object anyhow to get the primary account?

NM
Esteemed Contributor

@saima, store the primary account OU or DN in the user's manager profile.

If you can't identify it, you won't be able to get the right value.

Or use dynamic attribute as stated above.



Even if we make use of managerAccount, you need an identifier to identify which account to use.


Regards,
Rushikesh Vartak

saima
New Contributor III

Hi NM and Rushikesh,

If we somehow identify the primary account by populating AccountType as Primary, how can we ensure managerAccount will always pick the primary account?

Or is there any expression to get the primary account from the manager and get it on some random customproperty?

You need to write logic based on customproperty where you will store


Regards,
Rushikesh Vartak

OK, also: if we somehow identify the primary account by populating AccountType as Primary, how can we ensure managerAccount will always pick the primary account?

You can define Account Type = Primary Account under Endpoint

https://forums.saviynt.com/t5/identity-governance/leveraging-primary-account-type-for-users-having-m...


Regards,
Rushikesh Vartak

stalluri
Valued Contributor II

@saima 

We are using the Account Type attribute and populating the value for all the primary accounts as Primary. 

Screenshot 2024-09-05 at 11.09.56 AM.png

Leave it blank for secondary and service accounts.

Screenshot 2024-09-05 at 11.10.26 AM.png

In the Endpoint we will select this as below.

Screenshot 2024-09-05 at 11.09.04 AM.png

At the time of provisioning, it will only pick the primary account and provision the user_account.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.