
Managing OUs in AD using Manage Organizations link in EIC

krecpond
New Contributor III

We have implemented a use case wherein, when new locations into which users will be hired are created in Workday, a corresponding location-based OU is created in AD. This use case is required for local server administrators to administer and support GPOs on the servers in that location. The OUs are to be created based on a location code for each physical location in Workday. This information is provided by HR via email to the IAM support team.

This has been implemented using the Create New Organization form, which, when filled in and submitted, triggers a Create Organization-type pending task through an Organization Update Rule. When this pending task is processed, EIC creates an OU under the parent OU.

Now, we have a requirement that some location codes could get updated for a given existing physical location. From an AD standpoint, this is a change to the name of the existing OU. AD natively allows this change on the LDAP attributes "ou" and "name", which in turn is reflected in the DN of the OU. However, I am unable to incorporate this use case through EIC for various reasons:

1. If the "Organization Name" on the form is set to the location code, then this attribute is not editable in Saviynt for subsequent name changes.

2. If the "Display Name" field is used to enter the location code for new OUs to be created and the "Organization Name" field is set to a random value, then EIC allows the "Display Name" to be updated. We have an organization update rule whose trigger action is set to "Updated from UI" to create an "Update Organization Task" on the AD endpoint. The Update Organization task gets generated. But then EIC attempts to create/update (unclear from the error message) an OU, assuming that an OU with the LDAP "name" attribute set to the new location code already exists in AD, and fails with the message "Error in Org creation -javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=Accounts,OU=accessmgmnt,DC=<<domainname>>,DC=<<companyname>>,DC=com' ]; remaining name 'OU=DOM-DataCredito-86,OU=Accounts,OU=accessmgmnt,DC=<<domainname>>,DC=<<companyname>>,DC=com'. So keeping task status as New"

How can EIC be used to make changes to existing OU names?
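The error quoted in the post is an LDAP result code 32 (NO_OBJECT): AD reports the deepest ancestor it could find ("best match") and the DN it could not ("remaining name"), which here is the DN built from the *new* location code. The example below, added here and not part of the post or of Saviynt's EIC, parses such a message to show which object is missing and builds the LDIF for the operation a rename actually needs, a modrdn on the existing OU. The domain components and the old location code are constructed placeholders.

```python
"""Added example (not Saviynt/EIC code): read an AD NameNotFoundException like
the one in the post and show the rename as an LDIF modrdn. DNs are constructed."""
import re

# Constructed sample, shaped like the message in the post (placeholder domain).
SAMPLE_ERROR = (
    "Error in Org creation -javax.naming.NameNotFoundException: [LDAP: error "
    "code 32 - 0000208D: NameErr: DSID-03100245, problem 2001 (NO_OBJECT), "
    "data 0, best match of: 'OU=Accounts,OU=accessmgmnt,DC=example,DC=corp,"
    "DC=com' ]; remaining name 'OU=DOM-DataCredito-86,OU=Accounts,"
    "OU=accessmgmnt,DC=example,DC=corp,DC=com'. So keeping task status as New"
)

_ERR_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<ad_code>[0-9A-Fa-f]{8}).*?"
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\).*?"
    r"best match of:\s*'(?P<best>[^']*)'\s*\];\s*remaining name\s*'(?P<remaining>[^']*)'",
    re.DOTALL,
)

def parse_ldap_error(msg):
    """Extract result code, AD sub-code, best match DN and remaining name.
    Code 32 / NO_OBJECT: the server has no object at 'remaining name';
    'best match' is the deepest ancestor that does exist."""
    m = _ERR_RE.search(msg)
    if not m:
        raise ValueError("not an AD NameNotFoundException message")
    d = m.groupdict()
    d["code"], d["problem"] = int(d["code"]), int(d["problem"])
    return d

def missing_rdns(best_match, remaining):
    """RDNs of 'remaining' below 'best_match': the part of the DN AD lacks."""
    if not remaining.lower().endswith(best_match.lower()):
        raise ValueError("best match is not a suffix of the remaining name")
    head = remaining[: len(remaining) - len(best_match)].rstrip(",")
    return [r.strip() for r in re.split(r"(?<!\\),", head) if r.strip()]

def rename_ou_ldif(parent_dn, old_code, new_code):
    """LDIF for the rename itself: a modrdn on the OU that exists (old code),
    not a write to the DN of the new code, which is what failed in the post.
    AD always drops the old RDN value, so deleteoldrdn is 1."""
    return (f"dn: OU={old_code},{parent_dn}\nchangetype: modrdn\n"
            f"newrdn: OU={new_code}\ndeleteoldrdn: 1\n")

if __name__ == "__main__":
    err = parse_ldap_error(SAMPLE_ERROR)
    print("missing object:", missing_rdns(err["best"], err["remaining"]))
    print(rename_ou_ldif(err["best"], "OLD-LOC-01", "DOM-DataCredito-86"))
```

The LDIF can be applied with a standard `ldapmodify` client; whatever update task EIC generates must target the old OU's DN in the same way, since writing attributes at the new DN can only fail with code 32 until that object exists.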

1 REPLY

khalidakhter
Saviynt Employee

@krecpond 

Please share the existing update org JSON to check the feasibility.