Saviynt Forums

Hi @pmahalle ,

Thanks for your help

Two things here,

• That if else logic does not take into account externals.
• I forgot to mention that there are several OUs that a user can't move from, so I was thinking if it's possible something like this:
  • If users.employeeType.equals(‘External’) = OU=external,OU=saviynt,DC=AAA,DC=AAA
  • else if account.customproperty1.contains ‘canmove’ = users.customproperty9
  • else = null or something valid to prevent movement

is it possible to do an else if in the json?

Kind regards,

Ivan

@Ivan5533 If you are storing information like canmove or cantmove in account's/user's customproperty then you can use it in your condition. If it's canmove then push custompropery9 else calculated the existing OU from user's the  existing DN using substring function and push..

@pmahalle That would work, but as I still need to cover 3 use cases
1. users who don't move
2. external users with predefined ou
3. users who move

How can I do it in the same condition? I would appreciate if you can give me an example of an else if included in a userupdatejson?

Kind regards,

Ivan

@Ivan5533 ,

Try below:

"moveUsertoOU": "${if(user.employeeType.equals('External')){'OU=external,OU=saviynt,DC=AAA,DC=AAA'} else if(account.customproperty1.equals('canmove')) {user.customproperty9} else {substring(account.accountid.indexOf(',')+1,account.accountid.length()}}"

Giving that you have DN present in accountid attribute of the account.

I have the dn in the attribute customproperty1, I have adapted it to my environment as follows

"moveUsertoOU": "${if(user.employeeType.equals('Contractor')){'OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX'} else if(account.customproperty1.contains('canmove')) {user.customproperty9} else {substring(account.customproperty1.indexOf('OU'),account.customproperty1.length())}}"

but when I update a user that would fall into the else condition I get the following error

customproperty1 of the account-> CN=ciro kanpel,OU=XX-TEST,OU=Users,OU=AA,OU=BBB,OU=saviynt,DC=XX,DC=XX

Error while Update operation for account-ckanpel in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0, v4563]

Kind regards,

Ivan

"moveUsertoOU": "${if(user.employeeType.equals('Contractor')) {'OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX'} else if(account.customproperty1.contains('canmove')) {user.customproperty9} else {substring(account.customproperty1, account.customproperty1.indexOf('OU'))}}"

Hi Rushikesh,

I have tried with your code and I get the same AD error... even when I use customproperty9 as result. When there is no else if is working correctly, so it is not the customproperty9

Working:

"moveUsertoOU": "${if(user.employeeType.equals('Contractor')) {'OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX'} else {user.customproperty9}}"

Using static values in the else if and else conditions is not working either, e.g.

"moveUsertoOU": "${if(user.employeeType.equals('Contractor')){'OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX'} else if(account.customproperty1.contains('canmove')) {'OU=Users,OU=test2,OU=saviynt,DC=XX,DC=XX'} else 'OU=Users,OU=test1,OU=saviynt,DC=XX,DC=XX' }"

Do you have any idea what it might be?

Kind regards,

Ivan

Hi,

Please could you help me with this case?

Kind regards,

Iván

Could you kindly provide a detailed snapshot of the information extracted from the logs, encompassing errors and other pertinent functionality details encountered during the execution of this process? Your assistance in furnishing this information would greatly aid in the analysis and resolution of any issues .



‼️‼️⚠️Do not upload any attachments that contain sensitive information, such as IP Addresses, URLs, Company/Employee Names, Email Addresses, etc.⚠️‼️‼️

Hi @rushikeshvartak 

The information I see in the logs regarding the error is as follows:

Error while Update operation for account-ckanpel in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0, v4563]

Do you need more detail? do you think I can find in the logs the output of what is being calculated for this field? as I have not been able to find it and I would not like to attach the whole logs because they contain quite a lot of confidential information.

Kind regards,

Iván

• Identify the Attribute Causing the Issue:

  • Review the attributes you are trying to update in AD for the account ckanpel.
  • Check if any of the attributes have values that do not conform to the expected format or type.

• Check for Special Characters:

  • Ensure that the values being updated do not contain any special characters or invalid data that AD cannot process.

• Attribute Format and Constraints:

  • Verify the attribute's schema definition in AD and ensure that the values adhere to the constraints (e.g., string length, data type, permissible characters).

• Review AD Schema and Syntax:

Hello,

All this is the first thing we have validated and is obviated when the only thing we change is the [if, else if, else] by the [if, else] in USERUPDATEJSON, account happens to be created correctly in AD, so it is not an attribute or special character, the only attribute that may be affecting this is moveusertoOU, which, hardcoding with static values with existing OU in the AD is still throwing this problem.

What is solution?