
Prevent a user from moving from OU in AD after an attribute update

Ivan5533
Regular Contributor

Hello,

We have a use case where we import existing AD accounts and correlate them with the user. After importing these accounts and correlating them with their respective user, if the user receives any change in an attribute, the user update rules trigger and update these attributes in the AD account; depending on the attribute (if it is a location-related one), the account is even moved from one OU to another.

The problem we are having is that for certain users we have to prevent them from being moved between OUs. Currently the UPDATEACCOUNTJSON contains

"moveUsertoOU": "${if(user.employeeType.equals('External')){'OU=external,OU=saviynt,DC=AAA,DC=AAA'} else {user.customproperty9}}"

*customproperty9 contains the OU for other users, calculated with the inline preprocessor

Could you give me an example of logic added to the configuration we already have so that users who have an ad account that belongs to the OU ‘OU=cantmove,OU=saviynt,DC=AAA,DC=AAA’ are not moved from OU?


In brief,

External users will be moved to OU=external,OU=saviynt,DC=AAA,DC=AAA

Users who have an account in the OU "OU=cantmove,OU=saviynt,DC=AAA,DC=AAA,DC=AAA" will not be moved.

All other users move to the OU contained in customproperty9.

Thank you

7 REPLIES

pmahalle
All-Star

@Ivan5533 ,

Try the below in your update account JSON. If you are storing the DN in an attribute other than accountid, replace accountid (marked in bold) with that attribute name.

"moveUsertoOU": "${account.accountid.contains('OU=cantmove,OU=saviynt,DC=AAA,DC=AAA,DC=AAA') ? 'OU=cantmove,OU=saviynt,DC=AAA,DC=AAA,DC=AAA' : user.customproperty9}"


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

Ivan5533
Regular Contributor

Hi @pmahalle ,

Thanks for your help

Two things here,

  • That if else logic does not take into account externals.
  • I forgot to mention that there are several OUs that a user can't move from, so I was thinking if it's possible something like this:
    • If users.employeeType.equals('External') = OU=external,OU=saviynt,DC=AAA,DC=AAA
    • else if account.customproperty1.contains 'canmove' = users.customproperty9
    • else = null or something valid to prevent movement

Is it possible to do an else if in the JSON?

Kind regards,

Ivan

@Ivan5533 If you are storing information like canmove or cantmove in the account's/user's customproperty, then you can use it in your condition. If it's canmove, then push customproperty9; else calculate the existing OU from the user's existing DN using the substring function and push that.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

Ivan5533
Regular Contributor

@pmahalle That would work, but I still need to cover 3 use cases:
1. users who don't move
2. external users with predefined ou
3. users who move

How can I do it in the same condition? I would appreciate it if you could give me an example of an else if included in a userupdatejson.

Kind regards,

Ivan

@Ivan5533 ,

Try below:

"moveUsertoOU": "${if(user.employeeType.equals('External')){'OU=external,OU=saviynt,DC=AAA,DC=AAA'} else if(account.customproperty1.equals('canmove')) {user.customproperty9} else {account.accountid.substring(account.accountid.indexOf(',')+1, account.accountid.length())}}"

Given that you have the DN present in the accountid attribute of the account.


Pandharinath Mahalle(Paddy)
If this reply helps your question, please consider selecting Accept As Solution and hit Kudos 🙂

Ivan5533
Regular Contributor

I have the DN in the attribute customproperty1, and I have adapted it to my environment as follows

"moveUsertoOU": "${if(user.employeeType.equals('Contractor')){'OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX'} else if(account.customproperty1.contains('canmove')) {user.customproperty9} else {substring(account.customproperty1.indexOf('OU'),account.customproperty1.length())}}"

but when I update a user that would fall into the else condition I get the following error

customproperty1 of the account-> CN=ciro kanpel,OU=XX-TEST,OU=Users,OU=AA,OU=BBB,OU=saviynt,DC=XX,DC=XX

Error while Update operation for account-ckanpel in AD - [LDAP: error code 21 - 00000057: LdapErr: DSID-0C091284, comment: Error in attribute conversion operation, data 0, v4563]

Kind regards,

Ivan

"moveUsertoOU": "${if(user.employeeType.equals('Contractor')) {'OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX'} else if(account.customproperty1.contains('canmove')) {user.customproperty9} else {substring(account.customproperty1, account.customproperty1.indexOf('OU'))}}"


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
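The three-way decision built up across this thread (external users to a fixed OU, "canmove" accounts to the OU in customproperty9, everyone else kept in the container they already occupy) can be checked offline before it goes into UPDATEACCOUNTJSON. The following Python model is an added example, not Saviynt code and not the expression language Saviynt evaluates; the attribute names (employeeType, customproperty1 holding the DN, customproperty9) and the external OU are taken from the posts above, while the DNs it runs against are constructed samples. It also shows why deriving the current container with `indexOf('OU')` or `indexOf(',')+1` is fragile: a CN that itself contains the letters "OU", or a CN with an RFC 4514 escaped comma (`CN=Kanpel\, Ciro`), produces a malformed target DN, which is one way to end up with the LDAP error code 21 attribute conversion failure seen earlier in the thread.

```python
# Added example: offline model of the moveUsertoOU decision from this thread.
# Saviynt evaluates the real expression inside the JSON; this only models the logic.
# Field names come from the thread; the OU under EXTERNAL_OU is the one posted above.
EXTERNAL_OU = "OU=Users,OU=external,OU=saviynt,DC=XX,DC=XX"


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, keeping backslash-escaped commas (RFC 4514) intact."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Escaped character: keep the backslash and the next char together.
            current.append(dn[i : i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def parent_ou(dn: str) -> str:
    """Container of the object: the DN with its leaf RDN removed."""
    return ",".join(split_dn(dn)[1:])


def naive_parent_ou(dn: str) -> str:
    """The thread's substring(indexOf('OU')) approach, kept for comparison."""
    return dn[dn.index("OU") :]


def target_ou(employee_type: str, account_dn: str, user_cp9: str) -> str:
    """Model of the if / else if / else chain in the final expression.

    employee_type -> user.employeeType
    account_dn    -> account.customproperty1 (the account's DN)
    user_cp9      -> user.customproperty9 (OU computed by the inline preprocessor)
    """
    if employee_type == "Contractor":
        return EXTERNAL_OU
    if "canmove" in account_dn:
        return user_cp9
    # Stay put: moving an object to the container it is already in is a no-op.
    return parent_ou(account_dn)


if __name__ == "__main__":
    # Constructed sample DNs; the first mirrors the one quoted in the thread.
    samples = [
        "CN=ciro kanpel,OU=XX-TEST,OU=Users,OU=AA,OU=BBB,OU=saviynt,DC=XX,DC=XX",
        "CN=HOUSTON Ops,OU=XX-TEST,OU=saviynt,DC=XX,DC=XX",
        "CN=Kanpel\\, Ciro,OU=XX-TEST,OU=saviynt,DC=XX,DC=XX",
    ]
    for dn in samples:
        print(f"{dn}\n  rdn-aware: {parent_ou(dn)}\n  naive    : {naive_parent_ou(dn)}")
```

The RDN-aware split is what you want the expression to approximate; if the Saviynt expression keeps using plain `substring`, the CNs in the directory have to be known not to contain escaped commas or the uppercase sequence "OU", otherwise the computed target container will not resolve.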