
Push an attribute to AD based on condition

Bharadwaj319
New Contributor III

Hi,

We are trying to push email to AD based on value. In case the user's email in Saviynt has XXXX then we will map SSM email to AD mail. We were able to achieve this using the below config.

"mail": "${if((user.email.contains('xxxx.com'))){user.email}}"

But the problem is, if the user email has yyyy.com in SSM, then the above config is clearing the mail attribute in AD as the above config does not handle the else part.

Please note that the source of truth for yyyy.com users is AD and SSM gets the yyyy.com emails from AD. Are there any suggestions to handle the above scenario?


Sivagami
Valued Contributor

Hi there,

If yyy.com is the source of truth, can't you avoid creating update AD account tasks for that domain in the first place through user update rules?

-Siva

Bharadwaj319
New Contributor III

Hi Siva,

No, we will need to push other attribute values to AD from SSM. It is only for email that AD is the source of truth.

@Bharadwaj319,

Not the most elegant of solutions, but you could use something as shown below to drive your logic.

{
${if(user.email.contains('xxxx.com'))
'"givenname" : "'+user.firstname+'","mail" : "'+user.email+'",'
else '"givenname" : "'+user.firstname+'",'
}
"cn": "${user.displayname}",
"sn": "${user.lastname}"
}

Regards,
Avinash Chhetri

Rajesh-R
Saviynt Employee

Hi there,

There is a configuration in the connections to handle this criteria.

SUPPORTEMPTYSTRING - Set to TRUE if we need to ignore empty and null values while provisioning.

If set to TRUE - It ignores the empty and null values and doesn't push them to the target.

If set to FALSE - It considers the empty and null values and clears in the target.

By default considers FALSE.

Thanks
Rajesh Ramalingam
Saviynt India

Hi Rajesh,

It appears to be the other way: if that config is set to TRUE, instead of clearing off the attribute in AD, it is pushing a NULL value, which is in line with the Saviynt Documentation.

Bharadwaj319_0-1668571038222.png

So this does not help our purpose.

Regards,

Bharadwaj.

Check if the below post helps

https://forums.saviynt.com/t5/identity-governance/dont-provision-a-specific-attribute-if-dynamic-att...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

amit_krishnajit
Saviynt Employee

@Bharadwaj319 - Looks like this is a use-case for update account JSON. Could you try using the following expression and let us know if that works for you?

"mail": "${ user?.email?.contains('xxxx.com') ? user.email : account.customproperty10}"

Here, account.customproperty10 would be the same customproperty in which you would have mapped the mail attribute from AD in the account attributes for reconciliation.

Thanks,
Amit
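
The two mapping styles from this thread, compared as a dry run before touching AD. This is an added example, not code from any poster or from Saviynt: it models the expressions as plain Groovy closures over constructed sample records, calls no Saviynt API, and assumes account.customproperty10 holds the mail value reconciled from AD.

```groovy
// Constructed sample data: the SSM user email and the AD mail value assumed
// to be reconciled into account.customproperty10.
def cases = [
    [user: [email: 'alice@xxxx.com'], account: [customproperty10: 'alice@old.example']],
    [user: [email: 'bob@yyyy.com'],   account: [customproperty10: 'bob@yyyy.com']],
    [user: [email: null],             account: [customproperty10: 'carol@yyyy.com']],
]

// Mapping 1: the original expression, an if with no else branch.
// (?. is added here only so the null-email sample does not throw.)
// When the condition is false the closure returns null.
def ifOnly = { user, account ->
    if (user.email?.contains('xxxx.com')) { user.email }
}

// Mapping 2: the ternary from the last reply, falling back to the value
// that came from AD so yyyy.com users are written back unchanged.
def withFallback = { user, account ->
    user?.email?.contains('xxxx.com') ? user.email : account.customproperty10
}

// Classify what pushing `proposed` would do to the current AD mail value.
def classify = { proposed, current ->
    if (proposed == null || proposed == '') return 'EMPTY (would clear or null mail)'
    proposed == current ? 'unchanged' : "set to ${proposed}"
}

cases.each { c ->
    def current = c.account.customproperty10
    println "SSM email: ${c.user.email ?: '<none>'}  (AD mail: ${current})"
    println "  if-only      : ${classify(ifOnly(c.user, c.account), current)}"
    println "  with fallback: ${classify(withFallback(c.user, c.account), current)}"
}
```

Any row reported as EMPTY is a user whose authoritative AD mail value the mapping would overwrite; what the connector actually does with an empty result depends on the connection settings discussed above.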