05/09/2023 11:02 PM
Hello,
@avinashchhetri @sahajranajee @amit_krishnajit @rushikeshvartak
We are using ServiceNow to call Saviynt APIs to create Service Accounts. The Create Account task is getting generated and is also getting completed by running the WSRETRY job. The Service Account gets created in both Saviynt and Active Directory.
But we also have a requirement to update the owner of the Service Account in Active Directory, specifically in the manager field. The manager field in AD only accepts the complete distinguishedName of the user.
In the payload which we are using in the Saviynt API call, we are passing the employeeID of the user, but we cannot pass that straight into the manager field of Active Directory because that won't work.
We have the distinguishedName of a user's AD account stored in the customproperty3 attribute of the AD account attributes in Saviynt. So we are using the below syntax to fetch that and pass it to manager:
"manager": "${def g=com.saviynt.ecm.identitywarehouse.domain.User_accounts.findAllWhere([userkey: ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.id.toString()}[0]]).collect{com.saviynt.ecm.identitywarehouse.domain.Accounts.findWhere([id:it.accountkey])}.findAll{it.endpointkey.id==3L&&(it.status.equalsIgnoreCase('Active')||it.status.equalsIgnoreCase('1'))};if(g!=null&&!g.isEmpty()){g[0].customproperty3}}"
But the above syntax throws the following error in the logs:
"ecm-worker","2023-05-10T04:34:28.313+00:00","2023-05-10T04:34:27.465782935Z stdout F java.lang.Exception: Template contains string which are not allowed com.saviynt."
Request your assistance here.
Best Regards,
Varun
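The selection the template expression above performs (take the owner's accounts on the AD endpoint, keep only those whose status is 'Active' or '1', and use customproperty3 of the first one) can be exercised outside Saviynt. The block below is an added example, not Saviynt's code or code from this thread: it re-implements that selection in Python over constructed sample records, and adds the check a practitioner would want before the value is written to AD, namely that what was read from customproperty3 actually has the shape of a distinguishedName, so a stray employeeID or empty value fails closed instead of producing an invalid manager attribute. The record layout (userkey, accountkey, endpointkey, status, customproperty3) and the endpoint key 3 are assumptions modelled on the attributes the expression references.

```python
"""Owner-DN selection mirroring the thread's Groovy template, with a DN shape check.

Added example, not Saviynt code. Table layout and values are constructed;
field names follow the attributes used in the template expression.
"""
import re
from typing import List, Optional

# Constructed sample data standing in for User_accounts and Accounts.
USER_ACCOUNTS = [
    {"userkey": 101, "accountkey": 5001},
    {"userkey": 101, "accountkey": 5002},
    {"userkey": 101, "accountkey": 5003},
    {"userkey": 102, "accountkey": 5004},
]
ACCOUNTS = {
    # Different endpoint: must be ignored even though it carries a DN.
    5001: {"endpointkey": 7, "status": "Active",
           "customproperty3": "CN=Varun,OU=Users,DC=example,DC=com"},
    # AD endpoint but inactive: must be ignored.
    5002: {"endpointkey": 3, "status": "Inactive",
           "customproperty3": "CN=Old Varun,OU=Users,DC=example,DC=com"},
    # AD endpoint, status '1' (treated as active by the template).
    5003: {"endpointkey": 3, "status": "1",
           "customproperty3": "CN=Varun,OU=Users,DC=example,DC=com"},
    # AD endpoint, active, but customproperty3 holds an employeeID, not a DN.
    5004: {"endpointkey": 3, "status": "Active", "customproperty3": "123456"},
}
AD_ENDPOINT_KEY = 3  # the template filters on endpointkey.id == 3L (assumption)

# Loose RFC 4514 shape: at least two "attr=value" RDNs separated by commas.
# Escaped commas inside a value ("CN=Doe\\, John") are not handled; a real
# DN parser is needed for those.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"
_DN_RE = re.compile(rf"^{_RDN}(,{_RDN})+$")


def looks_like_dn(value) -> bool:
    """True if value has the comma-separated attr=value shape of an AD DN."""
    return isinstance(value, str) and bool(_DN_RE.match(value.strip()))


def active_ad_accounts(userkey: int) -> List[dict]:
    """Same selection as the Groovy: this user's accounts on the AD endpoint
    whose status equals 'Active' or '1' (case-insensitive)."""
    keys = [ua["accountkey"] for ua in USER_ACCOUNTS if ua["userkey"] == userkey]
    selected = []
    for key in keys:
        acct = ACCOUNTS.get(key)
        if acct is None or acct["endpointkey"] != AD_ENDPOINT_KEY:
            continue
        if acct["status"].lower() not in ("active", "1"):
            continue
        selected.append(acct)
    return selected


def owner_manager_dn(userkey: int) -> Optional[str]:
    """DN to place in the AD manager attribute, or None to fail closed.

    Like the template, the first matching account wins; unlike the template,
    a value that does not look like a DN is rejected instead of passed on.
    """
    accts = active_ad_accounts(userkey)
    if not accts:
        return None
    dn = accts[0].get("customproperty3")
    return dn.strip() if looks_like_dn(dn) else None


if __name__ == "__main__":
    print(owner_manager_dn(101))  # the DN from account 5003
    print(owner_manager_dn(102))  # None: customproperty3 is not a DN
```

The fail-closed return for user 102 is the part worth carrying back into the real flow: if the owner lookup yields nothing usable, leave manager unset and raise a task error rather than writing whatever string happened to be in the custom property.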
05/10/2023 05:55 AM
Hello
Could you please try with this one:
"manager": "${def g=com.saviynt.ecm.identitywarehouse.domain.User_accounts.findAllWhere([userkey: ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.id.toString()}[0]]).collect{com.saviynt.ecm.identitywarehouse.domain.Accounts.findWhere([id:it.accountkey])}.findAll{it.endpointkey.id==3L&&(it.status.equalsIgnoreCase('Active')||it.status.equalsIgnoreCase('1'))};if(g!=null&&!g.isEmpty()){g[0]['customproperty3']}}"
Regards
Harouna
05/10/2023 06:21 AM
Hello @Hsoumare ,
The only difference between the syntax I was using and the one shared by you is:
My syntax : g[0].customproperty3
The one shared by you : g[0]['customproperty3']
But the error which is getting thrown is:
"ecm-worker","2023-05-10T04:34:28.313+00:00","2023-05-10T04:34:27.465782935Z stdout F java.lang.Exception: Template contains string which are not allowed com.saviynt."
Apparently, Saviynt is not allowing the usage of com.saviynt itself. Please correct me if I am wrong.
Best Regards,
Varun
05/10/2023 06:26 AM
@Hsoumare - I tried with the syntax shared by you. Again got the same error.
Best Regards,
Varun
05/10/2023 06:27 AM
Hi Varun,
Yes, I think it's restricted by Saviynt, therefore I suggest storing the account attribute directly on the identity customproperty using the USER_ATTRIBUTE section of the AD connector.
Regards
Harouna
05/10/2023 06:37 AM
Hello @Hsoumare
We are using Active Directory as a target system, not a trusted system, so we cannot use USER_ATTRIBUTE.
Best Regards,
Varun
05/15/2023 06:51 AM
Hi,
Kindly assist here please.
Best Regards,
Varun
05/18/2023 05:12 AM
Hi,
Need some assistance on this thread please.
Best Regards,
Varun
06/14/2023 10:19 AM
One way of achieving this use case is to also create AD as an auth source for users. After that we can run the User Import job from AD and map the DN to any of the user's CP attributes so the value is stored in the user's profile. Then you can directly use the user variable to pass the DN value in the Account JSON: "${user.customproperty10}"