
Pushing Service Account Owner to Active Directory

varunpuri
Regular Contributor

Hello,

@avinashchhetri @sahajranajee @amit_krishnajit @rushikeshvartak 

We are using ServiceNow to call Saviynt APIs to create Service Accounts. The Create Account task is generated and is also completed by running the WSRETRY job. The Service Account gets created in both Saviynt and Active Directory.

But we also have a requirement to update the owner of the Service Account in Active Directory, specifically in the manager field. The manager field in AD only accepts the complete distinguishedName of the user.

In the payload which we are using in the Saviynt API call, we are passing the employeeID of the user, but we cannot pass that straight into the manager field of Active Directory because that won't work.

We have the distinguishedName of a user's AD account stored in customproperty3 attribute of the AD account attributes in Saviynt. So, we are using the below syntax to fetch that and pass that to manager.

"manager": "${def g=com.saviynt.ecm.identitywarehouse.domain.User_accounts.findAllWhere([userkey: ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.id.toString()}[0]]).collect{com.saviynt.ecm.identitywarehouse.domain.Accounts.findWhere([id:it.accountkey])}.findAll{it.endpointkey.id==3L&&(it.status.equalsIgnoreCase('Active')||it.status.equalsIgnoreCase('1'))};if(g!=null&&!g.isEmpty()){g[0].customproperty3}}"

But the above syntax throws the following error in the logs:

"ecm-worker","2023-05-10T04:34:28.313+00:00","2023-05-10T04:34:27.465782935Z stdout F java.lang.Exception: Template contains string which are not allowed com.saviynt."

 Request your assistance here.

Best Regards,
Varun
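As an added illustration (not code from this thread or from Saviynt), the lookup that the account-JSON template above encodes, re-expressed in Python over constructed records: owner userkey, then that user's accounts, then only the active account on the AD endpoint, then its customproperty3 where the DN is stored. The dict-based records, the `AD_ENDPOINT_KEY` constant and the function names are assumptions; endpoint key 3 and customproperty3 are the values from the post. It also shows the two failure modes a provisioning payload should guard against: no active AD account for the owner, and a customproperty3 that is empty or not a DN.

```python
"""Resolve the AD manager DN for a service-account owner (constructed example).

The Saviynt domain classes (User_accounts, Accounts) are stood in for by plain
dicts; nothing here calls the real product API.
"""
import re
from typing import Optional

# Hypothetical: the endpointkey of the AD endpoint; the thread's template uses 3L.
AD_ENDPOINT_KEY = 3

# Constructed sample data standing in for the identity warehouse tables.
USER_ACCOUNTS = [  # user -> account links
    {"userkey": 101, "accountkey": 5001},
    {"userkey": 101, "accountkey": 5002},
    {"userkey": 101, "accountkey": 5003},
    {"userkey": 202, "accountkey": 5004},
]
ACCOUNTS = {
    5001: {"endpointkey": 3, "status": "Inactive",
           "customproperty3": "CN=Old Jane,OU=Leavers,DC=example,DC=com"},
    5002: {"endpointkey": 7, "status": "Active", "customproperty3": "not-a-dn"},
    5003: {"endpointkey": 3, "status": "1",
           "customproperty3": "CN=Jane Doe,OU=Users,DC=example,DC=com"},
    5004: {"endpointkey": 3, "status": "Active", "customproperty3": ""},
}

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def looks_like_dn(value: str) -> bool:
    """Cheap sanity check, not a full RFC 4514 parser: split on unescaped
    commas, require every component to be attr=value and at least one DC=
    component. It stops an employeeID or blank string reaching 'manager'."""
    if not value:
        return False
    parts = [p.strip() for p in re.split(r"(?<!\\),", value)]
    return all(_RDN.match(p) for p in parts) and any(
        p.upper().startswith("DC=") for p in parts
    )


def is_active(status: str) -> bool:
    # The template accepts either 'Active' or '1' as the active status.
    return status.lower() in ("active", "1")


def resolve_manager_dn(owner_userkey, user_accounts, accounts,
                       ad_endpoint_key=AD_ENDPOINT_KEY) -> Optional[str]:
    """Mirror of the template: owner's accounts -> active AD account -> DN."""
    candidates = [
        accounts[link["accountkey"]]
        for link in user_accounts
        if link["userkey"] == owner_userkey and link["accountkey"] in accounts
    ]
    ad_active = [
        a for a in candidates
        if a["endpointkey"] == ad_endpoint_key and is_active(a["status"])
    ]
    if not ad_active:
        return None  # the template's g.isEmpty() branch: leave manager unset
    dn = ad_active[0]["customproperty3"]
    return dn if looks_like_dn(dn) else None


def manager_payload(owner_userkey, user_accounts=USER_ACCOUNTS,
                    accounts=ACCOUNTS) -> dict:
    """Fragment to merge into the account JSON; omits 'manager' when no
    valid DN can be resolved rather than writing an invalid value."""
    dn = resolve_manager_dn(owner_userkey, user_accounts, accounts)
    return {"manager": dn} if dn else {}


if __name__ == "__main__":
    print(manager_payload(101))  # owner with an active AD account
    print(manager_payload(202))  # active AD account but empty DN -> {}
```

Omitting the key when the lookup fails is the defensive choice: AD rejects a malformed manager value anyway, and an empty fragment surfaces in the task log as a missing owner rather than a silently wrong one.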


Hsoumare
New Contributor III

Hello 

Could you please try this one:

"manager": "${def g=com.saviynt.ecm.identitywarehouse.domain.User_accounts.findAllWhere([userkey: ServiceAccountOwnerMap.get('USEROWNERS').get('1').collect{it.id.toString()}[0]]).collect{com.saviynt.ecm.identitywarehouse.domain.Accounts.findWhere([id:it.accountkey])}.findAll{it.endpointkey.id==3L&&(it.status.equalsIgnoreCase('Active')||it.status.equalsIgnoreCase('1'))};if(g!=null&&!g.isEmpty()){g[0]['customproperty3']}}"

 

Regards

Harouna

varunpuri
Regular Contributor

Hello @Hsoumare,

The only difference between the syntax I was using and the one you shared is:
My syntax: g[0].customproperty3
The one shared by you: g[0]['customproperty3']

But the error being thrown is:

"ecm-worker","2023-05-10T04:34:28.313+00:00","2023-05-10T04:34:27.465782935Z stdout F java.lang.Exception: Template contains string which are not allowed com.saviynt."

Apparently, Saviynt does not allow the use of com.saviynt itself. Please correct me if I am wrong.

Best Regards,
Varun

varunpuri
Regular Contributor

@Hsoumare - I tried with the syntax shared by you. Again got the same error.

Best Regards,
Varun

Hsoumare
New Contributor III

Hi Varun, 

Yes, I think it is restricted by Saviynt, therefore I suggest storing the account attribute directly on the identity custom property using the USER_ATTRIBUTE section on the AD connector.

https://docs.saviyntcloud.com/bundle/ADSI-v55x/page/Content/Configuring-the-Integration-for-Importin...

 

Regards

Harouna

varunpuri
Regular Contributor

Hello @Hsoumare 

We are using Active Directory as a target system, not a trusted system, so we cannot use USER_ATTRIBUTE.

Best Regards,
Varun

varunpuri
Regular Contributor

Hi,

Kindly assist here please.

Best Regards,
Varun

varunpuri
Regular Contributor

Hi,

Need some assistance on this thread please.

Best Regards,
Varun

SB
Saviynt Employee

One way of achieving this use case is to also create AD as an auth source for users. After that we can run the User Import job from AD and map the DN to any of the user's CP attributes so the value is stored in the user's profile. Then you can directly use the user variable to pass the DN value in the Account JSON: "${user.customproperty10}"


Regards,
Sahil