Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.

Service Account Name Rule

Thriller
New Contributor III
New Contributor III

How can I create a service account name rule that doesn't let the user enter in the account name that matches the user's primary AD Account. This needs to be configured for the ARS portion, so when a user submits a service account request, they shouldn't be allowed to enter in the account name that matches their primary AD Account.

Thank you for your help

Thriller_0-1718339946221.png

 

1 REPLY 1

rushikeshvartak
All-Star
All-Star

You need implement based on dynamic attribute. 

 

Service Account Name Rule

When you submit a request for creating a new service account, the account name can be entered manually or generated based on an account name generation rule defined in this field.

To be able to have the option or field values in Access Requests and define the query to generate Service Account Name Rule, you first need to define the dynamic attributes in an endpoint of Request type ServiceAccount.

The Hide on Create and Hide on Update options for these dynamic attributes must be unchecked.

Defining the dynamic attributes in endpoint enables you to populate the data as per your requirement such as Region, Location, Country, Site Codes, Department, and accountType.

After defining the dynamic attributes in an endpoint, perform the following steps to define Service Account Name Rule.

For Example, The account name needs to start with 'ADAcc16' then specify 'ADAcc16'.

Followed by Region name (Region dynamic attribute must be defined and available). Specify 3 underscore characters, followed by $Region. Additionally, Saviynt provides the ability to define number of characters for attributes. Specify 2 hash (#) characters followed by 0 and suppose you want the first 3 characters, specify 2 more hash (#) characters after 0 and add 3. Complete string for Region first 3 characters is ${Region}##0##3.

To define the first 4 characters of Country name, append 3 underscore (_) followed by $Country. To filter first 4 characters, after $Country specify 2 hash (#) characters followed by 0 and suppose you want the first 4 characters, specify 2 more hash (#) characters after 0 and add 4. Complete string for Country is ${Country}##0###4.

You can also use a substring expression to generate service account name for specific number of characters belonging to dynamic attributes. For example, let us say you want to generate service account name from two dynamic attributes, by using first 8 characters from the accountname and from the second dynamic attribute such as Environment you just want the first character to be combined and then generate service account name. You can specify a substring such as ${AccountName.substring(0,8)}-${Environment.substring(0,1)}, which fetches the first 8 characters from AccountName and first character from Environment. If the Account name is Johncarlson and Environment is QA then based on the preceding rule substring query defined, the Service Account Name generated is Johncarl-Q.

Note

The following example depicts how to generate the service account name rule followed by a hyphen, account type and an incremental index.

You want the account name to start with 'Saviynt' and hyphen then specify 'Saviynt-'.

Followed by ${accountType} (Service Account Type attribute must be defined and available, If the Service Account Type is not available, then the service account name will be generated as 'Sample-'). Specify 3 hash (#) characters followed by INCREMENTINDEX and end with 3 hash (#).

Sample Query: Saviynt-$:accountType}###INCREMENTINDEX###

Use Case: How to add conditional statement (if-else) in the service account name rule.

You can add the conditional statement (if-else) using the ternary operator, for an example the administrator wants to add a prefix for service account based on account type.

Consider the endpoint has four different service account types named Service Account, Test Account, Robot Account, and Shared Account and the administrator wants to add the prefix as svc,tst,bot,shr respectively based on account type selection along with dynamic attributes. You can achieve this using the ternary "?" operator. Here dynserviceactname is dynamic attribute that user will key in the value for service account.

Example1:

Account type : Test Account

dynserviceactname : test123

Generated Account name : tst_test123

Example2:

Account type : Service Account

dynserviceactname : check123

Generated Account name : svc_check123

Sample Query: ${accountType=='Service Account' ? 'svc'+dynserviceactname:(accountType=='Test Account' ? 'tst_'+dynserviceactname:(accountType=='Robot Account' ? 'bot_'+dynserviceactname:(accountType=='Shared Account' ? 'shr_'+dynserviceactname:'')))}_ 

 

https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter02-Identity-Repository/Viewi... 


Regards,
Rushikesh Vartak
If you find this response useful, kindly consider selecting 'Accept As Solution' and clicking on the 'Kudos' button.