05/31/2024 04:52 AM
Hi all,
We have a requirement for setting AD attribute accountExpires to today()+90 days while enabling a disabled account in AD.
Have you worked on it before? If so, could you share your configuration/syntax with us? Thanks
-Fran
05/31/2024 08:22 AM
Hi @frayang
Can you try the below code:
"accountExpires": "${(Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L}"
https://forums.saviynt.com/t5/identity-governance/account-expires-as-current-date-in-ad/m-p/40603
05/31/2024 08:40 AM
@frayang try below
"accountExpires": "${(Calendar.getInstance().apply { add(Calendar.DAY_OF_YEAR, 90); set(Calendar.HOUR_OF_DAY, 0); set(Calendar.MINUTE, 0); set(Calendar.SECOND, 0); set(Calendar.MILLISECOND, 0); }.getTimeInMillis() + 11644473600000L) * 10000L}"
06/07/2024 05:01 AM
Can accountExpires attribute be updated to today + 90 days via EnableAccountJSON?
We are setting it like this in the EnableAccountJSON attribute:
"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
But the task is not completing and gives the below error:
Error enabling account in ADSI: { "status": "Failure", "failedObjects": [ { "id": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '/')}", "status": "Failure", "message": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '/')} does not exist.", "messageCodes": "OBJ_ERR_MSG_00002" } ], "connectionString": "LDAP://uslas0-inf008.jacobs.com:636" }
The same is working in updateAccountJson, and if accountExpires is not defined in enableAccountJSON, the enable account task processes successfully.
06/07/2024 05:27 AM
Share full json
06/07/2024 05:31 AM
EnableAccountJSON
{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\/')}",
      "moveObjectToOU": "${user.customproperty21}",
      "attributes": {
        "userAccountControl": 512,
        "extensionAttribute1": "${user.employeeType}",
        "extensionAttribute6": "${user.country}",
        "extensionAttribute3": "${user.location}",
        "extensionAttribute13": "${user.customproperty4}",
        "extensionAttribute9": "${user.customproperty2}",
        "physicalDeliveryOfficeName": "${user.location}",
        "description": "${user.jobDescription}",
        "accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
      }
    }
  ]
}
06/07/2024 05:39 AM
{
  "objects": [
    {
      "objectClasses": [
        "user"
      ],
      "distinguishedName": "${account.accountID?.replace('\\\\', '\\\\\\\\')?.replace('/', '/')}",
      "moveObjectToOU": "${user.customproperty21}",
      "attributes": {
        "userAccountControl": 512,
        "extensionAttribute1": "${user.employeeType}",
        "extensionAttribute6": "${user.country}",
        "extensionAttribute3": "${user.location}",
        "extensionAttribute13": "${user.customproperty4}",
        "extensionAttribute9": "${user.customproperty2}",
        "physicalDeliveryOfficeName": "${user.location}",
        "description": "${user.jobDescription}",
        "accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor')? (Calendar.getInstance().getTimeInMillis() + 7776000000 + 11644473600000L)* 10000L : ''}"
      }
    }
  ]
}
06/07/2024 05:43 AM
The issue is not with distinguishedName.
If I remove accountExpires from the above json and keep "distinguishedName": "${account.accountID?.replace('\\', '\\\\')?.replace('/', '\/')}", the enable account task completes successfully. It only fails when the accountExpires attribute is added.
06/07/2024 05:53 AM
"accountExpires": "${user.employeeType.equalsIgnoreCase('employee') || user.employeeType.equalsIgnoreCase('subcontractor') ? new Date().getTime() + (90 * 24 * 60 * 60 * 1000) + 11644473600000 : '0'}"
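A way to verify an accountExpires value offline before it goes into a connector JSON, added here as an example and not part of the thread or of Saviynt's code: it encodes "now + 90 days" with the same offset and multiplier the replies use, decodes the result back to a date, and flags values that would land in the past. The function names and the sample timestamp are constructed for illustration, and all times are assumed to be UTC.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_MS = 11644473600000    # 1601 -> 1970 offset in ms, as used in the thread
TICKS_PER_MS = 10000              # accountExpires counts 100-nanosecond intervals
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "never expires" in AD


def to_account_expires(when):
    """Aware datetime -> accountExpires integer (100-ns ticks since 1601-01-01 UTC)."""
    unix_ms = (when - UNIX_EPOCH) // timedelta(milliseconds=1)
    return (unix_ms + EPOCH_DIFF_MS) * TICKS_PER_MS


def from_account_expires(value):
    """accountExpires integer -> UTC datetime, or None for 'never expires'."""
    if value in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def expires_in(days, now, midnight=False):
    """Value for now + days; midnight=True truncates to 00:00 UTC of that day."""
    target = now + timedelta(days=days)
    if midnight:
        target = target.replace(hour=0, minute=0, second=0, microsecond=0)
    return to_account_expires(target)


def check(value, now, max_days=366):
    """Decode a candidate value and say whether it is a plausible expiry."""
    when = from_account_expires(value)
    if when is None:
        return "never expires"
    if when <= now:
        return "already expired: " + when.date().isoformat()
    if when > now + timedelta(days=max_days):
        return "too far in the future: " + when.date().isoformat()
    return "ok"


if __name__ == "__main__":
    now = datetime(2024, 5, 31, 8, 22, tzinfo=timezone.utc)   # constructed sample time
    good = expires_in(90, now)
    print(good, from_account_expires(good), check(good, now))
    print(check(good // TICKS_PER_MS, now))   # same value with the * 10000 step left out
```

A value that is still in milliseconds decodes to a date in January 1601, so AD would treat the account as already expired at the moment it is enabled.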