07/21/2023 01:02 PM
We have a requirement where based on a string stored in user's custom property 5 we need to provision AD group membership.
For example, if the custom property 5 is A|B|C, the AD groups that need to be provisioned are:
CN=A,DC=domain,DC=com
CN=B,DC=domain,DC=com
CN=C,DC=domain,DC=com
I am able to do the provisioning in a technical rule by setting customproperty10 on the AD group entitlements (e.g. CP10=A for CN=A,DC=domain,DC=com, CP10=B for CN=B,DC=domain,DC=com, and so on) and using the following action in the technical rule.
ObjectType: AD:memberOf
Object: SAVCUSTOMQUERY:: locate(ev.customproperty10,${user.customproperty5}) > 0
Attribute: Assign
However, when user's customproperty 5 value changes from 'A|B|C' to 'A|B', I need to remove the user from CN=C,DC=domain,DC=com. I tried to use SAVCUSTOMQUERY in the action in user update rule for CP5 isUpdated condition. However, it appears that it is not supported in User Update Rule.
Can Saviynt resources confirm if SAVCUSTOMQUERY is supported in User Update Rule?
Does anyone have thoughts about how to accomplish this in a generic way in User Update Rule without having to create a rule for each potential value that is possible in user's CP5?
Thanks
07/22/2023 12:12 AM
Hi @Pratik_Rana ,
The use of binding variables and savcustomquery is not supported in the user update rules when you want to revoke access. They would only work in a technical rule when you need to assign it.
You can always utilize an actionable analytic to fetch records where cp5 and ev's cp10 do not match and deprovision access for such accounts.
Configuring Allowed Actions (saviyntcloud.com)
Thanks,
Armaan
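
The mismatch check suggested in the reply above, as an added example (not part of the thread and not Saviynt code): it computes which tagged groups to revoke when CP5 changes, and shows what a substring test such as locate(cp10, cp5) > 0 would over-grant compared with exact token matching. Function names and sample data are constructed, and locate is assumed to behave like MySQL's LOCATE substring search.

```python
# Added example: names and data below are constructed, not Saviynt objects.

def tokens(cp5):
    """Split the pipe-delimited CP5 value into exact, non-empty tokens."""
    return {t.strip() for t in (cp5 or "").split("|") if t.strip()}

def substring_grants(cp5, group_tags):
    """Groups selected by a LOCATE-style test (tag found anywhere in CP5)."""
    return {dn for dn, tag in group_tags.items() if tag and tag in (cp5 or "")}

def exact_grants(cp5, group_tags):
    """Groups whose tag equals one whole CP5 token."""
    wanted = tokens(cp5)
    return {dn for dn, tag in group_tags.items() if tag in wanted}

def reconcile(cp5, group_tags, current_groups):
    """Return (to_assign, to_revoke) for the tagged groups only.

    Memberships in groups without a tag are outside the rule's scope
    and are never proposed for removal.
    """
    desired = exact_grants(cp5, group_tags)
    held = set(current_groups) & set(group_tags)
    return sorted(desired - held), sorted(held - desired)

def overmatched(cp5, group_tags):
    """Groups a substring test would grant but an exact-token test would not."""
    return sorted(substring_grants(cp5, group_tags) - exact_grants(cp5, group_tags))

# Constructed sample: DN -> CP10 tag
GROUP_TAGS = {
    "CN=A,DC=domain,DC=com": "A",
    "CN=B,DC=domain,DC=com": "B",
    "CN=C,DC=domain,DC=com": "C",
    "CN=AB,DC=domain,DC=com": "AB",
}

if __name__ == "__main__":
    held = ["CN=A,DC=domain,DC=com", "CN=B,DC=domain,DC=com",
            "CN=C,DC=domain,DC=com", "CN=Unmanaged,DC=domain,DC=com"]
    print(reconcile("A|B", GROUP_TAGS, held))   # CP5 changed from A|B|C to A|B
    print(overmatched("AB|C", GROUP_TAGS))      # substring test over-grants
```

An empty CP5 yields a revoke list containing every tagged group the account holds, so a blanked attribute should be reviewed before the deprovisioning action runs.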