Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User Update Rule - support for SAVCUSTOMQUERY

Pratik_Rana
New Contributor
New Contributor

‎07/21/2023 01:02 PM

We have a requirement where based on a string stored in user's custom property 5 we need to provision AD group membership. 

For example, if the custom property 5 is A|B|C, the AD groups that need to provisioned are

CN=A,DC=domain,DC=com

CN=B,DC=domain,DC=com

CN=C,DC=domain,DC=com

I am able to do the provisioning in technical rule by setting the customproperty10 on the AD group entitlements (eg. CP10=A for CN=A,DC=domain,DC=com, CP10=B for CN=B,DC=domain,DC=com so on) and using the following action in technical rule.

ObjectType: AD:memberOf

Object: SAVCUSTOMQUERY:: locate(ev.customproperty10,${user.customproperty5}) > 0

Attribute:Assign

However, when user's customproperty 5 value changes from 'A|B|C' to 'A|B', I need to remove the user from CN=C,DC=domain,DC=com. I tried to use SAVCUSTOMQUERY in the action in user update rule for CP5 isUpdated condition. However, it appears that it is not supported in User Update Rule. 

Can Saviynt resources confirm if SAVCUSTOMQUERY is supported in User Update Rule?

Anyone have thoughts about how to accomplish this in a generic way in User Update Rule without having to create a rule for each potential value that is possible in user's CP5?  

Thanks

 

Labels:
0 Kudos
1 REPLY 1

armaanzahir
Valued Contributor
Valued Contributor

‎07/22/2023 12:12 AM

Hi @Pratik_Rana ,

 

The use of binding variables and savcustomquery is not supported in the user udpate rules when you want to revoke access. They would only work in a technical rule when you need to assign it. 

 

You can always utilize an actionable analytic to fetch records where cp5 and ev's cp10 do not match and de provision access for such accounts.

armaanzahir_0-1690009862727.png

Configuring Allowed Actions (saviyntcloud.com)

 

Thanks,

Armaan

 

 

Regards,
Md Armaan Zahir
0 Kudos
Copyright © 2024 Khoros, LLC