Saviynt Forums

Roua · ‎09/10/2024

Hello everyone,

We need to ensure that once an identity is created, the username cannot be changed via UI or updates. To enforce this, I found that we could configure it in the Global Config as follows:

and i have the following in my modify user json:

"UPDATE NEWUSERDATA NU SET NU.username = CONCAT(NU.country, NU.username) WHERE NU.username NOT LIKE CONCAT(NU.country, '%')"

I tested this, but the username was still changeable and not read-only. do you have an idea how this could be achieved ?

Additionally, we have CP3 that holds the value of username:

"UPDATE NEWUSERDATA NU SET NU.customproperty3 = NU.username"

CP3 is mapped to attributes in AD : CN, Name, userPrincipalName, samAccountName, and they wants these attributes to be changeable via the UI. When CP3 changes, CN, Name, userPrincipalName, samAccountName should also update in AD:
UPDATE/ CREATE ACCOUNTJSON:

 "cn": "${user?.customproperty3}",
  "name": "${user?.customproperty3}",
"sAMAccountName": "${user?.customproperty3}",
  "userPrincipalName": "${user?.customproperty3 != null ? user?.customproperty3 + '@myuser.services' : ''}",

CHECKFORUNIQUE:

{
"cn": "${user.customproperty3}###${account}",
"samaccountname" : "${account}###${user.customproperty3}",
"userPrincipalName":"${account}@saviynt.com###${user.customproperty3}@saviynt.com"
}

so I created an Update User Rule to trigger an Account Update Task:

If Users.Account Name (Custom Property 3) is updated
Then
(Create Update Account Task [Endpoint: cda, Connection: AD test2 ])

However, after running the provisioning job, I encountered the following errors:

Error Code 21: AD is rejecting the values due to formatting or data type issues. However, there were no changes to the formatting when tested with user AT000xxxY (username changed from AT000xxxY to AT000xxxZ).

Error Code 53: AD refuses the operation for account AT000xxxY:

Modifying protected attributes (e.g., sAMAccountName, userPrincipalName, dn, cn).
Invalid DN changes when trying to move the user between OUs, possibly restricted by AD policies.

They confirmed that updating sAMAccountName and userPrincipalName is allowed and possible. I also found this link:
https://forums.saviynt.com/t5/identity-governance/activedirectoryconnector-rename-of-naming-account-...
which states that UPN, sAMAccountName, and CN should be updatable via the connector, with DN following the CN update.

Any advice on how to resolve this issue would be greatly appreciated.
Thank you!

Raghu · ‎09/10/2024

@Roua you can give as not editable field in global dynamic attribute . then it wont be change

Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

Roua · ‎09/10/2024

Hello @Raghu ,
That's what i did but it didn't work, please correct me if i am wrong:

i have only request type: user
attribute Type: String

should i also specify a logic here similar to what i have in modify user json ?

rushikeshvartak · ‎09/10/2024

Untick Required and validate

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua · ‎09/10/2024

i did so and i could update it sadly:

Raghu · ‎09/10/2024

@Roua please uncheck box editable on create

Thanks,
Raghu
If this reply answered your question, Please Accept As Solution and hit Kudos.

Roua · ‎09/10/2024

@Raghu i did uncheck editable on create + required and didn't work i could still change the username

rushikeshvartak · ‎09/10/2024

Share logs

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua · ‎09/10/2024

@rushikeshvartak
here are the logs
Thank you

rushikeshvartak · ‎09/10/2024

Did you used firstname as dependent attribute in any other da ?

"2024-09-10T12:44:20.250+00:00,""ecm"","""",""null-qxsl4"","""",""java.lang.NullPointerException: Cannot get property 'firstname' on null object at com.saviynt.ecm.services.SaviyntCommonUtilityService.getUserDisplayName(SaviyntCommonUtilityService.groovy:7082) at gsp_ECM_usersshow_gsp$_run_closure2_closure5.doCall(gsp_ECM_usersshow_gsp.groovy:780) at

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua · ‎09/10/2024

@rushikeshvartak
what i have is "firstname": "d:Vorna~#~char"
and
"UPDATE NEWUSERDATA NU SET NU.displayname = CONCAT(UPPER(NU.lastname), ' ', NU.firstname, ' (', NU.departmentname, IF(NU.employeeType = 'E', ' (EXT)', ''), ')') WHERE NU.departmentname IS NOT NULL",

NM · ‎09/10/2024

Hi @Roua 2 points .. if they are been imported via why to use saviynt UI

2) in ideally scenario username should be calculated and shouldn't be editable so other information can be filled.

If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'

Roua · ‎09/10/2024

Hello @NM,
They requested that CP3 will be editable via UI and then this change in CP3 will be also applied to the rest of attribute in AD as i mentioned, The purpose of the user.CP3 field is to allow setting a different account name when creating new accounts. At the time of a new user creation, CP3 is always set to the same value as username. However, it is intentional that this value is not written back to the users.username field. When CP3 is changed via the UI, it should be properly propagated to the target systems...

2) username is calculated but they want it to be read only and not editable via UI. i tested it and i could change the username which i want to know how to make it read only

adarshk · ‎09/10/2024

Hi @Roua

As a workaround, you can control this at workflow as well by auto rejecting the updates on username.

Else, you can explore the options to control this by modifying respective gsp

rushikeshvartak · ‎09/10/2024

How to compare 2 user name please share condition

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua · ‎09/10/2024

i actually thought about a workaround to compare the change in sav4sav and return the old value but i am not sure.

could you please share how to do the workaround in the workflow ? Thank you!

indra_hema_95 · ‎09/10/2024

Hi @Roua ,

Just to be clear. How you are trying to modify the user? Through "Update User Request" tab or directly from identity repository --> Users ?

Regards,

Indra

Roua · ‎09/10/2024

hi @indra_hema_95 ,
You mean regarding username or CP3 ?
both are changed through " identity repository --> Users"

indra_hema_95 · ‎09/10/2024

Hi @Roua understood. So basically in the global config how you were trying check or uncheck "editable on create" that won't work on through " identity repository --> Users" basically, that is effective if you go through "user management" --> "Update User Request".

One way you can try if you don't want some users not to edit username attribute don't give them user edit access in identity repository, and give access to update user request tab through customized sav roles.

Regards,

Indra

Roua · ‎09/10/2024

Thank you so much @indra_hema_95 ,
so preventing the username from being edited is not an option in saviynt and i can only do that?
do you know if it is manageable in sav4sav or somehow to compare for example the original value vs the updated one and if it is different it will put the old one back? would that be a way?

indra_hema_95 · ‎09/10/2024

Hi @Roua I assume you are having Role_Admin sav role that is why you are able to see and edit user attributes, now you can restrict that by customizing the sav roles, for example you can create a customized sav role where you will not grand permission to edit user attributes and you add users to that sav roles so that they won't having access to edit that user attributes.

Now coming to the sav4sav could be one option or not, I assume if someone modifies any user attribute if that can be compared to the old one or not I am not quite sure, because user update history table is blobbed and I haven't seen that use case yet actually. So other expert might give you the answer.

Regards,

Indra

Roua · ‎09/10/2024

Thank you so much for your answer!
Do you have an idea regarding the other issue with CP3 ? thank you a lot!!!

rushikeshvartak · ‎09/10/2024

If you keep sav role read only field on then you can't update attributes this is applicable for all attributes
problem was you were confused in problem statement and issue mentioned in bit and pieces which is causing long thread

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Roua · ‎09/10/2024

ok so basically the sav role will make all attributes readonly?

i meantioned them because they are related to each other 🙂

rushikeshvartak · ‎09/10/2024

Yes it will make read only all

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

indra_hema_95 · ‎09/10/2024

Hi @Roua let me check that cp3 once. Will let you know.

Regards,

Indra

Roua · ‎09/11/2024

Thank you for your time @indra_hema_95
any updates? 🙂

rushikeshvartak · ‎09/11/2024

Once you make Sav role read only all fields becomes read only

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Saviynt Forums

Username should be readonly