
Username should be readonly

Roua
Regular Contributor

Hello everyone,

We need to ensure that once an identity is created, the username cannot be changed via UI or updates. To enforce this, I found that we could configure it in the Global Config as follows:

[screenshot of the Global Config attribute settings]

and I have the following in my modify user JSON:

"UPDATE NEWUSERDATA NU SET NU.username = CONCAT(NU.country, NU.username) WHERE NU.username NOT LIKE CONCAT(NU.country, '%')"

I tested this, but the username was still changeable and not read-only. Do you have an idea how this could be achieved?

Additionally, we have CP3 that holds the value of username:

"UPDATE NEWUSERDATA NU SET NU.customproperty3 = NU.username"

CP3 is mapped to attributes in AD: CN, Name, userPrincipalName, sAMAccountName, and they want these attributes to be changeable via the UI. When CP3 changes, CN, Name, userPrincipalName and sAMAccountName should also update in AD:
UPDATE/CREATE ACCOUNTJSON:

"cn": "${user?.customproperty3}",
"name": "${user?.customproperty3}",
"sAMAccountName": "${user?.customproperty3}",
"userPrincipalName": "${user?.customproperty3 != null ? user?.customproperty3 + '@myuser.services' : ''}",

CHECKFORUNIQUE:

{
"cn": "${user.customproperty3}###${account}",
"samaccountname" : "${account}###${user.customproperty3}",
"userPrincipalName":"${account}@saviynt.com###${user.customproperty3}@saviynt.com"
}

so I created an Update User Rule to trigger an Account Update Task:

If Users.Account Name (Custom Property 3) is updated
Then
(Create Update Account Task [Endpoint: cda, Connection: AD test2])

However, after running the provisioning job, I encountered the following errors:

Error Code 21: AD is rejecting the values due to formatting or data type issues. However, there were no changes to the formatting when tested with user AT000xxxY (username changed from AT000xxxY to AT000xxxZ).

Error Code 53: AD refuses the operation for account AT000xxxY:

  • Modifying protected attributes (e.g., sAMAccountName, userPrincipalName, dn, cn).
  • Invalid DN changes when trying to move the user between OUs, possibly restricted by AD policies.

They confirmed that updating sAMAccountName and userPrincipalName is allowed and possible. I also found this link:
https://forums.saviynt.com/t5/identity-governance/activedirectoryconnector-rename-of-naming-account-...
which states that UPN, sAMAccountName, and CN should be updatable via the connector, with DN following the CN update.

Any advice on how to resolve this issue would be greatly appreciated.
Thank you!
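A worked example added here by the editor, not code from the thread or from Saviynt's AD connector: a small Python planner that checks a proposed account name against the sAMAccountName and UPN rules and lists the LDAP operations a rename needs at the directory level. The points it encodes are directory facts, independent of how the connector sequences its calls: LDAP result code 21 is invalidAttributeSyntax and 53 is unwillingToPerform (RFC 4511); an AD user's cn is its RDN, so it is changed with a modifyDN (rename) rather than an attribute modify, and name is derived from the RDN and is not writable; sAMAccountName is limited to 20 characters and the characters " / \ [ ] : ; | = , + * ? < > are not allowed. The function names, the sample user, DN and UPN suffix are constructed for illustration.

```python
"""Plan and sanity-check an AD account rename at the LDAP level.

Added example: not from the thread and not Saviynt connector code. Function
names, the sample user, DN and UPN suffix are made up for illustration.
"""
import re

# Characters Microsoft documents as not allowed in sAMAccountName.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20  # limit for user objects

# Attributes AD derives from the RDN / object position: a plain modify on
# them does not rename the object, it is rejected.
RDN_DERIVED = {"name", "distinguishedName", "dn"}

# RFC 4511 result codes that show up in task logs for this kind of change.
LDAP_RESULT_CODES = {
    0: "success",
    19: "constraintViolation",
    21: "invalidAttributeSyntax",
    53: "unwillingToPerform",
    68: "entryAlreadyExists",
}


def describe_result(code):
    """Map a numeric LDAP result code from a task log to its RFC 4511 name."""
    return LDAP_RESULT_CODES.get(code, "unknown(%d)" % code)


def validate_sam_account_name(value):
    """Return the list of reasons `value` is not a valid user sAMAccountName."""
    if not value:
        return ["empty"]
    problems = []
    if len(value) > SAM_MAX_LEN:
        problems.append("longer than %d characters" % SAM_MAX_LEN)
    bad = sorted(set(value) & SAM_ILLEGAL)
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    if value.endswith("."):
        problems.append("ends with a period")
    if any(ord(c) < 32 for c in value):
        problems.append("contains control characters")
    return problems


UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_upn(value, allowed_suffixes):
    """Check shape and that the suffix is one the forest actually registers."""
    if not UPN_RE.match(value):
        return ["not of the form user@domain"]
    suffix = value.rsplit("@", 1)[1].lower()
    if suffix not in {s.lower() for s in allowed_suffixes}:
        return ["suffix %s is not a registered UPN suffix" % suffix]
    return []


def rdn_escape(value):
    """Escape an attribute value for use inside an RDN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out and out[0] in "# ":
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def plan_account_rename(current_dn, current, desired, upn_suffixes):
    """Return (ops, errors): the ordered LDAP operations that take the account
    from `current` to `desired`, or the reasons the change would be refused.

    Each op is ("modify", dn, {attr: [values]}) or ("modify_dn", dn, new_rdn).
    cn is the RDN of an AD user, so a new cn becomes a modifyDN (rename);
    writing it as an attribute modify is what AD answers with 53.
    """
    errors = []
    for attr in sorted(RDN_DERIVED & set(desired)):
        errors.append("%s: not writable with modify (derived from the RDN); "
                      "rename with modifyDN instead" % attr)
    new_sam = desired.get("sAMAccountName")
    if new_sam is not None and new_sam != current.get("sAMAccountName"):
        errors += ["sAMAccountName: " + p for p in validate_sam_account_name(new_sam)]
    new_upn = desired.get("userPrincipalName")
    if new_upn is not None and new_upn != current.get("userPrincipalName"):
        errors += ["userPrincipalName: " + p for p in validate_upn(new_upn, upn_suffixes)]
    if errors:
        return [], errors

    ops = []
    replaces = {}
    for attr in ("sAMAccountName", "userPrincipalName", "displayName"):
        if attr in desired and desired[attr] != current.get(attr):
            replaces[attr] = [desired[attr]]
    if replaces:
        # Plain attribute writes first, while the DN we hold is still valid.
        ops.append(("modify", current_dn, replaces))
    new_cn = desired.get("cn")
    if new_cn is not None and new_cn != current.get("cn"):
        # Rename last: after this the object's DN changes.
        ops.append(("modify_dn", current_dn, "CN=" + rdn_escape(new_cn)))
    return ops, errors


if __name__ == "__main__":
    # Constructed sample: an account name change for a hypothetical user.
    dn = "CN=John Doe,OU=Users,DC=corp,DC=example"
    current = {"cn": "John Doe", "sAMAccountName": "jdoe",
               "userPrincipalName": "jdoe@corp.example"}
    desired = {"cn": "John Doe-Smith", "sAMAccountName": "jdoesmith",
               "userPrincipalName": "jdoesmith@corp.example"}
    ops, errors = plan_account_rename(dn, current, desired, ["corp.example"])
    for op in ops:
        print(op)
    print(errors, describe_result(21), describe_result(53))
```

With ldap3 (an assumption about tooling, not something the thread uses) a "modify" op maps to `conn.modify(dn, {attr: [(MODIFY_REPLACE, values)]})` and a "modify_dn" op to `conn.modify_dn(dn, new_rdn)`. The planner deliberately does not move objects between OUs (that would be a modifyDN with a new superior), which is the other cause of 53 the task error text mentions, and it refuses a write to name rather than silently dropping it, so a mapping like the one in the account JSON above fails loudly before the provisioning job runs.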

27 replies

Raghu
All-Star

@Roua you can mark it as a not-editable field in the global dynamic attribute; then it won't be changed.


Thanks,
Raghu

Roua
Regular Contributor

Hello @Raghu ,
That's what I did, but it didn't work. Please correct me if I am wrong:

[screenshot]

I have only Request Type: User
Attribute Type: String

[screenshot]


Should I also specify a logic here similar to what I have in the modify user JSON?

[screenshot]


  • Untick Required and validate

Regards,
Rushikesh Vartak

Roua
Regular Contributor

I did so, and sadly I could still update it:

[screenshot]


@Roua please uncheck the box Editable on Create.


Thanks,
Raghu

Roua
Regular Contributor

@Raghu I did uncheck Editable on Create and Required, and it didn't work; I could still change the username.

Share logs.


Regards,
Rushikesh Vartak

Roua
Regular Contributor

@rushikeshvartak
Here are the logs.
Thank you.

Did you use firstname as a dependent attribute in any other DA?

2024-09-10T12:44:20.250+00:00,"ecm","","null-qxsl4","","java.lang.NullPointerException: Cannot get property 'firstname' on null object at com.saviynt.ecm.services.SaviyntCommonUtilityService.getUserDisplayName(SaviyntCommonUtilityService.groovy:7082) at gsp_ECM_usersshow_gsp$_run_closure2_closure5.doCall(gsp_ECM_usersshow_gsp.groovy:780) at


Regards,
Rushikesh Vartak

Roua
Regular Contributor

@rushikeshvartak
What I have is "firstname": "d:Vorna~#~char"
and
"UPDATE NEWUSERDATA NU SET NU.displayname = CONCAT(UPPER(NU.lastname), ' ', NU.firstname, ' (', NU.departmentname, IF(NU.employeeType = 'E', ' (EXT)', ''), ')') WHERE NU.departmentname IS NOT NULL",

NM
Honored Contributor II

Hi @Roua, two points:

1) If they are being imported, why use the Saviynt UI?

2) Ideally, the username should be calculated and shouldn't be editable, so other information can be filled in.

Roua
Regular Contributor

Hello @NM,
They requested that CP3 be editable via the UI and that a change in CP3 then also be applied to the rest of the attributes in AD, as I mentioned. The purpose of the user.CP3 field is to allow setting a different account name when creating new accounts. At the time of a new user creation, CP3 is always set to the same value as username. However, it is intentional that this value is not written back to the users.username field. When CP3 is changed via the UI, it should be properly propagated to the target systems...

2) The username is calculated, but they want it to be read-only and not editable via the UI. I tested it and I could change the username, which is why I want to know how to make it read-only.

adarshk
Saviynt Employee

Hi @Roua 

As a workaround, you can control this at the workflow level as well, by auto-rejecting updates on username.

Else, you can explore the options to control this by modifying the respective GSP.

How to compare the two usernames? Please share the condition.


Regards,
Rushikesh Vartak

Roua
Regular Contributor

I actually thought about a workaround: compare the change in sav4sav and return the old value, but I am not sure.

Could you please share how to do the workaround in the workflow? Thank you!

indra_hema_95
Regular Contributor III

Hi @Roua ,

Just to be clear: how are you trying to modify the user? Through the "Update User Request" tab, or directly from Identity Repository --> Users?

Regards,

Indra

Roua
Regular Contributor

Hi @indra_hema_95,
You mean regarding username or CP3?
Both are changed through "Identity Repository --> Users".

indra_hema_95
Regular Contributor III

Hi @Roua, understood. So basically, checking or unchecking "Editable on Create" in the Global Config, as you were trying, won't work through "Identity Repository --> Users"; that is effective if you go through "User Management" --> "Update User Request".

One way you can try, if you don't want some users to edit the username attribute: don't give them user edit access in the Identity Repository, and give access to the Update User Request tab through customized SAV roles.

Regards,

Indra

Roua
Regular Contributor

Thank you so much, @indra_hema_95.
So preventing the username from being edited is not an option in Saviynt, and I can only do that?
Do you know if it is manageable in sav4sav, or somehow to compare, for example, the original value vs. the updated one, and if they differ, put the old one back? Would that be a way?

indra_hema_95
Regular Contributor III

Hi @Roua, I assume you have the Role_Admin SAV role, which is why you are able to see and edit user attributes. You can restrict that by customizing the SAV roles: for example, you can create a customized SAV role that does not grant permission to edit user attributes, and add users to that SAV role so that they won't have access to edit those user attributes.

Now coming to sav4sav: it could be an option or not. Whether a modified user attribute can be compared to the old one, I am not quite sure, because the user update history table is blobbed and I haven't seen that use case yet, actually. Another expert might give you the answer.

Regards,

Indra

Roua
Regular Contributor

Thank you so much for your answer!
Do you have an idea regarding the other issue with CP3? Thank you a lot!!!

  • If you keep the SAV role read-only field on, then you can't update attributes; this is applicable to all attributes.
  • The problem was that the problem statement was unclear and the issue was mentioned in bits and pieces, which is causing a long thread.

Regards,
Rushikesh Vartak

Roua
Regular Contributor

OK, so basically the SAV role will make all attributes read-only?

I mentioned them because they are related to each other 🙂

Yes, it will make all of them read-only.


Regards,
Rushikesh Vartak

indra_hema_95
Regular Contributor III

Hi @Roua, let me check that CP3 once. I will let you know.

Regards,

Indra


Roua
Regular Contributor

Thank you for your time, @indra_hema_95.
Any updates? 🙂

Once you make the SAV role read-only, all fields become read-only.


Regards,
Rushikesh Vartak