Saviynt and Avature Integration Runbook - v0.2

The document provides steps to integrate the Saviynt identity management platform with the Avature HR system used by Bain & Co. It includes setting up a REST API connection in Saviynt to import user data from Avature, creating roles and policies, updating datasets, and scheduling jobs.

Identity & Access Management

Saviynt – Integrations & Enhancements

Document Owner: IAM – BAIN & Co Team

Document Version: 1.0

The content of this document is intended for IBM internal use only. None of this information shall
be divulged to persons other than IBM employees, or individuals or organizations authorized by
IBM in accordance with existing policy regarding release of company information.

________________________________________________________________________
Table of Contents

Document Control
Purpose of this Document
Who Should Use the Document?
Saviynt and Avature Integration Runbook
1. Avature Connection
1.1 Schedule Job
2. Create Enterprise Roles
2.1 Activate AD entitlements
3. Create and Update Policies
3.1 Technical Rules
3.2 User Update Rule
4. Email Templates
5. Update Dataset
6. Full Import
7. Connection Updates
7.1 Active Directory Connection Updates
7.2 Win-PS Connection Updates
7.3 Exchange scripts Modification
7.4 Update Account Correlation rule
8. Miscellaneous
8.1 Scheduling Jobs
8.2 Analytics for Delete accounts

Document Control
Summary of Changes
DOCUMENT HISTORY

Revision Date:
Revision Number: 1.0
Editors: IAM Team
Review and Approved By:
Nature of Change: Original Document

Purpose of this Document


This runbook describes how to integrate the Bain & Co production Saviynt environment with the
Bain & Co production Avature environment. The purpose of the integration is to manage user
life-cycle operations for BAN (Bain Advisor Network) users through Saviynt.

Who Should Use the Document?


This document should be used by:

- IBM Identity & Access Management Specialist Saviynt – BAIN.

Saviynt and Avature Integration Runbook

The following steps must be carried out for a successful integration.

1. Avature Connection

Create a REST API connection using the REST connector in Saviynt. This connection is used to
connect to the Avature API and import users for the incremental feed.

Connection Details:

Connection Name: BAN_Users_incremental_feed
Description: To process BAN users incremental feed
Connection Type: Rest
Status: Enable
Connection Json:

  {
    "authentications": {
      "acctAuth": {
        "authType": "Basic",
        "url": "https://entitylistfeedsaviyntexport-bainnetworks.integrations.avature.net/jobFeedRequest",
        "httpMethod": "GET",
        "httpHeaders": {},
        "httpContentType": "application/json",
        "properties": {
          "userName": "bainnetworks",
          "password": "**********"
        },
        "expiryError": "ExpiredAuthenticationToken",
        "authError": [
          "InvalidAuthenticationToken",
          "Authentication Error"
        ],
        "timeOutError": "Read timed out",
        "errorPath": "error.code",
        "maxRefreshTryCount": 5,
        "tokenResponsePath": "",
        "tokenType": "Basic",
        "accessToken": "Basic ****************",
        "apiRateLimitConfig": {"retryAfterCalls": 100, "retryWaitSeconds": 60}
      }
    }
  }

Note: The access token is the API username:password pair, Base64-encoded (with padding) and prefixed with "Basic ".

Import User Json:

  {
    "connection": "acctAuth",
    "url": "https://entitylistfeedsaviyntexport-bainnetworks.integrations.avature.net/jobFeedRequest",
    "httpMethod": "GET",
    "httpHeaders": {
      "contentType": "application/json",
      "Authorization": "Basic *****************"
    },
    "colsToPropsMap": {
      "USERNAME": "id~#~char",
      "SYSTEMUSERNAME": "id~#~char",
      "JOBCODEDESC": "Person Type~#~char",
      "DISPLAYNAME": "Full name~#~char",
      "STARTDATE": "Contract Start Date~#~date",
      "ENDDATE": "Contract End Date~#~date",
      "MANAGER": "Manager Employee ID~#~char",
      "EMPLOYEECLASS": "Tier~#~char",
      "LOCATIONDESC": "Office~#~char",
      "FIRSTNAME": "First Name~#~char",
      "LASTNAME": "LastName~#~char",
      "CUSTOMPROPERTY5": "Primary Email Address",
      "CUSTOMPROPERTY17": "Regional BAN Coordinator Email Address"
    },
    "errorCode": "401",
    "errorCodePath": "errorCode",
    "userResponsePath": ""
  }

Note: The Authorization header must carry the same Base64-encoded (padded) username:password value, prefixed with "Basic ".

Modify User Json:

  {
    "ADDITIONALTABLES": {
      "USERS": "SELECT USERKEY, username,SYSTEMUSERNAME,EMPLOYEETYPE,orgunitid,Customer,statuskey,location,CUSTOMPROPERTY13,CUSTOMPROPERTY49,startdate,enddate FROM USERS",
      "TATTR": "SELECT attribute1,datasetname,attribute3,attribute2,attribute4 FROM DATASET_VALUES",
      "CUSTOMER": "SELECT customerkey,customername FROM CUSTOMER"
    },
    "COMPUTEDCOLUMNS": [
      "CUSTOMPROPERTY49",
      "statuskey",
      "EMPLOYEEID",
      "SYSTEMUSERNAME",
      "CUSTOMPROPERTY13",
      "CUSTOMPROPERTY49",
      "username",
      "customer",
      "location",
      "EMPLOYEETYPE",
      "CUSTOMPROPERTY16"
    ],
    "PREPROCESSQUERIES": [
      "UPDATE NEWUSERDATA SET EMPLOYEEID =CONCAT('BAN-',username)",
      "UPDATE NEWUSERDATA SET username =CONCAT('BAN-',username)",
      "UPDATE NEWUSERDATA SET SYSTEMUSERNAME =CONCAT('BAN-',SYSTEMUSERNAME)",
      "UPDATE NEWUSERDATA SET EMPLOYEETYPE='Contingent Worker'",
      "UPDATE NEWUSERDATA SET customer = (select currentcustomer.customername from currentcustomer where currentcustomer.customername = 'Bain Advisory Network')",
      "UPDATE NEWUSERDATA SET statuskey= CASE when ((ADDDATE(date(enddate), INTERVAL 5 DAY) < curdate() and (NEWUSERDATA.JOBCODEDESC like '%BAN Previously Contracted%')) OR (NEWUSERDATA.JOBCODEDESC like '%Inactive BAN Advisor%')) then '0' when (date(enddate) >= curdate() OR (NEWUSERDATA.JOBCODEDESC like 'BAN Advisor')) then '1' END",
      "UPDATE NEWUSERDATA SET location = (select attribute1 from CURRENTTATTR where datasetname = 'Active_Directory_OUs' and attribute2 = NEWUSERDATA.LOCATIONDESC)",
      "UPDATE NEWUSERDATA SET CUSTOMPROPERTY49=(select attribute3 from CURRENTTATTR where datasetname = 'Active_Directory_OUs' and attribute2 = NEWUSERDATA.LOCATIONDESC)",
      "UPDATE NEWUSERDATA SET CUSTOMPROPERTY13 = CASE when (date(enddate) is not NULL) then ADDDATE(date(enddate),INTERVAL 5 DAY) when (date(enddate) is NULL) then '' END",
      "UPDATE NEWUSERDATA SET CUSTOMPROPERTY16=(select attribute4 from CURRENTTATTR where datasetname = 'Active_Directory_OUs' and attribute2 = NEWUSERDATA.LOCATIONDESC)"
    ]
  }
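As an added example (not code from the runbook, Saviynt or Avature), the following Python models what the connection above does with the feed so it can be checked offline: it builds the Basic token that the Connection JSON carries and decodes it back, applies colsToPropsMap to a feed record, and replays the PREPROCESSQUERIES that do not depend on the dataset lookup tables, including the statuskey CASE branch for branch. The feed records, the fixed "today" standing in for curdate(), and the ISO date format are constructed assumptions; the function names are the example's own. Note that the CASE expression has no ELSE, so a record that matches neither branch gets a NULL statuskey.

```python
import base64
from datetime import date, timedelta

# colsToPropsMap from the Import User JSON above: Saviynt column -> "feed field~#~type"
COLS_TO_PROPS = {
    "USERNAME": "id~#~char",
    "SYSTEMUSERNAME": "id~#~char",
    "JOBCODEDESC": "Person Type~#~char",
    "DISPLAYNAME": "Full name~#~char",
    "STARTDATE": "Contract Start Date~#~date",
    "ENDDATE": "Contract End Date~#~date",
    "MANAGER": "Manager Employee ID~#~char",
    "EMPLOYEECLASS": "Tier~#~char",
    "LOCATIONDESC": "Office~#~char",
    "FIRSTNAME": "First Name~#~char",
    "LASTNAME": "LastName~#~char",
    "CUSTOMPROPERTY5": "Primary Email Address",
    "CUSTOMPROPERTY17": "Regional BAN Coordinator Email Address",
}

# Constructed sample feed records (not real Avature data); dates assumed ISO yyyy-mm-dd.
SAMPLE_FEED = [
    {"id": "jdoe", "Person Type": "BAN Advisor", "Tier": "Tier 1",
     "Contract End Date": "2024-12-31", "First Name": "Jane", "LastName": "Doe"},
    {"id": "rroe", "Person Type": "BAN Previously Contracted", "Tier": "Tier 2",
     "Contract End Date": "2024-05-01", "First Name": "Rob", "LastName": "Roe"},
    {"id": "ilee", "Person Type": "Inactive BAN Advisor", "Tier": "Tier 3",
     "Contract End Date": "2024-07-01", "First Name": "Ivy", "LastName": "Lee"},
    {"id": "bnew", "Person Type": "BAN Previously Contracted", "Tier": "Tier 1",
     "Contract End Date": "2024-06-03", "First Name": "Ben", "LastName": "New"},
]
TODAY = "2024-06-05"  # fixed stand-in for curdate() so the sample is reproducible


def basic_auth_header(username, password):
    """Build the 'Basic <base64(username:password)>' value the connection JSON carries."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_header(header):
    """Check a stored header by decoding it back to (username, password)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    user, _, pwd = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    return user, pwd


def map_record(feed_record):
    """Apply colsToPropsMap to one feed record: 'field~#~type', no type means char."""
    row = {}
    for column, spec in COLS_TO_PROPS.items():
        field, _, kind = spec.partition("~#~")
        value = feed_record.get(field)
        if (kind or "char") == "date" and value:
            value = date.fromisoformat(value)
        row[column] = value
    return row


def compute_statuskey(enddate, jobcodedesc, today):
    """The statuskey CASE expression from PREPROCESSQUERIES, branch for branch.
    LIKE is case-insensitive in MySQL, so the comparison is done lower-cased.
    The CASE has no ELSE: a record matching neither branch gets NULL (None here)."""
    job = (jobcodedesc or "").lower()
    past_grace = enddate is not None and enddate + timedelta(days=5) < today
    if (past_grace and "ban previously contracted" in job) or "inactive ban advisor" in job:
        return "0"
    if (enddate is not None and enddate >= today) or job == "ban advisor":
        return "1"
    return None


def preprocess(row, today):
    """Replay the PREPROCESSQUERIES that need no dataset lookup (location,
    CUSTOMPROPERTY49 and CUSTOMPROPERTY16 come from Active_Directory_OUs and are skipped)."""
    out = dict(row)
    out["EMPLOYEEID"] = "BAN-" + row["USERNAME"]        # runs before username is prefixed
    out["USERNAME"] = "BAN-" + row["USERNAME"]
    out["SYSTEMUSERNAME"] = "BAN-" + row["SYSTEMUSERNAME"]
    out["EMPLOYEETYPE"] = "Contingent Worker"
    out["CUSTOMER"] = "Bain Advisory Network"           # assumes that customer row exists
    out["STATUSKEY"] = compute_statuskey(row["ENDDATE"], row["JOBCODEDESC"], today)
    enddate = row["ENDDATE"]
    out["CUSTOMPROPERTY13"] = (enddate + timedelta(days=5)).isoformat() if enddate else ""
    return out


def run_sample():
    """Map and preprocess the constructed feed; returns rows keyed by the prefixed username."""
    today = date.fromisoformat(TODAY)
    rows = [preprocess(map_record(rec), today) for rec in SAMPLE_FEED]
    return {r["USERNAME"]: r for r in rows}


if __name__ == "__main__":
    for name, r in run_sample().items():
        print(name, r["JOBCODEDESC"], r["ENDDATE"], "->", r["STATUSKEY"], r["CUSTOMPROPERTY13"])
```

The fourth sample record (end date two days in the past, job code "BAN Previously Contracted") is the case worth watching: it is past its end date but not yet past the five-day grace period, so neither CASE branch matches and statuskey stays NULL until the grace period elapses.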

1.1 Schedule Job

Create a job in the Saviynt job control panel to automate the regular BAN users incremental
feed. Create the job with the fields below updated or selected.

Job Name: BAN_Incremental_feed
Job Type: User Import Via Connection
External Connection: BAN_Users_Incremental_feed
Allow User operation: Create and Update
Job Type: Full Import
Zero day provisioning: Yes
Check Rules: Yes
Schedule: TBD

2. Create Enterprise Roles

To provision birthright access for the different levels of BAN users, the following Enterprise
roles need to be created. The corresponding AD entitlements are then added to these roles.
Note: Before creating the roles below, set the following values in Global Configurations:
Saviynt -> Global Configurations -> Roles -> enable the "Roles Modification Auto Approve" check box
Roles Add workflow -> select AutoApprovalWF

Role Name: BAN_Tier1_BirthRightAccess
Description: Birth right access for tier 1 users (do not delete)
Status: Active
Role Type: Enterprise
Endpoint: Active Directory
Entitlements:
  CN=BAN Users Tier 1,OU=Global Distribution Lists,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Azure Conditional Access Test Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Azure License - BackFill,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=c
  CN=Global Citrix BAN - Default Restrictions,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Azure MFA,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix SOA No Printing,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix BAN - No File Redirection,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Iris-GeneralAccess (Exclusions),OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Conditional Access,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Mobile Bain Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=
  CN=Global NonEmployees Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix Access Gateway Users,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=No BVU Access,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Bain Users,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Bain Zoom Exceptions,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=co

Role Name: BAN_Tier2_BirthRightAccess
Display Name: BAN_Tier2_BirthRightAccess
Description: Birth right access for tier 2 users (do not delete)
Role Type: Enterprise
Status: Active
Endpoint: Active Directory
Entitlements:
  CN=Azure Conditional Access Test Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Azure License - BackFill,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix BAN - Default Restrictions,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Azure MFA,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=BAN Users Tier 2,OU=Global Distribution Lists,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix SOA No Printing,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix BAN - No File Redirection,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Iris-GeneralAccess (Exclusions),OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Conditional Access,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Mobile Bain Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global NonEmployees Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix Access Gateway Users,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=No BVU Access,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Bain Users,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Bain Zoom Exceptions,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com

Role Name: BAN_Tier3_BirthRightAccess
Description: Birth right access for tier 3 users (do not delete)
Display Name: BAN_Tier3_BirthRightAccess
Status: Active
Role Type: Enterprise
Endpoint: Active Directory
Entitlements:
  CN=BAN Users Tier 3,OU=Global Distribution Lists,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Azure Conditional Access Test Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Azure License - BackFill,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix BAN - Default Restrictions,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Azure MFA,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=No Personal Cloud Services,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix SOA No Printing,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix BAN - No File Redirection,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=No Outbound Mail,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com
  CN=Iris-GeneralAccess (Exclusions),OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Conditional Access,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=No Print Access,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com
  CN=Global Mobile Bain Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global NonEmployees Users,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix Access Gateway Users,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Global Citrix VDI - Bain Users,OU=Citrix,OU=Global,DC=BAIN,DC=com
  CN=Bain Zoom Exceptions,OU=Groups,OU=Azure,OU=Resources,OU=Global,DC=BAIN,DC=com
  CN=No BVU Access,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com

2.1 Activate AD entitlements

The AD entitlements added to the Enterprise roles above must be activated so that they can be
granted as part of birthright access. By default, these entitlements are in Inactive state.
Identity Repository -> Entitlements -> Search for the entitlement -> select Active
Note: If any entitlement is not present in Saviynt, run the ImportADGroups job in prod.

3. Create and Update Policies

To enable birthright access and user update operations, Technical Rules and User Update Rules
must be created with the required conditional filters.

3.1 Technical Rules

The technical rules below need to be created or modified to accommodate BAN users.

New Rules to be added

Rule Name: BAN_Tier1_NewHires
Advance Config: a.username like 'BAN-%' and a.employeeclass IN ('Tier 1','Tier A1','Tier B1') and a.statuskey=1
Action:
  Object Type: Enterprise roles -> Attribute: BAN_Tier1_BirthRightAccess -> Assign
  Exchange Accounts -> Assign
  Zoom Accounts -> Assign
Birth Right: True
Detective: False

Rule Name: BAN_Tier2_NewHires
Advance Config: a.username like 'BAN-%' and a.employeeclass IN ('Tier 2','Tier A2','Tier B2') and a.statuskey=1
Action:
  Object Type: Enterprise roles -> Attribute: BAN_Tier2_BirthRightAccess -> Assign
  Exchange Accounts -> Assign
  Zoom Accounts -> Assign
Birth Right: True
Detective: False

Rule Name: BAN_Tier3_NewHires
Advance Config: a.username like 'BAN-%' and a.employeeclass IN ('Tier 3','Tier A3','Tier B3') and a.statuskey=1
Action:
  Object Type: Enterprise roles -> Attribute: BAN_Tier3_BirthRightAccess -> Assign
  Exchange Accounts -> Assign
Birth Right: True
Detective: False
Existing Rules to be modified

Rule Name: Employee New Hire Global
Condition (old): a.statuskey = 1 and a.startdate <= adddate(curdate(), 21) and a.employeeid is not null and a.leaveStatus is null
Condition (new): a.statuskey = 1 and a.startdate <= adddate(curdate(), 21) and a.employeeid is not null and a.leaveStatus is null and a.employeeclass not like 'Tier%'

Rule Name: Employee New Hire Global - Groups
Condition (old): a.statuskey = 1 and a.startdate <= adddate(curdate(), 21) and a.employeeid is not null and a.leaveStatus is null and a.location not in (335,336)
Condition (new): a.statuskey = 1 and a.startdate <= adddate(curdate(), 21) and a.employeeid is not null and a.leaveStatus is null and a.location not in (335,336) and a.employeeclass not like 'Tier%'

Rule Name: Employee New Hire - APAC - Beijing and Shanghai - Groups
Condition (old): a.statuskey = 1 and a.startdate <= adddate(curdate(), 21) and a.employeeid is not null and a.leaveStatus is null and a.location in (335,336)
Condition (new): a.statuskey = 1 and a.startdate <= adddate(curdate(), 21) and a.employeeid is not null and a.leaveStatus is null and a.location in (335,336) and a.employeeclass not like 'Tier%'

3.2 User Update Rule

Create the following new User Update rules in Saviynt:
Saviynt -> Policies -> User Update Rules

Rule Name: BAN_User_Termination_Feed
Description: Rule for triggering termination for BAN users
Trigger Action When: Trigger when user is updated from Import
Advanced query: a.username like 'BAN-%' and (##a.statuskey isupdated##) and a.statuskey=0 and ( a.jobcodedesc like '%Inactive BAN Advisor%' ) OR (a.jobcodedesc like '%BAN Previously Contracted%' and date(a.customproperty13) < curdate())
Action: Disable All accounts -> All
Note: In this query the OR is not grouped with the conditions before it, so the second branch (a.jobcodedesc like '%BAN Previously Contracted%' and date(a.customproperty13) < curdate()) is evaluated on its own, without the username, statuskey-updated and statuskey=0 conditions. If both branches are meant to apply only to terminated BAN users, wrap the two jobcodedesc branches together in one pair of parentheses and test the rule against a non-BAN user before enabling it.

Rule Name: BAN_Rehire_Users
Description: Rule for triggering Rehire for BAN users
Trigger Action When: Trigger when user is updated from Import
Advanced query: a.username like 'BAN-%' and (##a.statuskey isupdated##) and a.statuskey=1 and a.jobcodedesc not like '%Inactive BAN Advisor%'
Action:
  1. Enable user accounts -> All
  2. Re run selected Technical Rules -> BAN_tier1_NewHires, BAN_tier2_NewHires, BAN_tier3_NewHires
  3. Revoke selected Access -> Active Directory -> CN=No Everything Access,OU=LimitedAccess,OU=Global,DC=BAIN,DC=com

Rule Name: BAN_Update_ADAccount
Description: Rule for updating the Manager id and Contract end date values in AD
Trigger Action When: Trigger when user is updated from import
Advance query: a.username like 'BAN-%' and ((##a.enddate isupdated##) or (##a.manager isupdated##)) and a.statuskey=1
Action: Create UpdateAccount task -> Active Directory

Update the following rule to isolate BAN users.

Rule Name: Workday_Email_writeback
Condition: Add another condition to the existing one, as below:
  User -> employeeclass -> Does Not contain -> Tier

4. Email Templates

Export the following email templates from UAT to Prod Saviynt:
Saviynt -> Transport -> Export Package -> Select object as Email template
Onboarding Template Name: Onboarding notification of BAN user to TSG
Off Boarding Template Name: TSG notification for BAN User off-boarding

After the templates have been imported successfully into production, they need to be added to the
Active Directory endpoint:
Saviynt -> Identity repository -> Security system -> Endpoints -> Active Directory
Open the Active Directory endpoint and add the email templates:

Task Type: New account; Email Actions: Task Complete; Template Name: Onboarding notification of BAN user to TSG
Task Type: Disable Account; Email Actions: Task Complete; Template Name: TSG notification for BAN User off-boarding

After modifying the endpoint, run the endpoint sync job from the job control panel.

5. Update Dataset

For BAN users an extra column is needed to hold the TSG email address, so the existing dataset
(Active_Directory_OUs) must be modified.
..\Downloads\BAN Integration\Dataset-TSG.csv

6. Full Import

As part of the initial go-live, it was agreed to import the active BAN users from a CSV file with
the required fields, provided by the BAN team.
..\Downloads\BAN Integration\BAN_fullImportfeed_v1.0.csv
Since some BAN users do not have the same username in Avature and AD, such accounts are adopted
by storing their AD samAccountName in one of the custom property attributes of the Saviynt user
profile. Customproperty28 can be used for storing the samAccountName.

7. Connection Updates

7.1 Active Directory Connection Updates

To isolate the BAN users' requirements, the following JSONs in the Active Directory connection
need to be updated. Each parameter is listed with its old value and its new value.

Create Account Json

Old Value:

  {
    "samaccountname": "${user?.username}",
    "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==4 ? ' (BAN)': ''}",
    "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
    "sn": "${user?.lastname}",
    "objectclass": [ "top", "person", "organizationalPerson", "user" ],
    "name": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} (${user?.username})",
    "company": "Bain & Company, Inc.",
    "employeeid": "${user?.username}",
    "adminDescription": "E3EMS;E3OFFICE;",
    "UNICODEPWD": "${randomPassword}",
    "pwdLastSet": "0",
    "msNPAllowDialin": "${null != user?.customer && user.customer.id==4 ? 'FALSE':'TRUE'}",
    "department": "${null != user?.customer && user.customer.id==4 ? 'Bain Advisory Network': user?.departmentname}",
    "title": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.title}",
    "description": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.comments}",
    "userAccountControl": "544",
    "manager": "${null != managerAccount && null != managerAccount.accountID ? managerAccount.accountID : ''}",
    "l": "${user?.city}",
    "streetAddress": "${user?.street}",
    "st": "${user?.state}",
    "co": "${user?.country}",
    "c": "${user?.customproperty18}",
    "postalCode": "${user?.regioncode}"
  }

New Value:

  {
    "samaccountname": "${user?.username}",
    "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==4 ? ' (BAN)': ''}",
    "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
    "sn": "${user?.lastname}",
    "objectclass": [ "top", "person", "organizationalPerson", "user" ],
    "name": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} (${user?.username})",
    "company": "${null != user?.customer && user?.customer.id==4 ? '': 'Bain & Company, Inc.'}",
    "employeeid": "${user?.username}",
    "adminDescription": "E3EMS;E3OFFICE;",
    "UNICODEPWD": "${randomPassword}",
    "pwdLastSet": "0",
    "msNPAllowDialin": "${null != user?.customer && user.customer.id==4 ? 'FALSE':'TRUE'}",
    "extensionattribute6": "${null != user?.customer && user.customer.id==4 ? user?.employeeclass:''}",
    "department": "${null != user?.customer && user.customer.id==4 ? 'Bain Advisory Network': user?.departmentname}",
    "title": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.title}",
    "description": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.comments}",
    "userAccountControl": "544",
    "manager": "${null != managerAccount && null != managerAccount.accountID ? managerAccount.accountID : ''}",
    "accountExpires": "${if ((null != user?.customer && user.customer.id==4) && (user?.enddate != null || user?.enddate != '')) {10000*(user.enddate.getTime() + 11644473600000 +100799999)}else {0}}",
    "l": "${user?.city}",
    "streetAddress": "${user?.street}",
    "st": "${user?.state}",
    "co": "${user?.country}",
    "c": "${user?.customproperty18}",
    "postalCode": "${user?.regioncode}"
  }

Update Account Json

Old Value:

  {
    "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==2 ? ' (RTN)': ''}",
    "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
    "sn": "${user?.lastname}",
    "department": "${null != user?.customer && user.customer.id==2 ? 'Results Talent Network': user?.departmentname}",
    "title": "${null != user?.customer && user?.customer?.id==2 ? 'Results Talent Network': user?.title}",
    "description": "Saviynt Test – ${null != user?.customer && user?.customer?.id==2 ? 'Results Talent Network': user?.comments}",
    "manager": "${null != managerAccount && null != managerAccount.accountID ? managerAccount.accountID : ''}"
  }

New Value:

  {
    "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==4 ? ' (BAN)': ''}",
    "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
    "sn": "${user?.lastname}",
    "department": "${null != user?.customer && user.customer.id==4 ? 'Bain Advisory Network': user?.departmentname}",
    "title": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.title}",
    "description": "Saviynt Test – ${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': user?.comments}",
    "manager": "${null != managerAccount && null != managerAccount.accountID ? managerAccount.accountID : ''}",
    "accountExpires": "${if ((null != user?.customer && user.customer.id==4) && (user?.enddate != null || user?.enddate != '')) {10000*(user.enddate.getTime() + 11644473600000 +100799999)}else {0}}"
  }

Update User Json

Old Value:

  {
    "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==2 ? ' (RTN)': ''}",
    "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
    "sn": "${user?.lastname}",
    "department": "${null != user?.customer && user.customer.id==2 ? 'Results Talent Network': ''}",
    "title": "${null != user?.customer && user?.customer?.id==2 ? 'Results Talent Network': ''}",
    "description": "Saviynt Test – ${null != user?.customer && user?.customer?.id==2 ? 'Results Talent Network': ''}"
  }

New Value:

  {
    "displayName": "${user?.lastname}, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}${null != user?.customer && user?.customer?.id==4 ? ' (BAN)': ''}",
    "givenName": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}",
    "sn": "${user?.lastname}",
    "department": "${null != user?.customer && user.customer.id==4 ? 'Bain Advisory Network': ''}",
    "title": "${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': ''}",
    "description": "Saviynt Test – ${null != user?.customer && user?.customer?.id==4 ? 'Bain Advisory Network': ''}"
  }

Enable Account Json

Old Value:

  {
    "DISABLEACCOUNTCHECKRULE": [
      "CN=${user.lastname}\\, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} [${user.username}],${null != user?.customer && user?.customer?.id==2 ? 'OU=Contractors,OU=NonEmployees,': ''}OU=Quahog,OU=Americas,DC=BAIN,DC=com"
    ],
    "ENABLEACCOUNTOU": "${null != user?.customer && user?.customer?.id==2 ? 'OU=Contractors,OU=NonEmployees,': ''}${user?.customproperty49}",
    "ATTRIBUTESTOCHECK": {
      "userAccountControl": "514",
      "sn": "${user.lastname}",
      "cn": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}"
    },
    "REMOVEGROUPS": "NO",
    "USEDNFROMACCOUNT": "YES",
    "MOVEDN": "YES",
    "AFTERMOVEACTIONS": {
      "msNPAllowDialin": "TRUE",
      "userAccountControl": "544"
    }
  }

New Value:

  {
    "DISABLEACCOUNTCHECKRULE": [
      "CN=${user.lastname}\\, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} ${null != user?.customer && user?.customer?.id==4 ? '' : [user?.username]},${null != user?.customer && user?.customer?.id==4 ? 'OU=Contractors,OU=NonEmployees,': ''}OU=Alumni,OU=Global,DC=BAIN,DC=com "
    ],
    "ENABLEACCOUNTOU": "${null != user?.customer && user?.customer?.id==4 ? 'OU=Contractors,OU=NonEmployees,': ''}${user?.customproperty49}",
    "ATTRIBUTESTOCHECK": {
      "userAccountControl": "514",
      "sn": "${user.lastname}",
      "cn": "${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname}"
    },
    "REMOVEGROUPS": "NO",
    "USEDNFROMACCOUNT": "YES",
    "MOVEDN": "YES",
    "AFTERMOVEACTIONS": {
      "msNPAllowDialin": "${null != user?.customer && user.customer.id==4 ? 'FALSE':'TRUE'}",
      "userAccountControl": "544",
      "accountExpires": "${if (null != user?.customer && user.customer.id==4) {10000*(user.enddate.getTime() + 11644473600000 +100799999)}else {0}}",
      "extensionattribute6": "${null != user?.customer && user.customer.id==4 ? user?.employeeclass:''}",
      "manager": "${null != managerAccount && null != managerAccount.accountID ? managerAccount.accountID : ''}"
    }
  }

Account Name rule

Old Value:
  CN=${user.lastname}\\, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} [${user.username}],${null != user?.customer && user?.customer?.id==4 ? 'OU=Contractors,OU=NonEmployees,' : ''}${user?.customproperty49}

New Value:
  CN=${user.lastname}\\, ${null != user?.preferedFirstName ? user?.preferedFirstName : user?.firstname} ${null != user?.customer && user?.customer?.id==4 ? '' : [user?.username]},${null != user?.customer && user?.customer?.id==4 ? 'OU=Contractors,OU=NonEmployees,' : ''}${user?.customproperty49}

Disable account json

Old Value:

  {
    "userAccountControl": "514",
    "deleteAllGroups": "No",
    "streetAddress": "",
    "l": "",
    "postalCode": "",
    "co": "",
    "c": "",
    "company": "",
    "st": "",
    "moveUsertoOU": "${null != user?.customer && user?.customer?.id==2 ? 'OU=Contractors,OU=NonEmployees,': ''}OU=Alumni,OU=Global,DC=BAIN,DC=com"
  }

New Value:

  {
    "userAccountControl": "514",
    "deleteAllGroups": "No",
    "adminDescription": "",
    "streetAddress": "",
    "l": "",
    "postalCode": "",
    "co": "",
    "c": "",
    "company": "",
    "st": "",
    "moveUsertoOU": "${null != user?.customer && user?.customer?.id==4?'OU=Contractors,OU=NonEmployees,': ''}OU=Alumni,OU=Global,DC=BAIN,DC=com "
  }
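The accountExpires expression in the Create, Update and Enable Account JSONs writes a Windows FILETIME (100-nanosecond intervals since 1601-01-01): 11644473600000 is the millisecond gap between that epoch and the Unix epoch, and the extra 100799999 ms places the expiry 28 hours minus one millisecond after the end date. The Python below is an added example, not the runbook's or Saviynt's code. It evaluates the expression, decodes a value read back from AD so the expiry actually written can be verified, and flags accounts that expire within a given window. It assumes enddate is stored as midnight UTC of the contract end date and that customer id 4 marks a BAN user, as in the JSONs. Two things to verify against a user with no end date: the guard (user?.enddate != null || user?.enddate != '') in the Create and Update JSONs is true for every value, null included, and the Enable Account version has no end-date guard at all, so both evaluate user.enddate.getTime() on a missing end date.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_MS = 11644473600000     # ms from the FILETIME epoch (1601-01-01) to 1970-01-01
OFFSET_MS = 100799999              # the runbook's offset: 28 h minus 1 ms after the end date
BAN_CUSTOMER_ID = 4                # user.customer.id that marks a BAN user in the JSONs


def account_expires(enddate_iso, customer_id):
    """Evaluate the accountExpires expression from the Create/Update Account JSON:
    10000*(enddate.getTime() + 11644473600000 + 100799999) for a BAN user that has an
    end date, otherwise 0 (which AD treats as 'never expires'). The end date is assumed
    to be stored as midnight UTC of the contract end date (a constructed assumption)."""
    if customer_id != BAN_CUSTOMER_ID or not enddate_iso:
        return 0
    enddate = datetime.fromisoformat(enddate_iso).replace(tzinfo=timezone.utc)
    epoch_ms = (enddate - UNIX_EPOCH) // timedelta(milliseconds=1)   # Java getTime()
    return 10000 * (epoch_ms + EPOCH_DIFF_MS + OFFSET_MS)


def expiry_datetime(filetime):
    """Decode an accountExpires value read back from AD; None means no expiry."""
    if filetime == 0:
        return None
    epoch_ms = filetime // 10000 - EPOCH_DIFF_MS
    return UNIX_EPOCH + timedelta(milliseconds=epoch_ms)


def expiry_iso(filetime):
    """ISO 8601 UTC form of the decoded expiry, for comparing against the feed's end date."""
    expiry = expiry_datetime(filetime)
    return None if expiry is None else expiry.isoformat()


def expires_within(filetime, now_iso, days):
    """Detection-style check: does the account expire between now and now + days?"""
    expiry = expiry_datetime(filetime)
    if expiry is None:
        return False
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return now <= expiry <= now + timedelta(days=days)


if __name__ == "__main__":
    value = account_expires("2024-12-31", BAN_CUSTOMER_ID)   # constructed sample end date
    print("accountExpires:", value)
    print("decodes to:", expiry_iso(value))
    print("non-BAN user:", account_expires("2024-12-31", 2))
    print("expires within 30 days of 2024-12-20:", expires_within(value, "2024-12-20", 30))
```

Reading the value back with expiry_iso is the check to run after the first provisioning of a BAN user: the decoded timestamp should be the contract end date plus the 28-hour offset, and a value of 0 on a user who has an end date means the expression fell through to the else branch.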

7.2 Win-PS Connection Updates

Enable account json

Old Value:
  {"ENABLEACC":["script=E:\\\\\\\\Scripts\\\\\\\\Saviynt\\\\\\\\Production\\\\\\\\UseCase\\\\\\\\Move-FromAlumni.ps1 -samAccountName \\'${user.username}\\' -employeeType \\'${null != user?.customer ? user.customer.customername : 'Bain' }\\' -leaveStatus \\'${user.leaveStatus}\\' "],"SuccessResponses":["Success"]}

New Value:
  {"ENABLEACC":["script=E:\\\\\\\\Scripts\\\\\\\\Saviynt\\\\\\\\ Production \\\\\\\\UseCase\\\\\\\\Move-FromAlumni.ps1 -samAccountName \\'${null != user?.customer && user?.customer?.id==4 ? user.customproperty28 : user.username}\\' -employeeType \\'${null != user?.customer ? user.customer.customername : 'Bain' }\\' -leaveStatus \\'${user.leaveStatus}\\' "],"SuccessResponses":["Success"]}

Disable account json

Old Value:
  {"DISABLEACC":["script=E:\\\\\\\\Scripts\\\\\\\\Saviynt\\\\\\\\Production\\\\\\\\UseCase\\\\\\\\Move-ToAlumni.ps1 -samAccountName \\'${user.username}\\' -employeeType \\'${null != user?.customer ? user.customer.customername : 'Bain' }\\' -leaveStatus \\'${user.leaveStatus}\\' "],"SuccessResponses":["Success"]}

New Value:
  {"DISABLEACC":["script=E:\\\\\\\\Scripts\\\\\\\\Saviynt\\\\\\\\UAT\\\\\\\\UseCase\\\\\\\\Move-ToAlumni.ps1 -samAccountName \\'${null != user?.customer && user?.customer?.id==4 ? user.customproperty28 : user.username}\\' -employeeType \\'${null != user?.customer ? user.customer.customername : 'Bain' }\\' -leaveStatus \\'${user.leaveStatus}\\' "],"SuccessResponses":["Success"]}

Note: The new DISABLEACC value points at the UAT script path (...\Saviynt\UAT\UseCase\Move-ToAlumni.ps1) while the old value and both ENABLEACC values use the Production path, and the new ENABLEACC value has spaces around "Production" in the path. Confirm the intended script paths before applying either new value to the production connection.

7.3 Exchange scripts Modification

Modify the following script to handle the BAN users:
E:\Scripts\Saviynt\Production\UseCase\Add-onpremmailbox.ps1
Below is the modified script

7.4 Update Account Correlation rule

Because some BAN users have a username that differs from their AD samAccountName, the account
correlation rule must be modified so that such accounts can be adopted.
Security system -> Endpoint -> Active Directory
Edit User Account Correlation rule
Add another basic rule as below:
Customproperty28 = name
Repeat the same for the Exchange endpoint.

8. Miscellaneous

8.1 Scheduling Jobs

Separate the Add Access task from the "EnableADAccounts" job. Create a new job for the add
access with Active Directory as the endpoint and add it to the "createAccounts" chain job.

8.2 Analytics for Delete accounts

Export the analytics created for deleting user accounts 45 days after their end date.

Analytics name: Delete user Accounts after 45 days
