Runbook For Automating Temporary Users Birth Rights


Identity & Access Management

Saviynt – Integrations & Enhancements

Document Owner: IAM – BAIN & Co Team

Document Version: 1.0

The content of this document is intended for IBM internal use only. None of this information shall
be divulged to persons other than IBM employees, or individuals or organizations authorized by
IBM in accordance with existing policy regarding release of company information.

Table of Contents

Document Control
Purpose of this Document
Who Should Use the Document?
Runbook for Implementing Temporary-users Birth Rights Provisioning

Document Control

Summary of Changes

DOCUMENT HISTORY

Revision Date | Revision Number | Editors  | Review and Approved By | Nature of Change
              | 1.0             | IAM Team |                        | Original Document

Purpose of this Document


This runbook details the steps involved in automating the birth-rights (day-zero) provisioning for all types of temporary workers on-boarded through Workday.

Who Should Use the Document?


This document should be used by:

- IBM Identity & Access Management Specialist, Saviynt – BAIN.

Runbook for Implementing Temporary-users Birth Rights Provisioning

In scope: Workday contingent workers of the following types.

a) OUT_Outsourced Agency Contractor
b) OUT_Outsourced Vendor Contractor
c) OUT_Outsourced Independent Contractor

Out of scope: any contingent worker type other than those listed above.

Step 1: Modify the following technical rules in the Saviynt Admin UI.

Admin -> Policies -> Technical Rules
1. Rule Name: Temp Workers - Create new User VEND

   Advanced Query:
   (a.statuskey = 1) and (a.startdate <= adddate(curdate(), 14)) and (a.employeeid is not null)
   and (a.leaveStatus is null) and (a.employeeclass not like 'Tier%')
   and (a.customproperty22 = 'BAIN|NONEMP|VENDR')
   and (a.employeeType = 'OUT_Outsourced Vendor Contractor')

2. Rule Name: Temp Workers - Create new User Contractor/Independent

   Advanced Query:
   (a.statuskey = 1) and (a.startdate <= adddate(curdate(), 14)) and (a.employeeid is not null)
   and (a.leaveStatus is null) and (a.employeeclass not like 'Tier%')
   and ((a.customproperty22 = 'BAIN|NONEMP|AGENCY') or (a.customproperty22 = 'BAIN|NONEMP|INDEP'))
   and ((a.employeeType = 'OUT_Outsourced Agency Contractor') or (a.employeeType = 'OUT_Outsourced Independent Contractor'))

   Note that the two customproperty22 conditions form one parenthesised OR group that is ANDed with the status, start-date, employee-id, leave-status and employee-class checks; an unparenthesised OR would let the second branch bypass those checks under SQL's AND-before-OR precedence.

Step 2: Update the "USER_IMPORT_MAPPING" section of the following Workday connections with the mapping below.

- Bain-Workday-NewHire-Nonemployee
- Bain-Workday-NewHire-Global
- Bain-Workday-Full
- Bain-Workday-Update-Global

"CUSTOMPROPERTY25":"Worker_Data.Employment_Data.Worker_Job_Data.Position_Organizations_Data.Position_Organization_Data(Organization_Data->Organization_Name=='Global Regional').Organization_Data.Organization_Reference_ID"

Step 3: Update the "Modify user Json" field of the following Workday connection.

- Bain-Workday-NewHire-Nonemployee

"UPDATE NEWUSERDATA LEFT JOIN CURRENTUSERS ON NEWUSERDATA.USERNAME = CURRENTUSERS.USERNAME
 SET NEWUSERDATA.CUSTOMPROPERTY22 = CASE
   WHEN NEWUSERDATA.TITLE IN ('BEL Participant','BASE Participant','ADvantage Participant') THEN 'BAIN|NONEMP|INTRN'
   WHEN NEWUSERDATA.employeetype = 'OUT_Outsourced Agency Contractor' THEN 'BAIN|NONEMP|AGENCY'
   WHEN NEWUSERDATA.employeetype = 'OUT_Outsourced Vendor Contractor' THEN 'BAIN|NONEMP|VENDR'
   WHEN NEWUSERDATA.employeetype = 'OUT_Outsourced Independent Contractor' THEN 'BAIN|NONEMP|INDEP'
   WHEN CURRENTUSERS.CUSTOMPROPERTY22 IS NOT NULL THEN CURRENTUSERS.CUSTOMPROPERTY22
   ELSE '' END"
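To check the gating of the Step 1 technical rules and the CASE mapping of Step 3 offline, the following Python model, added here and not part of the runbook or of Saviynt, derives CUSTOMPROPERTY22 the way the UPDATE statement does and then evaluates both rules against constructed worker records. Field names follow the page; the worker records, the fixed evaluation date and the function names are assumptions of this example. It also makes the precedence point concrete: with the two CUSTOMPROPERTY22 conditions of rule 2 grouped in parentheses, a worker on leave does not match; with an ungrouped OR (shown via `grouped=False`), SQL's AND-before-OR precedence lets the INDEP branch fire without the status, start-date and leave checks.

```python
from datetime import date, timedelta
from typing import List, Optional

INTERN_TITLES = {"BEL Participant", "BASE Participant", "ADvantage Participant"}
TYPE_TO_CP22 = {
    "OUT_Outsourced Agency Contractor": "BAIN|NONEMP|AGENCY",
    "OUT_Outsourced Vendor Contractor": "BAIN|NONEMP|VENDR",
    "OUT_Outsourced Independent Contractor": "BAIN|NONEMP|INDEP",
}
RULE_VENDOR = "Temp Workers - Create new User VEND"
RULE_CONTRACTOR = "Temp Workers - Create new User Contractor/Independent"


def derive_cp22(new_user: dict, current_user: Optional[dict]) -> str:
    """CASE ... END of Step 3: title first, then employee type, else keep the
    CURRENTUSERS value, else an empty string."""
    if new_user.get("title") in INTERN_TITLES:
        return "BAIN|NONEMP|INTRN"
    cp22 = TYPE_TO_CP22.get(new_user.get("employeetype"))
    if cp22:
        return cp22
    if current_user and current_user.get("customproperty22") is not None:
        return current_user["customproperty22"]
    return ""


def _common_gates(u: dict, today: date) -> bool:
    """Conditions shared by both rules. A NULL employeeclass fails 'not like',
    as it does in SQL."""
    cls = u.get("employeeclass")
    return (
        u.get("statuskey") == 1
        and u.get("startdate") is not None
        and u["startdate"] <= today + timedelta(days=14)
        and u.get("employeeid") is not None
        and u.get("leaveStatus") is None
        and cls is not None and not cls.startswith("Tier")
    )


def rule_vendor(u: dict, today: date) -> bool:
    return (_common_gates(u, today)
            and u.get("customproperty22") == "BAIN|NONEMP|VENDR"
            and u.get("employeeType") == "OUT_Outsourced Vendor Contractor")


def rule_agency_or_independent(u: dict, today: date, grouped: bool = True) -> bool:
    """grouped=True is the intended predicate; grouped=False models an
    unparenthesised OR, where AND binds tighter and the INDEP branch skips the gates."""
    agency = u.get("customproperty22") == "BAIN|NONEMP|AGENCY"
    indep = u.get("customproperty22") == "BAIN|NONEMP|INDEP"
    type_ok = u.get("employeeType") in ("OUT_Outsourced Agency Contractor",
                                        "OUT_Outsourced Independent Contractor")
    if grouped:
        return _common_gates(u, today) and (agency or indep) and type_ok
    return (_common_gates(u, today) and agency) or (indep and type_ok)


def fired_rules(u: dict, today: date) -> List[str]:
    """Names of the technical rules that would create an account for this record."""
    names = []
    if rule_vendor(u, today):
        names.append(RULE_VENDOR)
    if rule_agency_or_independent(u, today):
        names.append(RULE_CONTRACTOR)
    return names


def build_identity(new_user: dict, current_user: Optional[dict], **fields) -> dict:
    """Assemble the identity row the rules see, with CUSTOMPROPERTY22 derived as in Step 3."""
    u = {"customproperty22": derive_cp22(new_user, current_user),
         "employeeType": new_user["employeetype"]}
    u.update(fields)
    return u


TODAY = date(2023, 5, 4)  # fixed so results are reproducible (constructed)

# Constructed NEWUSERDATA rows; not real people.
NEW_INDEP = {"username": "ind1", "title": "Consultant",
             "employeetype": "OUT_Outsourced Independent Contractor"}
NEW_INTERN = {"username": "int1", "title": "BASE Participant",
              "employeetype": "OUT_Outsourced Agency Contractor"}

ACTIVE_INDEP = build_identity(NEW_INDEP, None, statuskey=1, employeeid="900123",
                              startdate=TODAY + timedelta(days=3),
                              leaveStatus=None, employeeclass="Contractor")
ON_LEAVE_INDEP = dict(ACTIVE_INDEP, leaveStatus="LOA")

if __name__ == "__main__":
    print(fired_rules(ACTIVE_INDEP, TODAY))                             # [RULE_CONTRACTOR]
    print(fired_rules(ON_LEAVE_INDEP, TODAY))                           # []
    print(rule_agency_or_independent(ON_LEAVE_INDEP, TODAY, grouped=False))  # True: the bypass
```

The CASE order matters: a worker whose title is one of the intern titles gets INTRN even when the employee type is an agency contractor, so rule 2 will not fire for that record.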

Step 4: Update the following PowerShell scripts on the WinPS servers.

Enhanced the function "exch-newMailByType" in "E:\Scripts\Saviynt\Development\UseCase\IGAExch.ps1":

function exch-newMailByType
{
    param
    (
        [Parameter(Mandatory=$True)]
        [string]$objSAM,

        [Parameter(Mandatory=$False)]
        [ValidateSet("C","V","I","A","BAN","RTN","BAE","BSG","STANDARD","TEMP",$null)]
        [string]$Type
    )

    # added on 05-04-2023 to skip the trailing period character from the user firstname and lastname
    $objUser = Get-ADUser -Identity $objSAM

    #$givenName = $objUser.givenName -replace ('\.+$',"")
    #$surName = $objuser.Surname -replace ('\.+$',"")

    # keep only letters (including Latin accented ones), digits and a few safe symbols;
    # the hyphen is placed last in the character class so it is read as a literal
    $givenName = $objUser.givenName -replace '[^a-zA-ZÀ-ú0-9_!#^~-]'
    $surName = $objUser.Surname -replace '[^a-zA-ZÀ-ú0-9_!#^~-]'

    if (($surName -like "") -and ($givenName -like "")) {
        # $outFile is the script-scope log file path
        "User's firstname and lastName are invalid" | Out-File -FilePath $outFile -Append
        return
    }
    elseif ($surName -like "") {
        $prefix = $givenName
        $prefix = $prefix.replace("'","").Replace(" ","")
    }
    elseif ($givenName -like "") {
        $prefix = $surName
        $prefix = $prefix.replace("'","").Replace(" ","")
    }
    else {
        $prefix = "$givenName.$surName" -replace ('\.\.','.')
        $prefix = $prefix.replace("'","").Replace(" ","")
    }

    # round-trip through the Cyrillic code page and back to ASCII to drop characters the mailbox name cannot carry
    $prefix = [Text.Encoding]::ASCII.GetString([Text.Encoding]::GetEncoding("Cyrillic").GetBytes($prefix))

    $newmail = $null
    $mailType = $Type.ToUpper()

    switch ($mailType) {
        BAN      { $domain = "@bainadvisor.com";     $newmail = $prefix+$domain }
        BAE      { $domain = "@bainadvisor.com";     $newmail = "V-"+$prefix+$domain }
        BSG      { $domain = "@bridgespangroup.org"; $newmail = $prefix+$domain }
        C        { $domain = "@bain.com";            $newmail = "C"+"-"+$prefix+$domain }
        V        { $domain = "@bain.com";            $newmail = "V"+"-"+$prefix+$domain }
        A        { $domain = "@bain.com";            $newmail = "A"+"-"+$prefix+$domain }
        I        { $domain = "@bain.com";            $newmail = "I"+"-"+$prefix+$domain }
        RTN      { $domain = "@bain.com";            $newmail = "RTN"+"-"+$prefix+$domain }
        TEMP     { $domain = "@bain.com";            $newmail = "T-"+$prefix+$domain }
        STANDARD { $domain = "@bain.com";            $newmail = $prefix+$domain }
        default  { $domain = "@bain.com";            $newmail = $prefix+$domain }
    }

    # make the address unique: append a counter while any proxy address already contains it
    $i = 1
    $check = $null
    $filter = "proxyaddresses -like `"*$newmail*`""
    $check = Get-ADUser -Filter $filter -Properties mail

    if ($check) {
        do {
            $i++
            $newmail = $prefix+$i+$domain
            $filter = "proxyaddresses -like `"*$newmail*`""
            $checkMail = Get-ADUser -Filter $filter -Properties mail
        } until (!$checkMail)
    }

    return $newmail
}
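A Python model of exch-newMailByType, added here as an example and not the runbook's script, so the naming rules can be exercised against an in-memory directory without touching AD. The directory entries, the people in them and the helper names are constructed; AD lookups are replaced by a list of proxyAddresses strings, and the Cyrillic-to-ASCII round trip by Unicode accent stripping (a stand-in with a different policy for unmappable characters, which the script turns into '?'). Two points a reviewer of the script will want to check are made explicit: the model keeps the type prefix (for example V-) on the numbered fallback, whereas the script's loop builds $prefix+$i+$domain from the bare prefix, and the `exact` flag contrasts whole-address matching with the script's *address* substring filter, which treats joann.lee@bain.com as a collision for ann.lee@bain.com.

```python
import re
import unicodedata
from typing import Iterable, Optional

# type -> (local-part prefix, domain), mirroring the switch block; unknown types fall to the default
TYPE_RULES = {
    "BAN": ("", "@bainadvisor.com"), "BAE": ("V-", "@bainadvisor.com"),
    "BSG": ("", "@bridgespangroup.org"),
    "C": ("C-", "@bain.com"), "V": ("V-", "@bain.com"), "A": ("A-", "@bain.com"),
    "I": ("I-", "@bain.com"), "RTN": ("RTN-", "@bain.com"), "TEMP": ("T-", "@bain.com"),
    "STANDARD": ("", "@bain.com"),
}
DEFAULT_RULE = ("", "@bain.com")

# characters removed from the given name and surname (same class as the script)
STRIP = re.compile(r"[^a-zA-ZÀ-ú0-9_!#^~-]")


def build_prefix(given: Optional[str], sur: Optional[str]) -> Optional[str]:
    """Local-part prefix from the AD names; None when both names are empty after cleaning."""
    given = STRIP.sub("", given or "")
    sur = STRIP.sub("", sur or "")
    if not given and not sur:
        return None                     # the script logs "invalid" and returns nothing
    if not sur:
        prefix = given
    elif not given:
        prefix = sur
    else:
        prefix = f"{given}.{sur}".replace("..", ".")
    # stand-in for the Cyrillic/ASCII round trip: strip accents, drop what is left non-ASCII
    prefix = unicodedata.normalize("NFKD", prefix).encode("ascii", "ignore").decode()
    return prefix


def new_mail(given: Optional[str], sur: Optional[str], mail_type: Optional[str],
             directory: Iterable[str], exact: bool = True) -> Optional[str]:
    """Unique address for the worker type. directory holds existing proxyAddresses
    values such as 'SMTP:jane.doe@bain.com'. exact=False reproduces the script's
    '*addr*' substring match; exact=True compares whole addresses."""
    prefix = build_prefix(given, sur)
    if prefix is None:
        return None
    local_prefix, domain = TYPE_RULES.get((mail_type or "").upper(), DEFAULT_RULE)
    existing = [p.split(":", 1)[-1].lower() for p in directory]

    def taken(addr: str) -> bool:
        a = addr.lower()
        return any(a == e if exact else a in e for e in existing)

    candidate = local_prefix + prefix + domain
    i = 1
    while taken(candidate):
        i += 1
        # the type prefix is kept on the numbered fallback (see lead-in)
        candidate = local_prefix + prefix + str(i) + domain
    return candidate


# Constructed proxyAddresses values; not real accounts.
DIRECTORY = [
    "SMTP:V-jane.doe@bain.com",
    "smtp:jane.doe@bain.com",
    "SMTP:V-jane.doe2@bain.com",
    "SMTP:joann.lee@bain.com",
]

if __name__ == "__main__":
    print(new_mail("Jane", "Doe", "V", DIRECTORY))                   # V-Jane.Doe3@bain.com
    print(new_mail("Ann", "Lee", "STANDARD", DIRECTORY))             # Ann.Lee@bain.com
    print(new_mail("Ann", "Lee", "STANDARD", DIRECTORY, exact=False))  # Ann.Lee2@bain.com
    print(build_prefix("Zoë", "O'Brien"))                            # Zoe.OBrien
```

Feed it a dump of proxyAddresses from the target domain to preview the address a new contractor would receive, and compare the `exact=True` and `exact=False` results to see how often the substring filter forces an unnecessary numeric suffix.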

Update the following code in the script located at "E:\Scripts\Saviynt\Development\UseCase\Add-onpremmailbox.ps1":

# Vendor users email generation
elseif ($employeeType -eq "OUT_Outsourced Vendor Contractor") {
    # Get unique email address; reuse the existing mail attribute if the account already has one
    $check = Get-ADUser -Identity $samAccountName -Properties mail
    if (!($check.mail)) {
        $email = exch-newMailByType $samAccountName "V"
    }
    else {
        $email = $check.mail
    }
    $objSAM = Get-ADUser -Identity $samAccountName
    if ($objSAM) {
        Set-ADUser -Identity $samAccountName -EmailAddress $email -UserPrincipalName $email
        #ad-setLocation -objSAM $samAccountName
    }
    else {
        " AD account not found: $samAccountName" | Out-File -FilePath $outFile -Append
        return
    }
}

# Independent and Contractor users email generation logic
elseif ($employeeType -eq "OUT_Outsourced Agency Contractor") {
    # Get unique email address
    $check = Get-ADUser -Identity $samAccountName -Properties mail
    if (!($check.mail)) {
        $email = exch-newMailByType $samAccountName "A"
    }
    else {
        $email = $check.mail
    }
    $objSAM = Get-ADUser -Identity $samAccountName
    if ($objSAM) {
        Set-ADUser -Identity $samAccountName -EmailAddress $email -UserPrincipalName $email
        #ad-setLocation -objSAM $samAccountName
    }
    else {
        " AD account not found: $samAccountName" | Out-File -FilePath $outFile -Append
        return
    }
}

elseif ($employeeType -eq "OUT_Outsourced Independent Contractor") {
    # Get unique email address
    $check = Get-ADUser -Identity $samAccountName -Properties mail
    if (!($check.mail)) {
        $email = exch-newMailByType $samAccountName "I"
    }
    else {
        $email = $check.mail
    }
    $objSAM = Get-ADUser -Identity $samAccountName
    if ($objSAM) {
        Set-ADUser -Identity $samAccountName -EmailAddress $email -UserPrincipalName $email
        #ad-setLocation -objSAM $samAccountName
    }
    else {
        " AD account not found: $samAccountName" | Out-File -FilePath $outFile -Append
        return
    }
}

Step 5: Modify the Create Account and Update Account JSONs in the Active Directory connection. Replace the existing attribute code with the following changes.

"department": "${if(null != user?.customer && user.customer.id==4){'Bain Advisory Network'} else{user?.departmentname}}",
"title": "${if(null != user?.customer && user.customer.id==4){'Bain Advisory Network'} else{user?.title}}",
