Scoped variable -deprovisioning in AD

    Question

  • All,

    Would I be able to do a scoped provisioning and deprovisioning for AD? If yes, what is the rule for deprovisioning?

    Thanks,

    Thursday, May 02, 2013 11:38 PM

Answers

  • In portal, sync rule, scope tab, using inbound and outbound scoping filter

    Those won't buy you deprovisioning. If you want to do declarative deprovisioning, you have to use the legacy RTM style sync rules with EREs. You would configure a Sync Rule workflow activity (and associated set/MPR pair) to 'Remove' the Sync Rule from the target object. This will trigger whatever deprovisioning behavior you have set up on the properties of the MA.

    If you want to do deprovisioning with R2 filter based OSRs, you will need to use traditional provisioning code.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Saturday, May 04, 2013 4:09 PM
    Moderator
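
    One shape the "traditional provisioning code" mentioned in this answer can take, as an added example that is not from the thread or its posters: a metaverse rules extension that creates the AD connector when a flag is "Y" and deprovisions it only when the flag is explicitly "N". The MA name, the FIM_Provision and accountName metaverse attributes, the "person"/"user" object types and the OU are assumptions.

```csharp
using System;
using Microsoft.MetadirectoryServices;

// Added example. All names below are assumptions, not values from the thread.
public class MVExtensionObject : IMVSynchronization
{
    private const string AdMaName = "AD MA";                      // assumed MA name
    private const string ScopeFlag = "FIM_Provision";             // assumed metaverse attribute
    private const string TargetOu = "OU=Users,DC=example,DC=com"; // placeholder container

    public void Initialize() { }
    public void Terminate() { }

    public void Provision(MVEntry mventry)
    {
        if (mventry.ObjectType != "person") return;

        ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];
        int connectors = adMa.Connectors.Count;

        // A missing flag is treated as "no decision": a broken import flow
        // must not deprovision every account at once.
        if (!mventry[ScopeFlag].IsPresent) return;
        string flag = mventry[ScopeFlag].Value;

        if (string.Equals(flag, "Y", StringComparison.OrdinalIgnoreCase) && connectors == 0)
        {
            if (!mventry["accountName"].IsPresent) return; // cannot build a DN yet
            CSEntry csentry = adMa.Connectors.StartNewConnector("user");
            csentry.DN = adMa.EscapeDNComponent("CN=" + mventry["accountName"].Value)
                             .Concat(TargetOu);
            csentry.CommitNewConnector();
        }
        else if (string.Equals(flag, "N", StringComparison.OrdinalIgnoreCase) && connectors > 0)
        {
            // Disconnect the AD connector(s); what happens to the AD object is
            // decided by the deprovisioning option set on the MA's properties.
            adMa.Connectors.DeprovisionAll();
        }
    }

    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

    The AD account is deleted only if the AD MA's deprovisioning option is set to stage a delete; with other settings the connector is just disconnected. Check the pending deletes in the connector space before running an export.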

All replies

  • It seems that you wish to provision/de-provision users in AD based on some flag value from a database table, source or the FIM portal. If so, your structure would be something like this, e.g.:

    Provisioning Flag : FIM_Provision="Y"   (If it's "Y" then provision to AD as active)

    De-Provisioning Flag : FIM_Provision="N" (If it's "N" then de-provision from AD and make it inactive)

    1. Create a set for users with FIM_Provision="Y" OR FIM_Provision="N"

    2. In the Synchronization Rule, check if it's "Y" > userAccountControl=512

                    else userAccountControl=514

    I guess this will help you.


    Regards~
    Deepak Arora
    -------------------------------------
    If you Find the Answer | Article | Blog Helpful Please Vote As Helpful / Mark As Answer



    • Edited by DeepakArora Friday, May 03, 2013 6:29 AM
    • Proposed as answer by GirirajSingh Friday, May 03, 2013 5:26 PM
    Friday, May 03, 2013 12:32 AM
  • Thanks for your reply. I want to delete the account from AD using scope, not just disable it.
    Friday, May 03, 2013 2:12 AM
  • Oh,

    Well, I am not sure if there is any direct way of doing it; however, if I were in your place I would have played with FIM a bit using the EmployeeEndDate attribute. The following is an example.

    1.  In the import method in the data source rules extension, check your disable flag value

    // deProvision holds the de-provision flag value read from the data source
    if (deProvision == "Y")
    {
        // Set the end date to yesterday
        mventry["employeeEndDate"].Value = DateTime.Now.AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss.000");
    }

    2. Set export flow from FIMMA for EmployeeEndDate from Metaverse to FIM Portal

    3. then Follow the below link:

    http://microsoftiam.blogspot.in/2010/11/fim-2010-delete-user-when-end-date-is.html

    4. Configure Deletion Rule for Metaverse in Metaverse Designer 

    5. Configure Stage Deletion in ADMA Properties. 

    There you go............. :)


    Regards~
    Deepak Arora



    • Edited by DeepakArora Friday, May 03, 2013 6:29 AM
    • Proposed as answer by GirirajSingh Friday, May 03, 2013 5:26 PM
    Friday, May 03, 2013 6:16 AM
  • What do you mean by 'scoped'?

    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com

    Friday, May 03, 2013 11:31 PM
    Moderator
  • In portal, sync rule, scope tab, using inbound and outbound scoping filter
    Saturday, May 04, 2013 12:48 AM