Suspension of deleted accounts

    Question

  • I've been asked by clients on a number of jobs whether it would be possible to do the following, and frankly I have no idea where I'd begin.

    User accounts are pulled in from an enrolment database, passed through the FIM Portal and provisioned into AD. Is it possible that when these users are deleted from the enrolment database, they are moved to a different OU and marked as disabled in AD? Then, after X number of days, if they haven't been re-created in the database, they are deleted from AD; however, if at any time within those X days their record re-appears in the database, their account will be re-created.

    Any help / thoughts on this would be really very much appreciated.

    Wednesday, October 09, 2013 4:47 PM

Answers

  • Hello,

    Sure, this is possible, as this is one purpose of an IDM system.

    On disconnect from the Enrol DB, set the delete date in the MV; when the date is set, apply the appropriate Sync Rules to rename the object (DN) and disable the account in AD.

    Create a set that applies to users whose delete time is older than X days, and use that set to deprovision users, which will then be deleted in the AD MA, if deprovisioning is set up correctly.

    On reconnect from the Enrol DB, clear the delete time attribute, and the user should transition again into the normal account set and be renamed into the normal container.

    I have to face this too in the near future at my current client, because this is currently done by a rules extension, but I want to migrate that to Portal functions.

    There are other ways to do so, I think, but yes, it is possible.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Wednesday, October 09, 2013 6:13 PM

All replies

  • Hi Peter,

    Thanks for your help.

    The part I'm unclear on is how I would a) set the date on the user's account when they disconnect and b) create a group with criteria that calculate the number of days a user has been disabled. Do you think you could point me in the right direction?

    Not sure how possible this is using Portal functions; it would be great if it were.

    Thanks again

    Wednesday, October 09, 2013 11:33 PM
  • Hello

    My client's environment is a little bit different: we did a change request to the HD system to also get the deactivated/leaving employees. This is much easier to handle, and also more of a best practice, because an object in the MV should preferably have a connector to its leading source.

    But you can achieve this anyway, like this I think:

    Create 2 bool attributes in the MV (isInAD, isInEnrollDB) and create a direct flow for them in the appropriate MAs.

    Create a set with the clause: isInAD is true and isInEnrollDB is not true; use this in a Transition In MPR.
    (Maybe an additional attribute makes sense to check whether the user exists but is not in the enroll DB, but don't make decisions only on the absence of attributes.)

    Start a custom workflow (Update Resource activity) or use a PowerShell activity to set the disable date.

    For b)

    Create a set for users with the clause: deleteTime prior to xx days (that should work).

    Hope that helps. 
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    Thursday, October 10, 2013 9:03 AM
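
As an added example (not Peter's code, nor anything shipped by Microsoft), here is what the two pieces asked for in a) and b) look like in PowerShell against the FIM Service, the way a FIM PowerShell workflow activity behind the Transition In MPR would call them. Everything named below is assumed: a custom single-valued DateTime attribute `deleteTime` bound to Person in the FIM schema, the FIMAutomation snap-in on the FIM Service host, the default service URI, a grace period X of 30 days, and a constructed Person ObjectID in the usage lines.

```powershell
# Added example, not code from the thread. Assumes: a custom single-valued
# DateTime attribute "deleteTime" bound to Person in the FIM schema, the
# FIMAutomation snap-in on the FIM Service host, the default service URI,
# and a grace period X of 30 days.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$FimUri    = "http://localhost:5725/ResourceManagementService"   # assumed default
$GraceDays = 30                                                   # the thread's "X"

function New-FimChange {
    # Builds one ImportChange (Replace or Delete) for a single-valued attribute.
    param([string]$Name, [string]$Value, [string]$Operation)
    $c = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportChange
    $c.Operation      = [Enum]::Parse([Microsoft.ResourceManagement.Automation.ObjectModel.ImportOperation], $Operation)
    $c.AttributeName  = $Name
    $c.AttributeValue = $Value
    $c.FullyResolved  = $true
    $c.Locale         = "Invariant"
    return $c
}

function Update-FimPerson {
    # Applies one change to an existing Person (State = Put) through the FIM Service.
    param([guid]$ObjectId, $Change)
    $io = New-Object Microsoft.ResourceManagement.Automation.ObjectModel.ImportObject
    $io.ObjectType             = "Person"
    $io.TargetObjectIdentifier = "urn:uuid:$ObjectId"
    $io.SourceObjectIdentifier = "urn:uuid:$ObjectId"
    $io.State                  = [Microsoft.ResourceManagement.Automation.ObjectModel.ImportState]::Put
    $io.Changes                = @($Change)
    $io | Import-FIMConfig -Uri $FimUri
}

function Get-FimPersonAttribute {
    # Reads one attribute of a Person; a Delete change must carry the current value.
    param([guid]$ObjectId, [string]$Name)
    $obj = Export-FIMConfig -Uri $FimUri -CustomConfig "/Person[ObjectID='$ObjectId']" -OnlyBaseResources
    if (-not $obj) { throw "Person $ObjectId not found in the FIM Service" }
    ($obj.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }).Value
}

# a) Run by the workflow behind the Transition In MPR for the set
#    "isInAD is true and isInEnrollDB is not true": stamp the date the
#    enrolment record disappeared. Sync Rules keyed on deleteTime then move
#    the object to the holding OU and disable the AD account.
function Set-DeleteTime {
    param([guid]$ObjectId)
    $stamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fff")
    Update-FimPerson $ObjectId (New-FimChange "deleteTime" $stamp "Replace")
}

# a, reconnect) Run when the record reappears in the enrolment DB: clearing
#    deleteTime drops the user out of the grace-period set before deprovisioning.
function Clear-DeleteTime {
    param([guid]$ObjectId)
    $current = Get-FimPersonAttribute $ObjectId "deleteTime"
    if ($current) {
        Update-FimPerson $ObjectId (New-FimChange "deleteTime" $current "Delete")
    }
}

# b) Criteria for the set "deleteTime prior to X days", in the XPath dialect the
#    FIM Service evaluates for relative-date (temporal) sets. The same filter
#    previews who the deprovisioning MPR would hit on its next run.
$GraceFilter = "/Person[deleteTime <= op:subtract-dayTimeDuration-from-dateTime(fn:current-dateTime(), xs:dayTimeDuration('P${GraceDays}D'))]"

function Get-ExpiredPersons {
    Export-FIMConfig -Uri $FimUri -CustomConfig $GraceFilter -OnlyBaseResources |
        ForEach-Object { $_.ResourceManagementObject.ObjectIdentifier }
}

# Usage (interactive check before wiring the MPRs; the ObjectID is constructed):
#   Set-DeleteTime -ObjectId 'a2a7c5f2-0f11-4a29-9a6c-3c3b1f8e6d10'
#   Get-ExpiredPersons
#   Clear-DeleteTime -ObjectId 'a2a7c5f2-0f11-4a29-9a6c-3c3b1f8e6d10'
```

Two caveats worth knowing before wiring this up. Membership of a relative-date set is recomputed by the FIM Service's temporal events job on its schedule, not at the exact minute the X days elapse, so the deprovisioning transition fires at the next job run. And because deprovisioning through the AD MA deletes the account, run `Get-ExpiredPersons` against the filter first and confirm the list is what you expect (and that `Clear-DeleteTime` on a reconnected user really removes them from it) before the Transition In MPR for that set is enabled.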