Deleting Users from the FIM portal

  • Question

  • Hello,

    FIM has been deployed in an environment where it doesn't have permissions over all AD OUs. Some users have been moved out of an OU which FIM has control of and then moved back into the OU which has FIM ownership. FIM has been configured to not delete any users from AD, but just to disconnect users.

    I have an issue where some users have sync issues as they have duplicate accounts where they've been moved in and out of FIM OUs.

    What's the best way to deal with this scenario and how can I achieve it?

    Thanks

    Saturday, July 5, 2014 10:52 PM

Answers

  • Hello,

    Sure, you can delete an object from the Portal as it gets deleted from the MV; from the MV side the Portal is just another MA. So setting the "Delete object on the next export" option in the FIM MA is what you need.

    That's how deleting normally works all the way in FIM.

    First select when the object should be deleted from the MV (object delete rule in the schema), then decide what to do in the MA (disconnect or delete).

    The only thing you can't do in the FIM MA is to use MA extension code like in all other MAs, so deleting objects in the MV works for all object types in the FIM MA.

    Point 2: Join criteria depend on what you have in MV and AD; the best option is always a unique ID, something that mostly doesn't change over its lifetime, like EmployeeID or a corporate unique lifetime ID.

    samAccountName, for example, may change on sn changes, with ADMT for example.
    I'm not quite sure if you can use the binary value objectSID as a criterion, but it should be stable enough to use if it's possible, since it only changes when migrating objects to another domain, for example.

    Regards
    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Sunday, July 6, 2014 9:18 PM
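
The answer's point about join criteria can be checked offline before changing any join rule. The following is an added example, not code from the thread or from FIM: it models a join as an exact match on one attribute, decodes the binary objectSid to its string form so it can be compared as text, and runs on constructed sample records (all names, IDs and SIDs below are made up).

```python
import struct

def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (MS-DTYP SID layout) into its S-1-... string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])        # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def make_sid(rid: int) -> bytes:
    """Build a constructed domain SID S-1-5-21-1-2-3-<rid> for the sample data."""
    subs = (21, 1, 2, 3, rid)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<5I", *subs)

def normalise(entry):
    """Replace the binary objectSid with its string form."""
    return {**entry, "objectSid": sid_to_string(entry["objectSid"])}

def evaluate_join(mv_objects, ad_objects, attribute):
    """Classify each AD object by how many metaverse objects match on `attribute`.

    Simplified model (assumption): 'unmatched' objects are the ones that would
    not reconnect and would become duplicates if a projection rule applies.
    """
    result = {"joined": [], "ambiguous": [], "unmatched": []}
    for ad in ad_objects:
        matches = [mv for mv in mv_objects if mv[attribute] == ad[attribute]]
        key = "joined" if len(matches) == 1 else "ambiguous" if matches else "unmatched"
        result[key].append(ad["sAMAccountName"])
    return result

# Constructed sample: metaverse objects left behind after the accounts were disconnected.
MV = [normalise(e) for e in (
    {"employeeID": "E1001", "sAMAccountName": "asmith", "objectSid": make_sid(1105)},
    {"employeeID": "E1002", "sAMAccountName": "bjones", "objectSid": make_sid(1106)},
)]
# The same accounts back in the managed OU; bjones was renamed after a surname change.
AD = [normalise(e) for e in (
    {"employeeID": "E1001", "sAMAccountName": "asmith", "objectSid": make_sid(1105)},
    {"employeeID": "E1002", "sAMAccountName": "bmiller", "objectSid": make_sid(1106)},
)]

if __name__ == "__main__":
    for attr in ("sAMAccountName", "employeeID", "objectSid"):
        print(attr, evaluate_join(MV, AD, attr))
```

An "ambiguous" result means more than one metaverse object already carries the same value, which is the existing-duplicate case from the question and needs cleaning up before a join on that attribute can work.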

All replies

  • Hello,

    I think you have 2 (or maybe more) approaches, depending on how objects are connected to MAs other than AD and which MA is your leading source for objects:

    1. Adjust the MV delete rules for person objects to delete objects from MV if they are disconnected from AD MA. Project it again when it is moved back to the OU that FIM controls.

    2. Leave objects in MV and Portal when they are disconnected from AD and set proper join rules to reconnect them if they are moved back to the OU that FIM controls.

    If your objects are connected to MAs other than AD, I would try the 2nd option.

    Regards

    Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Sunday, July 6, 2014 10:06 AM
  • Hi Peter,

    Would deleting from the MV delete the user from the FIM portal? Presumably this would just be selecting the deprovisioning option on the FIM MA?

    On point 2, what would be the best join option to use? Would it be objectsid?

    Thanks

    Sunday, July 6, 2014 7:44 PM
  • Thanks Peter :-)
    Monday, July 7, 2014 8:00 AM