Do you know any solution to delete a synced account IN ONLY ONE destination and keep the others in sync?

  • Question

  • Hello guys,
    I have a scenario where I have to synchronize admin accounts from the "A" domain (source AD domain) to multiple destination AD domains ("B", "C", "D" domains and so on...). I have created sets where I specified which account should be synced to which destination domain. These sets are based on the description field: if it contains the name of the destination domain ("B", "C", "D" ...) it will synchronize in that direction. For example, if the user description in the source domain contains the "B" and "D" values, it will sync to the B and D destination domains. I have created a synchronization rule for each destination domain. After the synchronization cycle all accounts in the metaverse got the proper ERE(s) and synced to the right place.
    And now comes my question... :) In case the admin account doesn't support one of the environments anymore, is it possible to remove the proper ERE from the object and delete the account only in one destination environment?
    Example: I have an admin account in the "A" domain. I synced this account to the "B" and "C" domains. Some time later the admin account does not support the "C" domain anymore. I remove the "C" value from the description of the account (with this action the set of the synchronization rule ("C") doesn't contain the account anymore), but the ERE of the synchronization rule ("C") is still in the expectedRulesList of the affected account in the MV. After that the account is still in the "C" domain and all subsequent synchronization is working (I suspect due to the ERE of the "C" sync rule in the object).

    If I delete an account in the source domain it will delete the account in all associated destination domains, as it should.
    Do you know any solution to delete a synced account ONLY IN ONE destination and keep the others in sync?

    Thank you in advance!

    Best regards,
    Tom

    Tuesday, April 4, 2017 8:19 AM

Answers

All replies

  • Hello,

    I assume your EREs will trigger a deprovisioning when removed and your MA deprovisioning config is set to delete an object if the MV object is deleted.

    So if this is a one-time operation, you can consider changing the MA behavior to disconnect only, then delete the admin, and after it has been processed by the MAs switch back to delete.

    If it is not a one-time operation and will happen in the future, and users should be deleted but admins (or some admins) should be disconnected only, you need to implement a rules extension on the MAs for deprovisioning.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, April 4, 2017 12:31 PM
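As an added example (not code from the thread or from any of the posters) of the deprovisioning rules extension Peter refers to: a minimal `IMASynchronization` implementation for a destination-domain AD MA that disconnects admin accounts and deletes everything else. It assumes admin accounts are recognisable by a hypothetical `CN=adm-` RDN prefix; the attribute or naming convention used in a real deployment would differ, and the MA's Deprovisioning page must be set to use a rules extension for `Deprovision` to be called at all.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace AdminSyncExtension
{
    // Hypothetical MA rules extension for the destination-domain AD MAs.
    // Only Deprovision is implemented; the other interface members throw
    // EntryPointNotImplementedException, which tells the sync engine to keep
    // its default (declarative) behaviour for those operations.
    public class DestinationMaRules : IMASynchronization
    {
        // Assumption: admin accounts in the destination domain use a
        // "CN=adm-" RDN prefix. Replace with the real naming convention.
        const string AdminPrefix = "CN=adm-";

        // Pure decision function so the policy can be unit-tested without a CSEntry.
        public static DeprovisionAction ActionFor(string dn)
        {
            bool isAdmin = dn.StartsWith(AdminPrefix, StringComparison.OrdinalIgnoreCase);
            // Admins are only disconnected: the AD object stays, the CS link is dropped.
            // Everything else is deleted from the destination domain.
            return isAdmin ? DeprovisionAction.Disconnect : DeprovisionAction.Delete;
        }

        // Called by the sync engine when the CS object loses its MV link
        // (for example after the sync rule's ERE is removed and deprovisioning fires).
        public DeprovisionAction Deprovision(CSEntry csentry)
        {
            return ActionFor(csentry.DN.ToString());
        }

        public void Initialize() { }
        public void Terminate() { }

        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

The decision is isolated in `ActionFor` so the delete-versus-disconnect policy can be reviewed and tested independently of the sync engine; compile the assembly against the MIM Synchronization Service's `Microsoft.MetadirectoryServices.dll` and select it on the MA's Deprovisioning page.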
  • Theoretically, what you are describing is out-of-the-box functionality. Criteria changes, so does the end result.

    I think the implementation may not be done properly.

    Try one thing first, low cost, after the description is changed.

    Run a Full Import followed by a full sync in FIM MA.

    If this does not work, maybe you can put some screen shots of the sync rule and what the Metaverse Objects look like?


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, April 4, 2017 12:32 PM
  • Thank you for your reply!
    So to delete accounts I have configured the following ObjectDeletionRule:

    With this configuration, when I delete an account in the source domain ("A") it will delete all other objects (in the MV, in the FIM database and in the destination domains). It is working as designed. BUT I would like to delete the account in only one destination domain (e.g. in the "B" domain) as well. Both deletion processes should work. So I don't want to delete the MV object, just the object in the destination domain.

    The Management Agents Deprovisioning configured as below:


    I removed the "B" domain from the description of the object, synced it to the MV and performed a full import followed by a full sync in the FIM MA.
    1. Before the modification of the Description field:

    2. After the description change was exported to the FIM database I performed a full import and full sync with the FIM MA. Unfortunately I can still see the ERE in the user's provisioning tab:


    And only the description of the object changed in the MV....


    Do you have any idea how I can remove this ERE and delete the account in the specified destination domain without deleting the MV object?


    Wednesday, April 5, 2017 8:56 AM
  • Hi,

    Understood better now.

    So you need to create a set/workflow/MPR combination, and the workflow should trigger the "remove from sync rule" action for the object.

    Or in other words, you have to bring the object out of the scope of the sync rule, which removes the ERE.

    The sync rule should have the "trigger deprovision" option set if the object gets out of the rule.

    This will first add a 2nd ERE with "Entry Action" remove. And after processing, both sync rule entries are removed.

    This is also described here: https://social.technet.microsoft.com/wiki/contents/articles/1270.understanding-deprovisioning-in-fim.aspx#Initiating_deprovisioning_by_using_a_synchronization_rule

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by supebutt007 Monday, April 10, 2017 6:23 AM
    Wednesday, April 5, 2017 6:03 PM
  • Thank you Peter. With this article I could solve my issue. From now on the object deletion works as designed. :)
    Monday, April 10, 2017 6:23 AM