How to handle actions to perform on user delete?

  • Question

  • What's the general consensus regarding how to perform activities outside of FIM when a resource is deleted? For instance, I have two custom workflows that do things to systems parallel to FIM on create and update of a user. I wanted to create a DELETE workflow that went off and did some things outside of FIM when the user was deleted, except I can't, as the user has been deleted within FIM before the workflow fires, so I can't access the attributes I need to perform the action (hence, post-processing).

    My thoughts go to sync engine extensions, but an MV rules extension won't tell you the action being performed on the object (I guess I could query the FIM Service for the object and, if nothing comes back, I know it's a delete, but this won't be efficient). I'd rather not have the functionality downstream in one of the management agents, preferring to keep it as near to source as possible.

    Tuesday, November 20, 2012 3:38 PM

Answers

  • Thanks Bhavesh. Unfortunately, though, your suggestion won't work for my scenario, as in this case the user is deleted in AD and therefore it's the FIM MA account that's deleting the user in FIM Service (and thus bypassing any authz workflows). The scenario where a user initiates a delete through the FIM Portal is supported by my solution, using an authorization workflow. The problem is specific to a user being deleted in AD first.

    I looked at an AD rules extension, hoping to use the Deprovision() method, but my tests don't show it being called when a user is deleted in AD. I'm still playing with it to see if it's a configuration issue.

    • Edited by Amethi Thursday, November 22, 2012 1:54 PM
    • Marked as answer by Amethi Thursday, November 22, 2012 3:24 PM
    Thursday, November 22, 2012 1:53 PM

All replies

  • One solution seems to be to break MS recommendations and perform the action in an authorisation workflow, as this is executed before the object is deleted. It's all I've got to go on at the moment so will give it a spin. I don't think a better design solution is going to come up unless MS add in a PreProcessing model for workflows.
    • Marked as answer by Amethi Tuesday, November 20, 2012 5:03 PM
    • Unmarked as answer by Amethi Wednesday, November 21, 2012 9:38 AM
    Tuesday, November 20, 2012 4:06 PM
  • Do authorisation workflows not fire for delete operations? I've got everything configured and can see the policy listed in the completed request but the code isn't firing. I've attached a debugger and it's not being hit.
    • Edited by Amethi Wednesday, November 21, 2012 10:09 AM
    Tuesday, November 20, 2012 5:17 PM
  • Ah, I think the problem is that the deletion is happening in AD and that delete request is flowing into FIM, and the sync engine user doesn't require any approval/authorisation for its requests, hence why it's not being hit. Most frustrating.
    • Marked as answer by Amethi Wednesday, November 21, 2012 4:24 PM
    • Unmarked as answer by Amethi Thursday, November 22, 2012 1:53 PM
    Wednesday, November 21, 2012 3:06 PM
  • Hi Amethi,

    How does the user get deleted in your scenario? Is it the FIM portal UI or a custom UI? I would do...

    (1) Add an attribute to /user, let's say a string attribute "DeleteStatus".

    (2) Now, instead of a delete resource request, just update that attribute to something like "ReadyForDelete". Here, from the custom UI point of view, it is a delete request, but internally it is an update request.

    (3) Create a set "All users to be deleted after updating other systems" using the above attribute in the set criteria.

    (4) Use the set created in 1st step to create a set transition in an MPR to run your action WF with one additional activity which updates the "DeleteStatus" attribute to something like "Delete". Here you should have a single WF with all activities which update other systems, in addition to the last activity I mentioned.

    (5) Create a transition-out MPR for the set created in 1st step to delete a user.

    I don't know your exact scenario, but I would approach it with the above mentioned steps. If you are using the FIM portal UI then it requires lots of RCDC editing to make the above suggestions work.

    Thanks,
    Bhavesh

    Wednesday, November 21, 2012 4:31 PM
  • I've worked it out, I'll just store the resource id in the external system as well and that's available after an object deletion in an action workflow. Luckily I can change the external systems schema.
    Thursday, November 22, 2012 3:21 PM
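The approach the thread settles on (key the external record on the FIM resource ID, so the cleanup can run from an action workflow after the object itself is gone) as an added C# example. This is not code from the thread, from Amethi, or from FIM; it assumes a custom activity hosted in a FIM 2010 action workflow (Windows Workflow Foundation 3.5, which is what FIM 2010 uses), an external SQL table dbo.Accounts with a FimObjectId column populated by the create workflow, and a hard-coded connection string standing in for activity configuration. ExternalAccountStore, the table and column names and the connection string are all placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Workflow.ComponentModel;
using Microsoft.ResourceManagement.Workflow.Activities;

// Added example, not from the thread: a custom FIM 2010 action-workflow activity that
// cleans up an external system after the FIM Service has already committed a Delete
// request. ExternalAccountStore, dbo.Accounts, FimObjectId and the connection string
// are assumptions for illustration only.
namespace Example.Fim.Activities
{
    public class ExternalDeleteCleanupActivity : Activity
    {
        // Assumed connection string. In a real deployment this would come from the
        // activity's configuration (e.g. a dependency property set in the workflow
        // designer), not a literal in the assembly.
        private const string ExternalConnectionString =
            "Server=extsql;Database=ExternalAccounts;Integrated Security=true";

        protected override ActivityExecutionStatus Execute(ActivityExecutionContext executionContext)
        {
            SequentialWorkflow parentWorkflow;
            if (!SequentialWorkflow.TryGetContainingWorkflow(this, out parentWorkflow))
            {
                throw new InvalidOperationException(
                    "ExternalDeleteCleanupActivity must be hosted in a FIM SequentialWorkflow.");
            }

            // By the time an action workflow runs for a Delete request the target resource
            // no longer exists, so a ReadResourceActivity against it fails. The request
            // still carries the ObjectID of the deleted resource, exposed here as TargetId.
            // That GUID is the only target data left, and it is enough if the external
            // system stored the FIM ObjectID alongside its own record at create time.
            Guid deletedObjectId = parentWorkflow.TargetId;

            int removed = ExternalAccountStore.RemoveByFimObjectId(ExternalConnectionString, deletedObjectId);

            // Zero rows is not an error for a cleanup step: the create workflow may never
            // have reached this system, or the cleanup may already have run once.
            Trace.TraceInformation(
                "Request {0}: removed {1} external record(s) for deleted FIM object {2}",
                parentWorkflow.RequestId, removed, deletedObjectId);

            return ActivityExecutionStatus.Closed;
        }
    }

    // Assumed external repository keyed on the FIM ObjectID. The statement is
    // parameterized rather than concatenated, so the value can never change the query.
    public static class ExternalAccountStore
    {
        public static int RemoveByFimObjectId(string connectionString, Guid fimObjectId)
        {
            const string sql = "DELETE FROM dbo.Accounts WHERE FimObjectId = @FimObjectId";

            using (SqlConnection connection = new SqlConnection(connectionString))
            using (SqlCommand command = new SqlCommand(sql, connection))
            {
                command.Parameters.AddWithValue("@FimObjectId", fimObjectId);
                connection.Open();
                return command.ExecuteNonQuery();
            }
        }
    }
}
```

To use it, the activity is wrapped in a workflow definition and attached as an action workflow to a request MPR whose operation is Delete on the user set; as the thread found, an authorization workflow would not run for deletes originating from the synchronization engine, so the action (post-processing) stage is the one place this can be hooked. The external system must record the FIM ObjectID when the user is created, since after the delete there is nothing else to look the record up by.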