Object Deletion Rule

  • Question

  • Hi,

    I have a situation in which SQL is authoritative for creation/deletion of groups in AD. I have configured the object deletion rule for the "group" object to Rule Extension.
    When a group is added to the SQL table, it is projected to the metaverse as a "group" object and provisioned to the AD connector space.
    Now when somebody manually deletes the group in AD, the ShouldDeleteFromMV event fires and I am able to log the object deletion. This works fine.

    Now the problem is:

    If somebody creates a group in AD, say GR1, I am projecting it to the metaverse as a "group" object, but not provisioning it to any connector space, so the metaverse entry is connected to the AD connector space entry only. Now if somebody manually deletes the same group (GR1) which was created manually in AD, the ShouldDeleteFromMV event does not fire and I am unable to log the object deletion in AD.

    Why doesn't the ShouldDeleteFromMV event fire, or am I making a mistake somewhere?

    Any help or insight will be appreciated.

    Regards
    Rishikesh Singh
    Friday, September 21, 2007 9:20 AM

Answers

  • Rishikesh,

    if your objective is to detect a deletion in AD, the object deletion rule is not the optimal place for doing this.

    The optimal place is to do this as soon as MIIS has knowledge about a deletion, which is on import…

    You can configure an MA to generate a log file during an import.

    By parsing that log file for staged deletions, you can get and log the information you are looking for.

    Cheers,

    Markus


    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

    Thursday, September 27, 2007 10:11 AM
    Moderator
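One way to implement the log parsing Markus describes, as an added example that is not from this thread: a small Python script that reads an MA import log, tallies the staged operations and records each staged deletion as an audit line. The element and attribute names (mmsml, delta, operation, dn) and the namespace URI are assumptions about the MIIS audit-file format, and the sample log is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace and element names are ASSUMED to match the MIIS audit/drop-file
# format (MMSML); verify them against a real import log before relying on this.
MMSML_NS = "{http://www.microsoft.com/mms/mmsml/v2}"

# Constructed sample import log: one add, one delete, one update.
SAMPLE_IMPORT_LOG = """<mmsml xmlns="http://www.microsoft.com/mms/mmsml/v2" step-type="delta-import">
  <directory-entries>
    <delta operation="add" dn="CN=GR2,OU=Groups,DC=example,DC=com">
      <attr name="cn"><value>GR2</value></attr>
    </delta>
    <delta operation="delete" dn="CN=GR1,OU=Groups,DC=example,DC=com">
      <anchor encoding="base64">QUJD</anchor>
    </delta>
    <delta operation="update" dn="CN=GR3,OU=Groups,DC=example,DC=com">
      <attr name="description"><value>changed</value></attr>
    </delta>
  </directory-entries>
</mmsml>
"""


def count_operations(log_xml):
    """Tally staged operations so an empty result can be told apart from a parse miss."""
    counts = {}
    for delta in ET.fromstring(log_xml).iter(MMSML_NS + "delta"):
        op = delta.get("operation", "unknown")
        counts[op] = counts.get(op, 0) + 1
    return counts


def staged_deletions(log_xml):
    """Return the DNs of every entry the import staged as a deletion."""
    return [
        delta.get("dn")
        for delta in ET.fromstring(log_xml).iter(MMSML_NS + "delta")
        if delta.get("operation") == "delete"
    ]


def deletion_log_lines(log_xml, ma_name, when=None):
    """Format one audit line per staged deletion, ready to append to a log file."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{stamp} MA={ma_name} event=staged-delete dn={dn}"
            for dn in staged_deletions(log_xml)]
```

Run it after each import step against the log file the MA run profile writes; a deletion recorded here covers GR1-style groups that had only the AD connector, where the rule extension is never consulted.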

All replies

  • Rishikesh,

    the object deletion rule always fires when a staged deletion for a connector is processed.

    However, if the deleted object was the last connector, the first option, to delete the MV object when the last connector is gone, is applied.

    This is by design. If the last connector is gone, there is nothing to be determined in a rules extension. The MV object MUST be deleted, since an MV object requires at least one connector as "existence justification".

    Cheers,

    Markus

    Friday, September 21, 2007 11:42 AM
    Moderator
  • Hi Markus,

    Thanks for your reply.

    But now my problem is how I would detect and log group deletion in AD for those groups which are created manually in AD and deleted manually in AD, as these objects are only projected to the metaverse (only one connector connected, i.e. the AD connector). Also, due to my business requirement, I cannot provision them to my SQL connector space.

    Any help or insight will be appreciated.

    Regards
    Rishikesh Singh
    Monday, September 24, 2007 5:48 AM