Sending notification for approve before changing the DN

  • Question

  • Hi,

    I am a beginner in administration of the FIM platform.

    I need to have a workflow to approve the modification of the DN of users.

    Currently, for AD provisioning, we use a script and a DLL extension to calculate the DestinationOU for each account to create in Active Directory. The calculation is based on values in the Human Resource database. In some cases, the values are modified, and the corresponding AD account should be moved (according to the new values in the HR database).

    I need to approve each modification for these accounts before the accounts are moved.

    How can I do it?

    Regards.

    Monday, December 7, 2015 9:40 PM

All replies

  • What kind of updates do you get on the DN, and what is the logic, in plain English?


    Nosh Mernacaj, Identity Management Specialist

    Monday, December 7, 2015 9:45 PM
  • Hi,

    I would advise to bring the "value in Human Resource Database" into the FIM scope. If you let FIM manage this attribute, we can act when this value changes and even approve the change before the new value is accepted by FIM.

    So if I understand correctly, you will have to configure an authorization workflow that needs approval to update the particular attribute. Then you can trigger the generation of a new DN based on this (changed) attribute. Make sure to look at the PowerShell Activity available on CodePlex. If you are using a PowerShell script to generate a DN, you can easily add it to the workflow with some minor changes and have your DN generated instantly after approving the new value.

    Since you are a FIM beginner, I suggest you look closely at the default "Owner Approval Workflow" workflow and the default "Group Management Workflow: Owner Approval on add member" MPR. Those will basically (with a few changes) do what you want in terms of approving the change. Add in a custom DLL or PowerShell activity to generate the DN and you are all set!

    Good luck!


    Wouter Landuyt | IS4U FIM/MIM Expert Blog: blog.is4u.be

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. Thank you!

    Wednesday, December 9, 2015 12:43 PM
  • Hi,

    Thank you for your reply.

    In fact, we use a DLL exception to calculate the DN of the user:

    This DLL uses a scalar function in the database server (this function calculates the DestinationOU) based on a mapping table (this table contains the values from HR and the corresponding OU levels in Active Directory).

    Since these values change in HR (without updates in the mapping table), the users will be moved to the default OU. Before moving the users to the default OU (or any OU), I want to have a notification/approval message to do it or to allow this move of users.

    How can I use the "Owner Approval Workflow"? Can you give me an example, please?

    Regards.

    Wednesday, December 9, 2015 4:14 PM
  • You have 2 options to transfer the logic from the "TT.Extension.dll" rules extension: either a custom C# workflow activity or a PowerShell script that you run with a custom PowerShell activity.

    You will then have to create an MPR that triggers when changes are made to the HR attribute (in FIM) and link this to an approval workflow to approve the change of the HR attribute. Then, after the approval, launch the workflow that holds your TT.Extension.dll logic to generate a new DN (which also should be managed by FIM).

    Here you can find a detailed example on the approval & notification workflow

    It describes the scenario to approve a new user to a manually managed group, and can be implemented for your scenario (approve new value to HR attribute, which then launches another action workflow to generate the DN).

    Good luck!


    Wouter Landuyt | IS4U FIM/MIM Expert Blog: blog.is4u.be

    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer. Thank you!

    • Proposed as answer by Wim Beck Friday, December 11, 2015 9:26 AM
    Thursday, December 10, 2015 2:18 PM
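
The DN-generation step discussed in this thread, sketched as an added example (not code from any poster, and not the TT.Extension.dll logic): a PowerShell script that computes the proposed DN from HR values and reports which accounts would move, so that nothing is moved before approval. The mapping table, OU names, HR values and function names are constructed assumptions; the script calls no FIM or Active Directory API.

```powershell
# Constructed mapping table: "Department|Site" from HR -> destination OU.
$OuMap = @{
    'FIN|Paris'   = 'OU=Finance,OU=Paris,OU=Users,DC=example,DC=com'
    'IT|Brussels' = 'OU=IT,OU=Brussels,OU=Users,DC=example,DC=com'
}
$DefaultOu = 'OU=Unassigned,OU=Users,DC=example,DC=com'

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # Trim first so no leading/trailing space needs escaping, then escape the
    # characters that are special inside a DN component, then a leading '#'.
    $escaped = [regex]::Replace($Value.Trim(), '([,+"\\<>;=])', '\$1')
    return ($escaped -replace '^#', '\#')
}

function Get-PendingDnChange {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$CurrentDn,
        [string]$Department,
        [string]$Site
    )
    $key      = "$Department|$Site"
    $mapped   = $OuMap.ContainsKey($key)
    $targetOu = if ($mapped) { $OuMap[$key] } else { $DefaultOu }
    $newDn    = 'CN={0},{1}' -f (ConvertTo-EscapedRdnValue $DisplayName), $targetOu
    [pscustomobject]@{
        CurrentDn         = $CurrentDn
        ProposedDn        = $newDn
        MoveRequired      = ($newDn -ne $CurrentDn)   # -ne ignores case, like DN matching in AD
        FellBackToDefault = -not $mapped              # HR value missing from the mapping table
    }
}

# Constructed HR records: the second carries a department that is not in the map.
$hrRecords = @(
    @{ DisplayName = 'Smith, Anna'; Department = 'FIN'; Site = 'Paris'
       CurrentDn = 'CN=Smith\, Anna,OU=IT,OU=Brussels,OU=Users,DC=example,DC=com' },
    @{ DisplayName = 'Jan Peeters'; Department = 'FINANCE-NEW'; Site = 'Paris'
       CurrentDn = 'CN=Jan Peeters,OU=Finance,OU=Paris,OU=Users,DC=example,DC=com' }
)

# Report the moves that would need approval; nothing is moved here.
$pending = foreach ($r in $hrRecords) { Get-PendingDnChange @r }
$pending | Where-Object { $_.MoveRequired } | Format-List
```

The `FellBackToDefault` flag marks the case raised in the question, where an HR value has no entry in the mapping table and the account would otherwise land in the default OU.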