none
Employee End Date attribute flow for account deprovisioning RRS feed

  • Question

  • Hi All,

    At my current client, we read the HR data in the form of a file extract and use it for account provisioning and deprovisioning. In particular, the deprovisioning activity is triggered by the employee end date attribute which is supplied in the HR extract - when this end date passes the user object is disabled and moved to the disabled users OU. Further, we also flow this to the accountExpires AD attribute (coded a RE do to that)

    Now, the IT team have requested that they be able to overwrite this end date in the portal since sometimes the end dates in HR are incorrect, leading to disabling active users. We initially got around this by setting this attribute to equal precedence between the HR extract and the FIM portal (I know equal precedence is being deprecated in future releases, but thats a separate topic of discussion). Now this works fine, except that when we do a full import + full sync on the HR extract (once a day on a task schedule), it overrides the end date in the Portal with the HR data and the IT team have do again go an re-enable this account. They are looking for an option to permanently override the end date unitl it changes in the HR extract, in which case the HR extract date should be used.

    IF we use delta syncs all the time then this is fine and the last value changed will be the one used, however when we do a full sync on the HR MA then that value always overrides the FIM value. I tried to do a RE for this by trying to query the HR connector space object for the user to see when was the last modification time stamp of this attribute and if it is greater than the one in the metaverse then flow it in, however I cannot query the timestamp of the attributes in the CS.

    Any suggestions on how to best go about this?

    Thanks in advance and sorry for the long post!


    • Edited by kmittal82 Thursday, April 3, 2014 9:18 AM
    Thursday, April 3, 2014 9:17 AM

All replies

  • Update:

    I've got this working with a RE. Added a new attribute to the MV (say HREndDate) and flow in the end date from HR into both HREndDate. For employeeEndDate flow, theres a rules extension which checks the last contributing MA for employeeEndDate, and if its the FIM MA, then I check the time of contribution of this attribute. If this time is before the time being contributed my the HR MA for the HREndDate, then I override this attribute with the HR value otherwise leave it as it is. 

    Will put it through some more rigorous testing but it seems to work for now


    Thursday, April 3, 2014 11:06 AM
  • I sometimes add a few extra attributes in the FIM portal, called ie OverrideEndDate and CalculatedActualEndDate; then I create a workflow to calculate the ActualEndDate by picking the right one when either OverrideEndDate or HRDateChanges.

    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt


    Tuesday, April 8, 2014 8:30 AM
  • Thanks Soren, sounds like a good plan and a better implementation.
    Tuesday, April 8, 2014 8:32 AM
  • Great.

    Have a look at my Code Run workflow that may assist you in calculating the correct date - http://fimactivitylibrary.codeplex.com/wikipage?title=Code%20Run&referringTitle=Documentation

    Shameless plug, I know :-D


    Regards, Soren Granfeldt
    blog is at http://blog.goverco.com | facebook https://www.facebook.com/TheIdentityManagementExplorer | twitter at https://twitter.com/#!/MrGranfeldt

    Tuesday, April 8, 2014 8:35 AM
  • Not at all, your plugins have been a lifesaver!!
    Tuesday, April 8, 2014 8:37 AM