Email notification to admin when account is deprovisioned or disabled

  • Question

  • Hi Guys,

    I am trying to set up an email notification to the Admin when an account is deprovisioned from SQL or disabled in AD, either through a Rule Extension or a Sync Rule. Any solution will be helpful.

    Regards


    Sarwar

    Wednesday, June 25, 2014 11:42 PM

Answers

    1. You have added this attribute to FIMSynch schema.
    2. You have added this attribute in FIMService schema.
    3. You have added binding to Person in FIM Service.
    4. You have added import flow from AD with UAC to this attribute.
    5. You have added export flow to FIM MA of UAC attribute.
    6. You have invoked FI -> FS on AD MA and verified that this attribute in FIM MA would be exported.
    7. You have exported attribute to FIM Service.

    Have you done all those steps? If not, please do them as those are needed to have attribute in FIM Service.

    Make sure you have at least one user with "514" to check the Set.

    And your set should be as here (make sure that you have picked "any"):

    I used Postal Code attribute as I don't have UAC attribute in my schema.


    • Marked as answer by naveeds Tuesday, July 1, 2014 2:10 AM
    Friday, June 27, 2014 6:57 AM
  • Sarwar,

    Have you flowed the value of the UAC attribute back from AD to FIM? If not, please flow the same value as Dominik suggested. After the attribute flow, you will be able to find users in the Set Criteria.


    Regards,
    Manuj Khurana

    • Marked as answer by naveeds Tuesday, July 1, 2014 2:10 AM
    Friday, June 27, 2014 12:47 PM

All replies

  • As you have written about both Rule Extension and Sync Rule, I assume you have FIM Sync and FIM Service in your environment.

    In that case I would rely on one attribute (let's say "whoDisabled") that could have three values: "NONE, RE, SR".

    • For a standard active user it would have "NONE" as its value.
    • If your Rule Extension disables such a user (on detecting that it has been deleted from SQL), this user would have "RE" as the whoDisabled attribute.
    • If your Sync Rule disables the user, whoDisabled would be "SR".

    Now I would create 2 Sets:

    • Users with whoDisabled=RE
    • Users with whoDisabled=SR

    Now you create two Transition In MPRs for those sets, and in each MPR you specify a workflow with an email notification to the Admin.


    Thursday, June 26, 2014 5:38 AM
  • Thanks Dominik. Actually I am using the ADMA Rule Extension to disable the account in AD when it is disconnected from my SQLMA. What I understood from your solution is that I have to create a custom attribute "whoDisabled" and set criteria with three values (NONE, RE, SE) and then create two Sets and MPRs, but I didn't understand how I could flow the account-disabled value, because whoDisabled is a custom recipient and I was trying to use the userAccountControl attribute. I am not interested in using both Rule Extension and Sync Rule, just one that works for me.

    Sarwar

    Thursday, June 26, 2014 6:01 AM
  • Ok, now I know more about your solution :)
    Do you leave accounts in FIM Service once they are disabled in AD? If so, just create a set of those disabled users.

    To calculate whether a user is disabled in AD, just calculate it from userAccountControl. Then pass the value to FIM Service.


    Thursday, June 26, 2014 6:22 AM
  • Thanks Dominik again for your quick reply.

    Yes, absolutely: when an account is deleted in SQL, it is disabled in AD and stays in FIM. I am not an expert like you and am struggling to do the above. I have successfully configured the notification when an attribute changes, but I couldn't find the userAccountControl attribute to pass the value into the Set like other attributes (for example department). I would appreciate it if you could explore this further :)


    Sarwar

    Thursday, June 26, 2014 7:06 AM
  • UserAccountControl isn't in the FIM schema by default so you won't be able to use it in a set definition. You can either use an existing attribute and link its value to userAccountControl or extend the FIM schema to hold userAccountControl and flow from the metaverse.
    Thursday, June 26, 2014 8:38 AM
  • Sarwar,

    We are doing this already by flowing User Account Control back to the FIM Portal. Hence after disablement the value changes to "514", which you can use in a set criterion and which can trigger a Transition-In MPR by creating a mail notification workflow for it.

    But to flow the User Account Control attribute, I suggest you create a new custom attribute in FIM.


    Thanks, Manuj Khurana

    Thursday, June 26, 2014 10:57 AM

  • "We are doing this already by flowing User Account Control Back to FIM Portal. Hence after disablement the value changes to "514""

    Don't stick to 514 only, as it is not always true. You can have, for example, 66050 - Disabled, password never expires.

    Thursday, June 26, 2014 12:05 PM
  • This article shows how to get the AD account status and place it into the mv employeeStatus value. From there I would create the disabled set and a transition MPR to send the email when a new disabled account enters the set.

    Thanks,

    Scott


    Thursday, June 26, 2014 12:50 PM
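    One way to implement what Dominik and Scott describe above, i.e. computing the disabled state from the userAccountControl bit rather than matching the single value 514, and flowing it into a metaverse employeeStatus attribute: an added C# rule-extension sketch for the AD MA, not code from this thread. The class name, the flow rule name "uacToEmployeeStatus" and the "Active"/"Disabled" values are assumptions.

    ```csharp
    using System;
    using Microsoft.MetadirectoryServices;

    // Hypothetical AD MA rule extension (class and flow rule names assumed).
    public class ADMAExtension : IMASynchronization
    {
        // ACCOUNTDISABLE bit of userAccountControl (0x0002).
        private const long AccountDisable = 0x0002;

        // True when the disabled bit is set, whatever other bits are present:
        // 514, 66050 and 66082 are disabled; 512, 66048 and 66080 are enabled.
        public static bool IsDisabled(long userAccountControl)
        {
            return (userAccountControl & AccountDisable) != 0;
        }

        // Value flowed to the metaverse; a set can then test employeeStatus = "Disabled".
        public static string ToEmployeeStatus(long userAccountControl)
        {
            return IsDisabled(userAccountControl) ? "Disabled" : "Active";
        }

        // Advanced import flow cd.user:userAccountControl -> mv.person:employeeStatus.
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            switch (FlowRuleName)
            {
                case "uacToEmployeeStatus":
                    if (csentry["userAccountControl"].IsPresent)
                        mventry["employeeStatus"].Value =
                            ToEmployeeStatus(csentry["userAccountControl"].IntegerValue);
                    else
                        mventry["employeeStatus"].Delete();
                    break;
                default:
                    throw new EntryPointNotImplementedException();
            }
        }

        // Remaining IMASynchronization members are not used by this flow.
        public void Initialize() { }
        public void Terminate() { }
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values) { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType) { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry) { throw new EntryPointNotImplementedException(); }
    }
    ```

    With employeeStatus exported to FIM Service, the set criterion becomes employeeStatus = "Disabled", so new UAC combinations such as 66050 are caught without listing every value.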
  • Well, not sticking to only 514, you can try applying DRE with the attribute "User Account Control". You can use DRE in the set criteria, which will confirm that users are disabled with FIM only, and then you can use a set transition MPR to trigger the mail.

    Regards,
    Manuj Khurana


    Thursday, June 26, 2014 1:50 PM
  • Hi Manuj,

    Thanks for your solution; I have been trying the same, but the issue, as mentioned by Dave, is that UserAccountControl isn't in the FIM schema by default so you won't be able to use it in a set definition. As suggested, I created a custom attribute in FIM named UserAccountControl, but it doesn't show any user if you use it in a set criterion like userAccountControl=514/512/66048/66050/66080/66082.

    Any suggestions please!


    Sarwar


    • Edited by naveeds Friday, June 27, 2014 1:18 AM Add More
    Friday, June 27, 2014 12:53 AM
  • Thanks Dominik and Manuj, All works fine now with the help of you guys.

    Sarwar

    Tuesday, July 1, 2014 2:11 AM