About a deleted user's operation

  • Question

  • Please let me ask a question.

    Synchronizing SQL Server Objects to AD using ILM2007.

    <Purpose>

A: When a user is deleted from SQL, I would like to perform the following processing.

     1. UserAccountControl = 514;

     2. DN="OU=RetiredUser,OU=UserOU,DC=local.DC=com";

    B: Join when a user with the same sAMAccountName is created in SQL.

<Tried contents>

    1. Deprovisioning code -> MV object deleted -> B is not possible

    2. Provisioning code -> UserAccountControl is read-only -> A is not possible
     #System.InvalidOperationException: attribute userAccountControl is read-only

--------------------

    // Provisioning method of the metaverse rules extension (IMVSynchronization).
    // Requires: using Microsoft.MetadirectoryServices;
    void IMVSynchronization.Provision(MVEntry mventry)
    {
        ConnectedMA ma = mventry.ConnectedMAs["ADMA"];
        int ADMAconnect = ma.Connectors.Count;
        int SQLconnect = mventry.ConnectedMAs["SQL_User_MA"].Connectors.Count;

        // The SQL connector is gone but the AD connector remains: the user was deleted in SQL.
        if (SQLconnect == 0 && ADMAconnect == 1)
        {
            CSEntry csentry = ma.Connectors.ByIndex[0];

            // Moves the disabled user account to another container.
            // DN components are comma-separated (the original had "DC=local.DC=com").
            string container = "OU=RetiredUser,OU=UserOU,DC=local,DC=com";
            string rdn = "CN=" + csentry["samAccountName"].Value;
            //csentry["userAccountControl"].Value = "514"; <error Point: userAccountControl is read-only during Provision>
            ReferenceValue dn = ma.EscapeDNComponent(rdn).Concat(container);
            csentry.DN = dn;
            //throw new UnexpectedDataException(rdn);
        }
    }

    -------------------

    3. ADMA > Attribute Flow > rules extension coding.
       But a user deleted from the DB does not go through the export rule.

    -------------------
    // Advanced export flow rule "UAC" in the AD MA rules extension (IMASynchronization).
    void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        if (FlowRuleName == "UAC")
        {
            //throw new EntryPointNotImplementedException(temp);
            if (mventry.ConnectedMAs["SQL_User_MA"].Connectors.Count == 0)
            {
                // No SQL connector left: disable the account (512 | 2 = 514).
                csentry["userAccountControl"].Value = "514";
            }
            else if (mventry["userAccountControl"].IsPresent)
            {
                // SQL still owns the user: flow the metaverse value through.
                // (IsPresent guard avoids an exception when the MV attribute is empty.)
                csentry["userAccountControl"].Value = mventry["userAccountControl"].Value;
            }
        }
    }
    -------------------

I am very troubled by this.

    Is there any good method?

    I would appreciate any advice.


    • Edited by 梅崎 Sunday, July 14, 2013 12:53 AM
    Sunday, July 14, 2013 12:34 AM

Answers

  • The best approach I find to handle your requirement is NOT to delete the MV object when the SQL connector is deleted.  Your existing provisioning logic looks OK - this should fire on the disconnection OK.  I suspect your problem is not with your code but with your "UAC" advanced export flow rule - from memory you will need to select the <objectID> metaverse attribute in your selected attributes list for your flow rule to ensure it ALWAYS runs this code (since you always need SOME sort of metaverse change to trigger your code).

    A variation on your above approach might be to use a metaverse attribute with a value that is only ever contributed by your SQL MA - and use the removal of the value (can be a constant) from this property as a trigger for your export flow rule.


    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using Event Broker 3.0 for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

    • Marked as answer by 梅崎 Wednesday, July 17, 2013 9:30 AM
    Monday, July 15, 2013 3:29 PM
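To make the two triggers in the answer above concrete (no SQL connector left, or a SQL-only metaverse attribute being recalled), here is an added AD MA rules extension. It is not the original poster's or Bob Bradley's code. The MA names "ADMA" and "SQL_User_MA" and the flow rule name "UAC" come from the question; the metaverse attribute "sqlSource" is an assumption standing in for whatever attribute only the SQL MA contributes. The bit values come from the AD userAccountControl definition (ACCOUNTDISABLE = 0x2, NORMAL_ACCOUNT = 0x200, so 512 + 2 = 514).

```csharp
// Added example; not the original poster's or Bob Bradley's code.
// Assumed names: MA "ADMA" / "SQL_User_MA" and flow rule "UAC" come from the
// question; MV attribute "sqlSource" is an assumption (any attribute that only
// the SQL MA contributes will do).
using System;
using Microsoft.MetadirectoryServices;

public class MAExtensionObject : IMASynchronization
{
    // userAccountControl flag bits as defined by Active Directory.
    private const long UF_ACCOUNTDISABLE = 0x0002;   // account is disabled
    private const long UF_NORMAL_ACCOUNT = 0x0200;   // 512; 512 | 2 = 514

    public void Initialize() { }
    public void Terminate() { }

    // Members not used by this scenario keep the standard template behaviour.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    { throw new EntryPointNotImplementedException(); }

    // Advanced export flow "UAC" on the AD MA. As the answer notes, the rule's
    // source attribute list must include <object-id> (or the SQL-only attribute)
    // so the sync engine evaluates it on every MV change, including the change
    // caused by the SQL connector disconnecting.
    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        if (FlowRuleName != "UAC")
            throw new EntryPointNotImplementedException();

        // Either trigger means the person no longer exists in SQL:
        //  1. no connector is left in the SQL MA, or
        //  2. the SQL-contributed MV attribute has been recalled.
        bool retired = mventry.ConnectedMAs["SQL_User_MA"].Connectors.Count == 0
                    || !mventry["sqlSource"].IsPresent;

        // Start from the current AD value so unrelated flags (password never
        // expires, smart card required, ...) survive; fall back to a normal
        // account when the connector has no value yet.
        long uac = csentry["userAccountControl"].IsPresent
                 ? csentry["userAccountControl"].IntegerValue
                 : UF_NORMAL_ACCOUNT;

        if (retired)
        {
            uac |= UF_ACCOUNTDISABLE;                         // e.g. 512 -> 514
        }
        else if (mventry["userAccountControl"].IsPresent)
        {
            uac = mventry["userAccountControl"].IntegerValue; // SQL is authoritative again
        }
        else
        {
            uac &= ~UF_ACCOUNTDISABLE;                        // re-enable after a re-create and join
        }

        csentry["userAccountControl"].IntegerValue = uac;
    }
}
```

Two configuration points decide whether this code ever runs. First, the MV object must survive the SQL disconnection: set the object deletion rule for the object type in Metaverse Designer so that losing the SQL MA connector does not delete it (or, if deletion is rules-extension driven, return false from IMVSynchronization.ShouldDeleteFromMV while an AD connector remains), otherwise the AD connector is deprovisioned and the join in requirement B is impossible. Second, the two triggers interact differently with the SQL MA's attribute recall setting: the connector-count trigger works with "Do not recall attributes contributed by objects from this management agent when disconnected" checked, whereas the "sqlSource" variation relies on that attribute being recalled, so the two should not be combined with recall disabled.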

All replies

• Thank YOU UNIFYBob

    Checkbox: checked
    Configure Deprovisioning > Do not recall attributes contributed by objects from this management agent when disconnected.

    The MV attributes are not deleted when the SQL data is deleted.

    Thank you very much

    Wednesday, July 17, 2013 9:35 AM