Synchronization Service - Step Handlers

Hi,

We just recently implemented the Active Roles Synchronization Service in our organization to aid in employee onboarding.

I am wondering what the "Step Handlers" can be used for? The documentation says the following:

"Sync workflow step handlers allow you to automatically perform custom actions either before running a workflow step or after the workflow step run results have been committed (written) to the data system. Out of the box, Synchronization Service includes a single predefined handler type that can automatically execute your custom PowerShell script and thus perform the desired action."


I was hoping to be able to use this to read the data collected from our HR software, check a specific attribute we are receiving from that system, and if it is set to a specific value, trigger an alert.

I tried using the $Srcobj hash table that is detailed in the documentation, but this appears to be only be available in the "Creation Rules".

Is there a way to reference objects in the source location from scripts running in the "Step Handlers" step?


Cheers

    • Thank you for your incredibly detailed response. I am not going to lie, it went a little over my head.
    • The "source" or "HR" data is a DB. I unfortunately do not have any control over the data coming from the DB. 
    • I wish I could post screenshots easily as it would be slightly easier to explain, I will try and give additional details below.

    • Cool name!
    • I will try and provide more detail below.

    Details about our environment

    • Source: Database
    • Target: ARS/AD

    Creation Step

    • We have a step that takes users from the DB and creates them in ARS/AD.
    • This step has a filter. Attribute_A = Employed, Attribute_B = true

    What I would like to do

    • Any user that has the following: 
      • Attribute_A = Employed
      • Attribute_B = false
      • This means the user will not be created
    • A notification will be sent to the HR department with details about the user explaining that there is an issue with the provided details and it will not be created.

    I thought I might be able to use a Step Handler to trigger this alert. Preferably, if I could send the alert prior to any commits, that would be great. But it could also happen after the fact.

    I am just looking for a way to trigger some sort of alert based on the data that the Sync Service is reading from the source. If this can also be accomplished while the "creation step" is actually running, that would be great as well.

    I created a simple script to basically demonstrate what I would want to do: collect and then send:

    # Read the source attributes exposed to the script through the $srcObj hash table
    $strSourceFname=$srcObj["First_Name"]
    $strSourceLname=$srcObj["Last_Name"]
    $strSourceOffice=$srcObj["Office_Location"]
    $strSourceEmployeeID=$srcObj["Personnel_Number"]
    $strSourceDataV=$srcObj["Data_Validation"]
    
    # Build the message body, one field per line
    $body = "First Name: " + $strSourceFname + "`n"
    $body += "Last Name: " + $strSourceLname + "`n"
    $body += "Office: " + $strSourceOffice + "`n"
    $body += "EmployeeID: " + $strSourceEmployeeID
    
    # Alert only when the validation flag coming from HR is false
    If ( $strSourceDataV -eq "false" )
    {
         Send-MailMessage -From "some email" -To "some email" -Subject "Clean Data" -SmtpServer 'some server' -Body $body
    }

    Maybe Step Handler isn't the right place to do something like this?

  • One approach to this is to clear all other Synchronization Scope filtering (at the connection level) as well as Creation Criteria conditions (at the Provisioning step level) and write a custom PowerShell script to analyze the source data and make the determination if the object should be created or skipped and an alert sent out.

    Here is a very crude sample script I wrote to demonstrate how you might accomplish this. You add this script to the Source section in the Provisioning workflow step. Expand Creation Criteria and click Add condition in the "Source objects must meet these conditions". Click the down arrow next to Attribute and select "PowerShell Script". Use the script below modified with your script to get the results you want. My script simply logs to a file, but use your Send-MailMessage cmdlet to send an email. Just be sure to set the proper return value. Then back on the "Add Condition" screen, select "Is Exactly" and enter the return value that the script is returning if you want the object to be created, "True" in my example. Otherwise, if the value is not True then the record will be skipped.

    # Retrieve the data validation from the source object
    $DataValidation = $srcobj["extensionAttribute1"]
    if ( $DataValidation -eq "True" )
    {
       # This object is to be created, set provision filter value to True
       $ProvisionCondition = "True"
    }
    Else
    {
       # Value is something other than True, obtain other object data and send alert, or log to file...
       $FN = $srcobj["givenName"]
       $LN = $srcobj["sn"]
       # Log to output file, send alert... and set provision filter to False to skip this record
       $FN + " " + $LN + " has been skipped" | Out-File "C:\Logging\SyncService_usersskipped.log" -append
       $ProvisionCondition = "False"
    }
    # Return Creation Criteria value
    $ProvisionCondition
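    A fuller Creation Criteria script for the exact case described in this thread (Attribute_A / Attribute_B read from the HR database), added here as an example; it is not Richard's script and not One Identity's code. It assumes the attribute names quoted above, placeholder mail settings, and that the script's only output is the condition value compared with "Is Exactly" / True.

```powershell
# Creation Criteria script (Provisioning step > Creation Criteria > PowerShell Script).
# Outputs "True" when the source row should be provisioned and "False" when it should be
# skipped and HR notified. Nothing else may be written to the output stream, because the
# condition compares the script's output with the value entered in "Is Exactly".
$From       = 'sync-service@example.invalid'    # placeholder, replace
$To         = 'hr-data-quality@example.invalid' # placeholder, replace
$SmtpServer = 'smtp.example.invalid'            # placeholder, replace
$LogFile    = 'C:\Logging\SyncService_usersskipped.log'

# Source attributes come from the $srcObj hash table; cast to string so a DBNull/empty
# cell compares like an empty string instead of throwing.
$Status     = [string]$srcObj['Attribute_A']
$Validated  = [string]$srcObj['Attribute_B']
$EmployeeID = [string]$srcObj['Personnel_Number']

# Not an active employee: out of scope for creation, no alert (other steps handle it).
if ($Status -ne 'Employed') { return 'False' }

# Active employee whose HR data passed validation: provision as normal.
if ($Validated -eq 'true') { return 'True' }

# Active employee with Attribute_B false or blank: skip the record and tell HR which one.
$Body = @(
    "The HR record below was not created in AD because Attribute_B is not 'true'.",
    "",
    "Personnel_Number: $EmployeeID",
    "First_Name:       $($srcObj['First_Name'])",
    "Last_Name:        $($srcObj['Last_Name'])",
    "Office_Location:  $($srcObj['Office_Location'])",
    "Attribute_B:      '$Validated'"
) -join "`r`n"

try {
    Send-MailMessage -From $From -To $To -SmtpServer $SmtpServer `
        -Subject "Sync Service: HR record $EmployeeID not provisioned" -Body $Body -ErrorAction Stop
} catch {
    # A mail failure must not change the provisioning decision; log it for follow-up.
    "$(Get-Date -Format s) mail failed for $EmployeeID : $($_.Exception.Message)" |
        Out-File -FilePath $LogFile -Append
}
"$(Get-Date -Format s) skipped $EmployeeID (Attribute_B='$Validated')" |
    Out-File -FilePath $LogFile -Append

return 'False'
```

    Because the script returns "False" for every non-Employed row as well, the step no longer needs the Attribute_A filter; the alert is only sent for the Employed-but-unvalidated combination the thread describes.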
  • This is a very intriguing solution and is fairly easy to implement.

    I will definitely give this a try.

    Give me a little time to implement and I will update this thread once tested.

    Cheers


    Side note, One Identity should allow screenshots to be directly uploaded to their forums. It would make communicating issues and solutions a lot easier in my opinion!

  • That's correct. Provision (Update, Terminate) Job Step | "Source Object Must Meet the Criteria" filtering. Example IF "Contract End Date" < Today THEN do not create, do not update, Deprovision.

  • Hi Richard,

    Sorry I haven't responded in forever, I am just curious if there is a way to reference the target object?

    You reference the source object using "$srcobj". I am curious if there is something similar to reference the target object?

    Cheers
