Allow Delegated IT Staff to Unmap Accounts (Synchronization Service) or Script it

Hello,

I am looking for ideas on how to best allow other IT team members to "unmap" Active Directory accounts from various Synchronization Service Workflows. Currently only ARS Admins have the ability to do this but I would like to extend this access to a wider team without granting them Admin access.

I was also thinking if there is a way to unmap an account through the management shell. If so, I could create a Virtual Attribute that kicks off the unmapping script when updated but I have not found a way to unmap through PowerShell or the sync service shell.

Any ideas would be welcome.

Thanks

Josh

  • Hello Josh,

    These resources should be useful:

    Title: Scheduling or automating an "Unmap"
    Solution: 211844
    URL: support.oneidentity.com/.../211844

    Title: HOW TO: Importing the Active Roles Synchronization Service Management Shell module into PowerShell scripts
    Solution: 231365
    URL: https://support.oneidentity.com/kb/231365

    -Terrance

  • Hi Terrance,

    Do you have a different link for solution 211844? It doesn't appear to be valid. From the title, it does look like exactly what I am looking for.

    Thanks,

    Josh

  • Josh,

    Sorry, someone marked that solution as "Internal" and I overlooked it.

    It should be public, but I cannot correct that at the moment. Instead, here are the contents of that solution:

    • Title

      Scheduling or automating an "Unmap"
    • Description

      Mapped data in Quick Connect and the Active Roles Synchronization Service is cumulative, and only removed by an Unmap. In some processes, if the mapped attribute is changed post-mapping (which is not a best-practice), then this may lead to the product losing data integrity. An automated Unmap is a possible workaround for these types of issues, although a process redesign is recommended as a true fix, if possible.
    • Cause

      At this time, there is no option in the Quick Connect or the Active Roles Synchronization Service which allows for a scheduled Unmap action.

    • Resolution

      It is possible to leverage the Quick Connect or Synchronization Service Management Shell in order to automate or schedule an Unmap.

      The below PowerShell script is provided as a Proof of Concept, and might be used as a model for a solution which addresses this need.

      This script leverages an Active Roles source connection called "ARS" and a SQL target connection called "SQL" and unmaps objects of type "User" which are mapped to associated objects of type "SQL-Object".

      # ===================================================
      # DISCLAIMER
      # *****************************************************************************
      # THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
      # EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
      # WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE
      # *****************************************************************************
      # Run this from the Quick Connect / Synchronization Service Management Shell,
      # or import the Management Shell module first (see solution 231365).

      function getMappedObject($userObject){
          # Return the object mapped to $userObject in the target connection and
          # object class below; returns nothing when the object is not mapped.
          $mappedObject = Get-QCMappedObjects -QCObject $userObject |
              Where-Object { ($_.ConnectionName -eq "SQL") -and ($_.ObjectType -eq "sql-object") } # Target connection name and object class
          return $mappedObject
      }

      function main {
          Write-Host "Unmapping objects..."
          $count = 0
          $conn = Get-QCObject -Connection "ARS" -ObjectType "User" # Source connection name and object class

          $conn | ForEach-Object {
              $mapped = getMappedObject $_
              if ($mapped) {
                  $count += 1
                  Start-QCObjectUnmap -QCObject1 $_ -QCObject2 $mapped | Out-Null
              }
          }

          Write-Host "Unmapping complete."
          Write-Host "$count objects unmapped."
      }

      main

  • I have corrected the above solution and made it public. The script is still valid for recent versions of Active Roles Synchronization Service and Quick Connect.

    It could also be modified to selectively un-map specific objects only.
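    As an added example (not from the knowledge base article or from One Identity), here is the selective variant: it unmaps only the source objects matching a caller-supplied filter, supports -WhatIf so delegated staff can preview before touching anything, and appends an audit line per unmap. It assumes the same cmdlets, connection names and object types as the script above and that the Management Shell module is already imported (solution 231365); the filter property used in the usage lines (Name) and the log path are placeholders.

```powershell
# Added example: selective unmap with preview (-WhatIf) and an audit trail.
# Assumes the Management Shell module is imported and the thread's connection names.
function Unmap-SelectedObjects {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Evaluated against each source object; only objects returning $true are unmapped.
        # The property you test (e.g. Name) depends on what the QCObject exposes (placeholder).
        [Parameter(Mandatory = $true)]
        [scriptblock]$Filter,
        [string]$SourceConnection = 'ARS',
        [string]$SourceObjectType = 'User',
        [string]$TargetConnection = 'SQL',
        [string]$TargetObjectType = 'sql-object',
        # Audit log path (assumed); records operator, time, and the pair unmapped.
        [string]$LogPath = "$env:TEMP\qc-unmap.log"
    )

    $count = 0
    $candidates = Get-QCObject -Connection $SourceConnection -ObjectType $SourceObjectType |
        Where-Object $Filter

    if (-not $candidates) {
        Write-Warning "No $SourceObjectType objects in '$SourceConnection' matched the filter."
        return 0
    }

    foreach ($source in $candidates) {
        # Only mappings into the chosen target connection/object class are touched.
        $mapped = Get-QCMappedObjects -QCObject $source |
            Where-Object { $_.ConnectionName -eq $TargetConnection -and $_.ObjectType -eq $TargetObjectType }
        if (-not $mapped) { continue }

        foreach ($target in $mapped) {
            # -WhatIf prints the intended action instead of performing it; -Confirm prompts.
            if ($PSCmdlet.ShouldProcess("$source -> $target", 'Unmap')) {
                Start-QCObjectUnmap -QCObject1 $source -QCObject2 $target | Out-Null
                $count++
                "$(Get-Date -Format o) $env:USERDOMAIN\$env:USERNAME unmapped '$source' from '$target'" |
                    Add-Content -Path $LogPath
            }
        }
    }
    return $count
}

# Preview first, then run for real (Name is a placeholder property):
# Unmap-SelectedObjects -Filter { $_.Name -eq 'jsmith' } -WhatIf
# Unmap-SelectedObjects -Filter { $_.Name -eq 'jsmith' }
```

    Wrapping this function in the Virtual Attribute trigger described in the question gives delegated staff a single-object unmap without Admin rights, and the log file shows who unmapped what.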