Hey,
I'm just wondering if it is possible to disable the ability to delete a user account, unless it has been deprovisioned.
Thanks,
SJ
You could customize the Delete menu item for user objects in the web UI such that it checks to see if the edsvaDeprovisionStatus = 1.
See the Command Visibility Options section of the documentation.
Have a look see and re-post here if you have further questions.
Alternatively, you could simply not grant delete permissions at all and make the deletion part of your deprovisioning policy - for example, such that objects that are deprovisioned get deleted the next day or whatever interval you want.
Command visibility options! Brilliant, thank you!
One further question on the same topic...
Could a workflow further apply granularity to this particular feature? I've been experimenting with that in our test env, but can't get it to work...
... to use multiple if/else branches, examining edsvaDeprovisionStatus, one branch performing "Delete Object" if equals "1" ; the other performing "stop/break" (with notification "cannot delete" - not sure how to do that) if empty or not equal to "1".
I guess workflow can't be used for this?
You can go at this a couple of ways:
1) If / then else
2) By looking at this property of the "Workflow Target" in the bottom pane of the start conditions of your workflow and screening out objects where the value is not '1'
Hey JohnnyQuest,
I've been trying to set this up with the following workflow, with no success. Admin is still able to delete without first deprovisioning, via ARS Web. Did I miss something?
Hey JohnnyQuest
I'm struggling to get the workflow working properly. The way it is set up it should block delete, if edsvaDeprovisionStatus <> 1 AND Initiator is member of ZZ-Test-GAM-A-Admins, but it is still allowing delete regardless. Am I missing something?
Links to screenshots of workflow...
put.c0r73x.net/93m8896n.png
put.c0r73x.net/52nzr6oa.png
put.c0r73x.net/x16fvv11.png
put.c0r73x.net/bxtz0fzj.png
put.c0r73x.net/48stt977.png
put.c0r73x.net/xkuorrnc.png
In the Initiator memberships, I think the logical operator should be 'contains' rather than 'equals'.