Attestation (System Entitlement Memberships) Deny decision does not remove the membership from employee OIDM - 8.1.2

Hi,

I created a custom Attestation policy from a copy of the System entitlement memberships attestation. I triggered the Attestation policy on an employee.

I selected Deny as the decision. However, the UNSGroupB is not removed from the employee's UNSAccountB.

I have checked the configuration parameters - QER\Attestation\AutoRemovalScope\UNSGroupInUNSGroup\RemoveDirect is enabled.

May I know where else I need to check, in order for the membership to be removed from the employee after denying the attestation?

Thanks.

  • Hi,

    What is the base object defined on your attestation procedure? If it's UNSAccountBInUNSGroupB it's not going to work. The OOB auto removal script only targets the UNS namespace.

    So if you want to attest ADSAccountInADSGroup or UNSAccountBInUNSGroupB you have to target UNSAccountInUNSGroup and further filter using the domain and/or the namespace.

    As you can see, the AutoRemovalScope config parameters target UNS objects.

    HTH, Barry.