• State Suggested Answer
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 94 subscribers
  • Views 1670 views
  • Users 0 members are here
Options
Related

Custom process executed or not depending on properties of Account definition

giuseppe denora_57852
over 3 years ago

Hello everyone,

in my lab with OIM 8.1.2, I have defined an Account Definition with:
"Retain account definition if permanently disabled" checked
"Retain account definition if temporarly disabled" checked

I defined a costum process with event DEACTIVATE-ADSAccount to send
emails to the employee's manager and other people when an employee
leaves the company or is temporarly disabled.

When an employee leaves the company, in OIM he becomes permanently deactivate
and its AD account is disabled  but my process is not executed.

if the Account Definition has the properties:
"Retain account definition if permanently disabled" UNchecked
"Retain account definition if temporarly disabled"  UNchecked

when an employee leaves the company, my process is executed.

I think this is a strange behaviour.

Giuseppe

Parents
  • 0 over 3 years ago

    Looks logical. According to You in second case AD account is disabled and so You get the mail. In first case AD account is not disabled!

    Move this process to Person table and trigger it on UPDATE and generation condition like

    Value = $IsInacive$ <> $IsInacive[o]$ and $IsInacive$ = True

    ...remeber that this is Identity management , and AD is just one of the target systems.

  • 0 over 3 years ago in reply to mekindad

    Hello mekindad,

    for the AD Accoount definition the properties "Retain account definition if permanently disabled" and "Retain account definition if temporarly disabled" checked or not, 

    the AD account is disabled in any case and this is correct: if an employee leaves the company  his AD account must be disabled.

     

    The properties "Retain account definition if permanently disabled" and "Retain account definition if temporarly disabled" are checked

    because I don't want the (deffered) deletion of the AD account when is disabled, but in this case the event DEACTIVATE-ADSaccount is not detected  which is an

    unwanted side effect.

     

     

      

     

  • 0 over 3 years ago in reply to giuseppe denora_57852

    The disabling of the user account is controlled by the settings in the manage level not by the account definition.

    You might want to check the settings there.

  • 0 over 3 years ago in reply to Markus Weiss-Ehlers

    Hello Markus,

    The "Full managed" level used in the Account Definition has the following checked settings:

    Disable user accounts if temporarly disabled;

    Disable user accounts if permanently disabled;

    Disable user accounts if deletion is deferred

    Lock user account on security risk

    Retain groups if user account disabled.

    I verified more than once:

    when the properties of the Account definition has the settings

    Retain account definition if permanently disabled checked
    Retain account definition if temporarly disabled    checked

    and when the employee leaves the company: the employee is disabled, the AD account is disabled but the custom process is not executed at the event DEACTIVATE-ADSAccount.

    When the properties of the Account definition has the settings

    Retain account definition if permanently disabled unchecked
    Retain account definition if temporarly disabled    unchecked

    and when the employee leaves the company: the employee is disabled, the AD account is disabled and the custom process is executed at the event DEACTIVATE-ADSAccount.

    giuseppe denora_57852 said:
    costum process with event DEACTIVATE-ADSAccount to send

Reply
  • 0 over 3 years ago in reply to Markus Weiss-Ehlers

    Hello Markus,

    The "Full managed" level used in the Account Definition has the following checked settings:

    Disable user accounts if temporarly disabled;

    Disable user accounts if permanently disabled;

    Disable user accounts if deletion is deferred

    Lock user account on security risk

    Retain groups if user account disabled.

    I verified more than once:

    when the properties of the Account definition has the settings

    Retain account definition if permanently disabled checked
    Retain account definition if temporarly disabled    checked

    and when the employee leaves the company: the employee is disabled, the AD account is disabled but the custom process is not executed at the event DEACTIVATE-ADSAccount.

    When the properties of the Account definition has the settings

    Retain account definition if permanently disabled unchecked
    Retain account definition if temporarly disabled    unchecked

    and when the employee leaves the company: the employee is disabled, the AD account is disabled and the custom process is executed at the event DEACTIVATE-ADSAccount.

    giuseppe denora_57852 said:
    costum process with event DEACTIVATE-ADSAccount to send

Children