Custom process executed or not depending on properties of Account definition

Hello everyone,

In my lab with OIM 8.1.2, I have defined an Account Definition with:
"Retain account definition if permanently disabled" checked
"Retain account definition if temporarily disabled" checked

I defined a custom process with event DEACTIVATE-ADSAccount to send
emails to the employee's manager and other people when an employee
leaves the company or is temporarily disabled.

When an employee leaves the company, in OIM he becomes permanently deactivated
and his AD account is disabled, but my process is not executed.

If the Account Definition has the properties:
"Retain account definition if permanently disabled" UNchecked
"Retain account definition if temporarily disabled" UNchecked

when an employee leaves the company, my process is executed.

I think this is a strange behaviour.

Giuseppe

  • Looks logical. According to you, in the second case the AD account is disabled and so you get the mail. In the first case the AD account is not disabled!

    Move this process to Person table and trigger it on UPDATE and generation condition like

    Value = $IsInactive$ <> $IsInactive[o]$ and $IsInactive$ = True

    ...remember that this is Identity Management, and AD is just one of the target systems.

  • Hello mekindad,

    for the AD Account definition, with the properties "Retain account definition if permanently disabled" and "Retain account definition if temporarily disabled" checked or not,
    the AD account is disabled in any case and this is correct: if an employee leaves the company, his AD account must be disabled.

    The properties "Retain account definition if permanently disabled" and "Retain account definition if temporarily disabled" are checked
    because I don't want the (deferred) deletion of the AD account when it is disabled, but in this case the event DEACTIVATE-ADSAccount is not detected, which is an
    unwanted side effect.

  • The disabling of the user account is controlled by the settings in the manage level not by the account definition.

    You might want to check the settings there.

  • Hello Markus,

    The "Full managed" level used in the Account Definition has the following checked settings:

    Disable user accounts if temporarily disabled;
    Disable user accounts if permanently disabled;
    Disable user accounts if deletion is deferred;
    Lock user account on security risk;
    Retain groups if user account disabled.

    I verified more than once:

    when the properties of the Account definition have the settings

    Retain account definition if permanently disabled checked
    Retain account definition if temporarily disabled checked

    and when the employee leaves the company: the employee is disabled, the AD account is disabled but the custom process is not executed at the event DEACTIVATE-ADSAccount.

    When the properties of the Account definition have the settings

    Retain account definition if permanently disabled unchecked
    Retain account definition if temporarily disabled unchecked

    and when the employee leaves the company: the employee is disabled, the AD account is disabled and the custom process is executed at the event DEACTIVATE-ADSAccount.


  • The event "Deactivate" is part of a deferred deletion of an object and is fired when you are trying to delete an object that has a delete delay > 0 configured at the DialogTable for this type of object. And exactly this is happening if you configure the "Retain account definition..." flags to false. In that case, the system is removing the account definition from the employee and this leads to a deletion of the account. Because a delete delay of 30 days is configured (by default), the system first disables the account, creates a deferred delete operation to be run in +30 days and fires the DEACTIVATE event.

    If the "Retain account definition..." flags are set to true, then the account is disabled because of the settings at the manage level.

    So back to the solution of mekindad, and change the process to listen on the person change, or attach it to the Update event and use a generation condition that listens to the change of the AccountDisabled flag to True.

    https://support.oneidentity.com/technical-documents/identity-manager/8.1.4/target-system-base-module-administration-guide/6#TOPIC-1533556
