Update in field XIsInEffect of table ADSAccountInADSGroup

Hello,

I need to update the "XIsInEffect" field of the "ADSAccountInADSGroup" table. When an employee is deactivated, I need to have the AD account activated, and I add some AD groups and other groups are deallocated. If the employee is activated, these unassigned groups need to be reassigned.

My idea is to update the "XIsInEffect" field of the "ADSAccountInADSGroup" table for the deallocated groups. But I have the error:

You cannot change values of read-only objects.

Is it possible?

Greetings.

  • How did you change the XIsInEffect property as you deallocated the groups in the first place?

  • Hi,

    You absolutely should not touch XIsInEffect directly.

    You should use the flags on the manage levels to control this:

    In my case the retain groups flags are unchecked meaning that XIsInEffect will be set to 0 in these cases.  If you want to retain the group memberships you should check the retain groups boxes.  Note this is for ALL groups ... you cannot retain some and not others with this approach.

    These work off the AccountDisabled flag which OOB reacts to the IsInActive flag on the employee/identity.

    HTH, Barry.

  • Hi,

    Seems odd that the employee is deactivated but the AD account is active ...... I guess you have your reasons.

    If you want 'some' group memberships to be retained and others to be 'removed' ...... to be put back later on employee reactivation ...... it sounds like you need to have these memberships assigned by dynamic roles.

    HTH, Barry.

  • I will explain it to you with an example.

    I have an active employee with their AD account and they have:

    - two groups of AD by direct assignment. This is because the employee requests it to System

    - Five groups of AD by indirect assignment. These groups are assigned using a dynamic role when an employee is activated

    Now the employee is disabled. Thus,

    - The five AD groups by indirect assignment are deallocated by the dynamic role.
    - Add two AD groups by indirect assignment. They are added by a dynamic role that I have when an employee is deactivated
    - The AD groups by direct assignment are deallocated. How can I deallocate these groups? I cannot delete them because if the employee is activated again, these groups are assigned again

  • Hi,

    Sorry but your example does not help.

    You said: "two groups of AD by direct assignment"

    Then you said: "Add two AD groups by indirect assignment. They are added by a dynamic role that I have when an employee is deactivated"

    Why are the 2 direct assigned groups added by a dynamic role when the employee is deactivated?

    If the 2 groups are directly assigned and you want them removed when the employee is deactivated you would need to assign them via a dynamic role that is applied when the employee is active only ...... then delete the direct assignment ..... the indirect assignment will stay ..... and when the employee is deactivated the indirect assignments will be removed by the dynamic role.

    HTH, Barry.

  • An employee can have assigned groups:

    - indirect allocation. These groups are assigned because I have a dynamic role that assigns or unassigns the groups based on whether the employee is active or deactivated.

    - direct allocation. An employee can request the assignment of an AD group, and the Administrator assigns it directly in the AD, and it is updated in the synchronization with One Identity.

    Now, if an employee is deactivated, the groups by indirect allocation are deallocated.

    How can I deallocate the groups by direct allocation? I cannot delete them because if the employee is activated, these groups are assigned again

    Greetings.

  • Hi,

    As previously advised:

    "If the 2 groups are directly assigned and you want them removed when the employee is deactivated you would need to assign them via a dynamic role that is applied when the employee is active only ...... then delete the direct assignment ..... the indirect assignment will stay ..... and when the employee is deactivated the indirect assignments will be removed by the dynamic role."

    And when the employee is activated again the groups will be re-assigned by the dynamic role.

    HTH, Barry.

  • A solution for changing the XIsInEffect flag is proposed here https://www.oneidentity.com/community/identity-manager/f/forum/22330/event-assign-on-unsaccountbinunsgroupb-is-generated-outside-of-the-connection

    How to delete an object in a script is explained in the SDK on the product delivery <product delivery>\Modules\QBM\dvd\AddOn\SDK\ScriptSamples\03 Using database objects\17 Delete.vb

  • I have added to my script:

    Session.Variables("FULLSYNC") = True

    Session.Variables.Put("FULLSYNC", True)

    and my script is:

    Using uow = Session.StartUnitOfWork()
        For Each colGroup As IEntity In groupsADObjects
            colGroup.PutValue("XIsInEffect", False)
            uow.Put(colGroup)
        Next
        ' The entities will be saved here!
        uow.Commit()
    End Using

    but I have the same error:

    [810222] Error executing script 'CCC_reviewCheckDate'.
    [810371] You cannot change values of read-only objects.