Update in field XIsInEffect of table ADSAccountInADSGroup

Hi,

Seems odd that the employee is deactivated but the AD account is active ...... I guess you have your reasons.

If you want 'some' group memberships to be retained and others to be 'removed' ...... to be put back later on employee reactivation ...... it sounds like you need to have these memberships assigned by dynamic roles.

HTH, Barry.

I will explain it to you with an example.

I have an active employee with their AD account and they have:

- two groups of AD by direct assignment. This is because the employee requests it to System

- Five groups of AD by indirect assignment. These groups are assigned using a dynamic role when a employee is activated

Now the employee is disabled. Thus,

- The five AD groups by indirect assignment are deallocated by the dynamic role.
- Add two AD groups by indirect assignment. They add by a dynamic role that I have when a employee is desactivated
- The groups AD by  direct assignment are deallocated. How can I deallocated these groups? I can not delete because if the employee is activated again, these groups are assign again

I will explain it to you with an example.

I have an active employee with their AD account and they have:

- two groups of AD by direct assignment. This is because the employee requests it to System

- Five groups of AD by indirect assignment. These groups are assigned using a dynamic role when a employee is activated

Now the employee is disabled. Thus,

- The five AD groups by indirect assignment are deallocated by the dynamic role.
- Add two AD groups by indirect assignment. They add by a dynamic role that I have when a employee is desactivated
- The groups AD by  direct assignment are deallocated. How can I deallocated these groups? I can not delete because if the employee is activated again, these groups are assign again

Hi,

Sorry but your example does not help.

You said: "two groups of AD by direct assignment"

Then you said: "Add two AD groups by indirect assignment. They add by a dynamic role that I have when a employee is desactivated"

Why are the 2 direct assigned groups added by a dynamic role when the employee is deactivated?

If the 2 groups are directly assigned and you want them removed when the employee is deactivated you would need to assign them via a dynamic role that is applied when the employee is active only ...... then delete the direct assignment ..... the indirect assignment will stay ..... and when the employee is deactivated the indirect assignments will be removed by the dynamic role.

HTH, Barry.

A employe can have assigned groups:

- indirect allocation. These groups are assigned because I have a dynamic role that assigns or unassigns the groups based on the employee is active o desactive.

- direct allocation. A employee can request tha assign of a group AD y the Administrator assign it directly in the AD y in the synchronization with One Identity it update.

Now, if a employee is deactivated, the groups by indirect allocation are deallocate.

How can i deallocate the groups by direct allocation? I can not delete it because if the employee is activated, these groups are assigned again

Greetings.

Hi,

As previously advised:

"If the 2 groups are directly assigned and you want them removed when the employee is deactivated you would need to assign them via a dynamic role that is applied when the employee is active only ...... then delete the direct assignment ..... the indirect assignment will stay ..... and when the employee is deactivated the indirect assignments will be removed by the dynamic role."

And when the employee is activated again the groups will be re-assigned by the dynamic role.

HTH, Barry.

How can i delete by script?

A solution for changing the XIsInEffect flag is proposed here https://www.oneidentity.com/community/identity-manager/f/forum/22330/event-assign-on-unsaccountbinunsgroupb-is-generated-outside-of-the-connection

How to delete an object in a script is explained in the SDK on the product delivery <product delivery>\Modules\QBM\dvd\AddOn\SDK\ScriptSamples\03 Using database objects\17 Delete.vb

I have added to my script:

Session.Variables("FULLSYNC") = True

Session.Variables.Put("FULLSYNC", True)

and my script is:

Using uow = Session.StartUnitOfWork()
                        For Each colGroup As IEntity In groupsADObjects
                            
                              
                                colGroup.PutValue("XIsInEffect", False)
                            
                                uow.Put(colGroup)
                            End If
                        Next
                    ' The entities will be saved here!
                       uow.Commit()
                    End Using

but i have tha same error:

[810222] Error executing script 'CCC_reviewCheckDate'.
[810371] You cannot change values of read-only objects.

Where did you test this?

I execute the schedule "Lock accounts of employees that have left the company".

If a employees is deactivated, this execute a custom process and in this custom process, there is a step that it call to my script.

I have tested the delete and it work ok. Now, la account maintain the member of group in the AD haven't delete.

What can i make?