• State Suggested Answer
  • Replies 7 replies
  • Answers 3 answers
  • Subscribers 95 subscribers
  • Views 2946 views
  • Users 0 members are here
Options
Related

UNSAccountBInUNSGroupB in target system when XIsInEffect is set to false does not remove role when synchronizing

Wilke Jansoone
over 2 years ago

Hello,
I am configuring leaver flow. I configure the UNS and AD account definition to be retained when user is inactive and not to retain roles on manage level. For AD everything works OK. ADSAccountInADSGroup gets flag XIsIneffect set to false and group membership is removed in AD. Was expecting same behavior for UNS, but is not the case. I implemented a custom process for remove event for UNSAccountBInUNSGroupB, updated the logic to take into account the flag XIsInEffect. When I enter a leaving date on a Person and start the process 'Lock user accounts from dismissed employees.' all is OK for AD (as explained) and I indeed see that the custom removal process is triggered and the AdHocProjection step is executed. But in the end the role membership is not removed in the target system.
The provisioning for the UNS target system is correctly configured because role assignment and removal from the IT Shop correctly yields role membership assignment and removal.
I understand that it requires some specific logic because when a role (or group) membership is not in effect it actually still exists and adhoc projection would indeed decide that nothing needs to be done.
Thank you in advance for your advice.
Regards.
Mrs. Wilke Jansoone

Parents Reply Children
  • 0 over 2 years ago in reply to Wilke Jansoone

    Hi,

    The advice was to modify the pre-script as shown:

    And then:  Use the EntityPatch afterwards in the AdhocProjection step:

    It didn't come from me .... I'm just passing on the info.

    Hope it helps, Barry.

  • 0 over 2 years ago in reply to Barry Jackson

    Hello,

    Thank you Barry, I will try this, I notice the script you include does not calculate a value for NeedExecute,

    If Not evt.Equals("Insert",StringComparison.OrdinalIgnoreCase) Then
    values("NeedExecute") = not $XIsInEffect:Bool$ or DPR_NeedExecuteWorkflow(data("ProjectionConfigUID").ToString(),entity)
    End If

    In this example I added the check for XIsInEffect.

    Regards,

    Wilke

  • 0 over 2 years ago in reply to Barry Jackson

    Hello Barry,

    If I use the logic you mention and the original logic without the not $XIsInEffect:Bool$ condition, the roles are not removed. With both modifications present, the code you propose and the not $XIsInEffect:Bool$ condition, the roles are indeed removed from the custom target system.

    Pity I do not really understand what the code does :-).

    Thanks gain for you advice.

    Regards,

    Wilke

  • 0 over 2 years ago in reply to Wilke Jansoone

    Hello Wilke,

    can you show me the exact code you used? I have the same issue and would like to configure my process same as you did to see if it fix it for me.

    Thank you,

    Vito

  • 0 over 1 year ago in reply to Barry Jackson 

    If Not CBool(Connection.Variables("FULLSYNC")) AndAlso $FK(UID_UNSAccountB).FK(UID_UNSRootB).NamespaceManagedBy:String$.Equals("VISYNC",StringComparison.OrdinalIgnoreCase) Then
	Try
		Dim evt as String = EventName
		Select Case evt.ToUpperInvariant()
			Case "ASSIGN", "HANDLEOUSTANDING"
				evt="Insert"
			Case "REMOVE"
				evt="Delete"
		End Select
		
		If evt = "Delete" Then
			Dim thePatch = EntityPatch.Create(Entity, Session.MetaData(), DiffMode.AllContent)
			thePatch.Diff.Data.State = EntityState.ToDeletePhysical Or EntityState.Loaded Or EntityState.Deleted
			values("Patch") = thePatch.ToXml()
		Else
			values("Patch") = DPR_WrapObjectForProjection(Entity)
		End If
	Catch ex as Exception
		values("AdHocDataFound") = False
	End Try
End If

    I just came across this same issue still with 8.1.5. To help someone with typing later... here is the text version (worked for me):