Exclude some AD groups from automatic removal when an employee's exit date is reached

Hello,

I am using OIM 8.1.4.

One of the functional requirements of my company is that when an employee's exit date is reached, all AD group memberships are removed except a limited number of special assignments (O365 related).

In our configuration the employees get their AD group memberships via either:

- Employee => Business Role => System Role => AD Group(s)
- Employee => System Role => AD Group(s)

I initially thought I could manage this by setting the XOrigin flag for the special AD group assignments to 3 (indirect + direct) so that, when OIM executed the removal process (the manage level's retain group settings are not enabled), it would take this flag into account and leave these direct group memberships in place.

Unfortunately this is not what happens: all the groups are removed irrespective of the XOrigin flag. It seems that the removal of the AD groups dictated by the manage level's retain group settings does not take the XOrigin flag into account. After the processes have done their job, I see in the object browser that the employee still has the business roles assigned, the system roles are assigned (XIsInEffect: true) and the AD groups are also still assigned (XIsInEffect: false).

So my question is: can you advise me how I can configure the system or implement a process that ensures the AD group removal process excludes a number of special AD group assignments from being removed? It seems like a small extension of the existing OOB processes, but I have no idea how to tackle it.

Many thanks in advance for your assistance.

Regards,

Mrs. Wilke Jansoone

  • One idea is to do this via MatchPatternForMembership.

    That means: The TSBBehavior is configured so that memberships are always retained.

    The categories [0] "NormalGroup" and [1] "KeepGroup" are defined for "Group"; the (manual) identification of the groups takes place via these categories.

    For "Account" there are the categories [0] "InheriteNormalGroups" and [1] "InheriteKeepGroups". These are set on the accounts using a template.

    First of all, all accounts have [0] and [1] set. If an account is disabled, for example, [0] is removed. The account then loses all inherited NormalGroups and only keeps the KeepGroups.


    BUT: This only works for inherited groups. 

    Solution: You need to build a process that converts all direct membership into orders for terminated users.

    It's not as small as you might have hoped, but it should work.
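    The category mechanism from the answer above, as an added toy model that is not part of the original thread or of One Identity Manager itself. It assumes the documented behaviour that an inherited membership is only in effect when the group's category bitmask overlaps the account's MatchPatternForMembership bitmask, that direct memberships are never filtered by categories, and that XOrigin is a bitmask with 1 = direct and 2 = inherited. Group names, the account, and the "order" conversion step are constructed for illustration; the conversion is simplified to "make the membership inherited so the category filter applies".

```python
"""Toy model of category-based AD group retention at exit (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Category bit positions named after the thread's labels (constructed).
NORMAL = 1 << 0   # [0] "NormalGroup" on groups / "InheriteNormalGroups" on accounts
KEEP = 1 << 1     # [1] "KeepGroup"   on groups / "InheriteKeepGroups"   on accounts

# XOrigin bit values as seen on membership assignments.
XORIGIN_DIRECT = 1
XORIGIN_INDIRECT = 2


@dataclass
class Group:
    name: str
    category: int          # bitmask of group categories


@dataclass
class Account:
    name: str
    match_pattern: int     # MatchPatternForMembership bitmask
    disabled: bool = False
    direct_groups: set[str] = field(default_factory=set)   # XOrigin bit 1
    role_groups: set[str] = field(default_factory=set)     # via business/system roles


def effective_memberships(account: Account, groups: dict[str, Group]) -> dict[str, int]:
    """Return {group: xorigin} for memberships currently in effect.

    Inherited memberships pass only if the group category overlaps the account's
    match pattern; direct memberships are not filtered at all, which is exactly
    the gap the answer warns about ("this only works for inherited groups").
    """
    result: dict[str, int] = {}
    for name in account.role_groups:
        if groups[name].category & account.match_pattern:
            result[name] = result.get(name, 0) | XORIGIN_INDIRECT
    for name in account.direct_groups:
        result[name] = result.get(name, 0) | XORIGIN_DIRECT
    return result


def apply_exit(account: Account) -> Account:
    """Template step from the answer: on disable, clear the NormalGroup bit."""
    account.disabled = True
    account.match_pattern &= ~NORMAL
    return account


def convert_direct_to_orders(account: Account) -> Account:
    """Extra process the answer calls for: turn every direct membership into an
    inherited-style assignment so the category filter can act on it (simplified)."""
    account.role_groups |= account.direct_groups
    account.direct_groups = set()
    return account


def build_sample() -> tuple[Account, dict[str, Group]]:
    """Constructed data: one O365 'keep' group, two normal groups, one of which
    is assigned both via a role and directly (XOrigin 3, as in the question)."""
    groups = {
        "O365-License": Group("O365-License", KEEP),
        "Dept-Share": Group("Dept-Share", NORMAL),
        "Legacy-App": Group("Legacy-App", NORMAL),
    }
    acct = Account(
        name="w.jansoone",
        match_pattern=NORMAL | KEEP,
        direct_groups={"Legacy-App"},
        role_groups={"O365-License", "Dept-Share", "Legacy-App"},
    )
    return acct, groups


if __name__ == "__main__":
    acct, groups = build_sample()
    print("before exit:", effective_memberships(acct, groups))
    apply_exit(acct)
    print("after exit :", effective_memberships(acct, groups))   # direct part survives
    convert_direct_to_orders(acct)
    print("after fix  :", effective_memberships(acct, groups))   # only the KEEP group remains
```

    Running the script shows the three states the thread describes: before the exit date all three groups are in effect (Legacy-App with XOrigin 3), after the disable step only the inherited NormalGroup memberships drop while the direct Legacy-App membership survives with XOrigin 1, and only after the direct memberships are converted does the account keep nothing but the O365 group.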

  • Hello Markus,

    Thank you for your feedback. Although I do not yet understand what you are telling me, it seems interesting. I tried to look for more information on the concept of MatchPatternForMembership but could not find much of that. Can you point me to a reference page that tells me more about MatchPatternForMembership?

    Thank you in advance.

    Regards,

    Wilke

