Create Identities for Disabled Users.

I performed an import from Active Directory into the OneIDentity ver 9.2 database. Identities were automatically created for enabled accounts but for disabled accounts the identity was not created.
In the Designer I had checked the "PersonAutoDisabledAccounts" item following this article support.oneidentity.com/.../automatic-assignment-of-employees-to-user-accounts-not-working but the identities are not were created. How do I create them?

Top Replies

Parents
  • I assume you checked the configuration parameter TargetSystem | ADS | PersonAutoDisabledAccounts ?

  • no the article refers to this path

    4. Expand "TargetSystem" | "UNS" and select "PersonAutoDisabledAccounts"

  • Hi Graziano,

    Assuming you already checked it after Markus's comment... (But mostly for anyone with less experience who might read this);

    UNS stands for 'UnifiedNameSpace' that includes well, the generic namespace. However certain systems with a very high level of integration (think ADS, SAP, AAD etc) have their own configuration next to / instead of the UnifiedNameSpace.

    So given you're importing Active Directory (one of those systems) you should set the ADS specific configuration.

    Why does a system like ADS have a specific configuration for this? I'm not one of the developers so it's always a bit of a guessing game... However in practice I've seen that if a target system is used as a 'source' to create identities Active directory is one of the common ones (while most generic UNS systems aren't). So that's probably why this can be configured separately for ADS.

  • I had set the "PersonAutoDisabledAccounts" flag under UNS and not in ADS. But now that the accounts have been imported without an identity, how can I create it?

  • You just run the sync again. The processes will run identify all unlinked AD user account and try to link them to an identity (or create one).

  • Why does a system like ADS have a specific configuration for this? I'm not one of the developers so it's always a bit of a guessing game... However in practice I've seen that if a target system is used as a 'source' to create identities Active directory is one of the common ones (while most generic UNS systems aren't). So that's probably why this can be configured separately for ADS.

    Jos is spot on here. First and most important, many customers using (or have used) AD as source for their identities (Might need to add, if they are not having proper HR feeds available). Secondly, the configuration parameters underneath UNS are not for the generic UNS tables but for the UNSB ones. Let's call them custom target systems in general. And last but not least, we have seen different sources for the identities at each customer and having the configuration parameters available for different types of target systems allows to control the behavior easily.


  • Thanks Markus I did as you told me and the identities of the disabled accounts were created. 

Reply Children
No Data