• State Verified Answer
  • Replies 4 replies
  • Subscribers 95 subscribers
  • Views 136 views
  • Users 0 members are here
Options
Related

Assign offboarding grousp to disabled AD account.

g manigrasso
2 days ago

Hello,

I need help to assign offboarding groups to AD accounts, managed with account defintion, when identity got disabled and AD account too.

I have a business role with the account definition that is removed when the identity is disabled and another business role, with the off boarding groups, that when an identity with AD account got disabled is assigned.

How can I work around the standard behaviour of OIM? Because right now the groups are assigned but with XIsInEffect = 'True'.

I have the On demand 9.2.1 version.

Thanks all.

Parents Reply Children
  • 0 2 days ago in reply to Markus Weiss-Ehlers

    Thanks Markus for the reply.

    Yes, I tried to use this functionality but it's still not working. This is the way I configured for the override inheritance settins for the groups we want to assign directly on AD:
    "Retain group if temporary disabled: According to manager level
    Retain group if permanently disabled: According to manager level
    Retain group on defferred deletion: According to manager level
    Retain group on security risk: According to manager level
    Retain group if user account disabled: Always"

    and in the account definition full managed we checked the box "Retain groups if user account disabled".

    With this configuration when the account is disabled the groups are assigned with XIsInEffect = 1, Even before the account is being disabled the behavior is the same.

  • 0 1 day ago in reply to g manigrasso

    You need to assign the business role for the disabled groups via a dynamic role with the condition that the person is inactive. 

  • 0 1 day ago in reply to Markus Weiss-Ehlers

    Yes Markus, it's already like this. I have two business role:
    - One with the AD account definition with a dynamic rule that if a person is active is assigned.
    - The other one (with the groups) that is assigned when a person with an AD account becomes inactive.