• State Verified Answer
  • Replies 4 replies
  • Subscribers 95 subscribers
  • Views 113 views
  • Users 0 members are here
Options
Related

Assign offboarding grousp to disabled AD account.

g manigrasso
1 day ago

Hello,

I need help to assign offboarding groups to AD accounts, managed with account defintion, when identity got disabled and AD account too.

I have a business role with the account definition that is removed when the identity is disabled and another business role, with the off boarding groups, that when an identity with AD account got disabled is assigned.

How can I work around the standard behaviour of OIM? Because right now the groups are assigned but with XIsInEffect = 'True'.

I have the On demand 9.2.1 version.

Thanks all.

Parents
  • +1 1 day ago

    Did you try to work with the override for inheritance settings as described in this thread? 

    www.oneidentity.com/.../keep-group-membership-after-termination

  • 0 1 day ago in reply to Markus Weiss-Ehlers

    Thanks Markus for the reply.

    Yes, I tried to use this functionality but it's still not working. This is the way I configured for the override inheritance settins for the groups we want to assign directly on AD:
    "Retain group if temporary disabled: According to manager level
    Retain group if permanently disabled: According to manager level
    Retain group on defferred deletion: According to manager level
    Retain group on security risk: According to manager level
    Retain group if user account disabled: Always"

    and in the account definition full managed we checked the box "Retain groups if user account disabled".

    With this configuration when the account is disabled the groups are assigned with XIsInEffect = 1, Even before the account is being disabled the behavior is the same.

Reply
  • 0 1 day ago in reply to Markus Weiss-Ehlers

    Thanks Markus for the reply.

    Yes, I tried to use this functionality but it's still not working. This is the way I configured for the override inheritance settins for the groups we want to assign directly on AD:
    "Retain group if temporary disabled: According to manager level
    Retain group if permanently disabled: According to manager level
    Retain group on defferred deletion: According to manager level
    Retain group on security risk: According to manager level
    Retain group if user account disabled: Always"

    and in the account definition full managed we checked the box "Retain groups if user account disabled".

    With this configuration when the account is disabled the groups are assigned with XIsInEffect = 1, Even before the account is being disabled the behavior is the same.

Children