About IdentityMinder... How to handle the cases of provisioning roles for the "Active Directory" endpoint? Creating and deleting users are simple cases, but the change that involves moving accounts between OUs does not work automatically: removing a provisioning role means that the account will be deleted in the "Active Directory" endpoint, and after assigning the new provisioning role the account is created again. This usually affects the Exchange account and the user's emails in Exchange Server, creating an additional problem. Strong or weak synchronization doesn't fit the ideal situation of moving the account and avoiding recreating it.
An identity policy does the right automatic assign/unassign, but on the endpoint it does not necessarily occur in the most convenient way.
How to avoid the account being deleted on the modify user operation (for removing ProvisioningRole membership) and instead ensure that privileges are assigned and the account is automatically moved to a different OU if applicable? What has been your experience dealing with this situation?
You can use a Policy Xpress policy to move accounts between OUs. We have done it and it works fine. Moving an account between OUs is simple; however, you will have to build logic to decide where to move it.
Let me know if you need help
Hello Prasad, thanks for the reply, and yes please, an example of the PX to move between OUs will help. Probably you run it before the "ModifyUser" event and maybe keep the "user synchronization" option enabled for assigning the new provisioning role.
If we focus on moving the account, there will be no problems with the Exchange account.
Thanks again, and I will be mindful of the help.
I've been thinking about this process, and I would have thought to do it after it was modified with the new attribute, which would cause the requirement to move the user object to a new OU.
I will be extremely interested in hearing how Prasad has handled this issue.
I thought of this process differently (moving beforehand), given the need to move the account before assigning the new provisioning role, so that the account would not be deleted. (Let's see if Prasad can share with us how the process was implemented.)
I am also very interested in the subject. Running the account move is easy with PX, but knowing how and when provisioning roles are to be assigned is, I think, the most interesting part, given the synchronization errors presented.
Thanks for keeping up the interest, and please be aware that the features and information will be published for the benefit of all, although they arrive by private means.
Were you able to solve this?
kristen.palazzolo, can you move this to the CA Identity Minder section, please?
It looks like it's already there.
Hi, not sure if that is already answered if moved to a different section, but we have implemented moving accounts to a different OU with PX. If you need a sample or instructions I would be happy to help with that. Here is an Action Rule for that policy.
The use case is: on submission of separation, the account should be moved to the OU named "Disabled User".
Get Accounts is a Data element which gets the AD account.
Renu, what version of Identity Manager are you using in your example?
R12.6 SP2 on JBoss 5.x
I tried moving the account in my environment, but it is coming up with an "Account Not Found" error in View Submitted Tasks. I think it is because the information I gave in the "Account Identifier" and "New Container" tabs was wrong. Can you please give me an example of how I can define the "Account Identifier" and "New Container" tabs?
Sorry for the delayed response. First of all, you don't want to remove and apply a new provisioning role to move a user between OUs. That will surely delete the user from AD. Here is what you need to do:
You need to configure this PX to evaluate the OU. The PX can be configured on the Submitted task and execute on the "after task completed" event. In our case we have this PX that determines the user's OU based on user city/state etc. You can achieve this by simply building a SQL table and querying the OU name based on the parameters you want. (In our PX we have built the logic in PX, which is not easy to maintain.) So maintaining a SQL table is easy. Once you determine the OU to move to, add the action shown by RenuS.
Note: You need to have a trigger that will start this PX. Having a separate task is best. However, it all depends on how you determine where the user will be moved.
In a typical IDM implementation the user is created with a Base Account template that determines the user's initial OU. This account template determines how the user will be created in AD. Moving the user between OUs is an incidental scenario. In this situation the Base Provisioning Role and Template need not be removed. Just use this method to move the user.
Let me know how you determine where the user will move.
Prasad, ours is by Office name. What version of Identity Manager are you using?
We are using IDM 12.5 SP6, an old version of IDM. If it is just one attribute change then it is very easy to configure the PX. What version are you on?
Prasad, we are on the same version. I am planning on an upgrade for this next year.
Well, a long way to go. I have it on my plate for this year. Basically it is going to be a new build and data migration...
Same here. Agreed. We should stay in contact to share experiences.
Thanks for sharing your experience. I appreciate the input received from participants (you, Glenda, RenuS).
I have a final question. In your example, if the Base Provisioning Role and Template need not be removed from the user, how do you change Security Groups and Distribution Groups on AD accounts? Do you apply a PX for that function and avoid the use of an Identity Policy to assign provisioning roles?
In my case, when a position (title) or department changes and the user moves to a new OU, the permissions change and privileges need to be updated.
I think this is what is needed to close the concern and understand how to handle provisioning roles for the "AD" endpoint.
Thanks in advance
The way I implement IDM to manage Active Directory is: create a Base Provisioning Role with a Base Template that defines how the user should be created in Active Directory. This role has an Account Template that contains filters that tell where to create the user, what the logon script should be, and how to populate the other Active Directory user attributes. The Base Provisioning Role and template will never have any Security Groups or DGs. When you create a user you assign the user the Base Provisioning Role and then use other provisioning roles with the groups that you want to give to users. For example, we have used RCM to create department- and jobcode-based roles. These roles have the groups that are commonly used by the users in that department and jobcode. We have named them per department and jobcode. We also have a PX that detects a change in department and jobcode and removes the user from the old department and jobcode role and assigns him a new one if available, but the Base Provisioning Role stays as is. Hence the user never gets deleted. In case we have to change the OU, we use a task with the PX logic to change the user's OU based on city and state.
Hope that helps...
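To make the pattern in the two replies above concrete (keep the Base Provisioning Role, swap only the department/jobcode role, look the OU up in a SQL table, and let a PX "move account" action relocate the existing object), here is a small Python model. This is an added illustration for this thread, not CA Identity Manager or Policy Xpress code; the ou_map table, role names, cities and DNs are constructed, and the endpoint synchronization is a deliberately simplified stand-in for what the AD connector does. It contrasts the naive remove-and-reassign flow the original poster saw with the PX flow, counting how often the AD account gets (re)created.

```python
"""Toy model of 'keep the base role, move the account with PX'.
Added illustration only; not CA Identity Manager / Policy Xpress code.
All names (ou_map, role names, cities, DNs) are constructed."""
import sqlite3
from dataclasses import dataclass, field
from typing import Optional

BASE_ROLE = "AD Base"  # hypothetical base provisioning role: account template, no groups
DEFAULT_OU = "OU=Default,OU=Users,DC=example,DC=com"
# Constructed department/jobcode roles and the AD groups they carry
ROLE_GROUPS = {
    "Finance-Analyst": {"SG-Finance", "DL-Finance-All"},
    "IT-Engineer": {"SG-IT", "DL-IT-All", "SG-VPN"},
}


@dataclass
class AdAccount:
    dn: str
    groups: set = field(default_factory=set)


@dataclass
class User:
    uid: str
    department: str
    jobcode: str
    city: str
    state: str
    roles: set = field(default_factory=set)
    account: Optional[AdAccount] = None
    account_creations: int = 0  # how often the endpoint account was (re)created


def build_ou_map():
    """The SQL lookup table suggested in the thread: OU chosen by city/state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ou_map (city TEXT, state TEXT, ou TEXT)")
    conn.executemany("INSERT INTO ou_map VALUES (?, ?, ?)", [
        ("Austin", "TX", "OU=Austin,OU=Users,DC=example,DC=com"),
        ("Boston", "MA", "OU=Boston,OU=Users,DC=example,DC=com"),
    ])
    return conn


def lookup_ou(conn, city, state):
    row = conn.execute("SELECT ou FROM ou_map WHERE city = ? AND state = ?",
                       (city, state)).fetchone()
    return row[0] if row else DEFAULT_OU


def department_role(user):
    return f"{user.department}-{user.jobcode}"


def synchronize(user, conn):
    """Simplified user synchronization: the account exists while the role that
    holds the account template is held; groups are the union of all held roles."""
    if BASE_ROLE not in user.roles:
        user.account = None  # last role with an AD template removed -> account deleted
        return
    if user.account is None:
        user.account = AdAccount(dn=f"CN={user.uid},{lookup_ou(conn, user.city, user.state)}")
        user.account_creations += 1
    user.account.groups = set().union(*(ROLE_GROUPS.get(r, set()) for r in user.roles))


def new_hire(conn, uid, department, jobcode, city, state):
    user = User(uid, department, jobcode, city, state)
    user.roles = {BASE_ROLE, department_role(user)}
    synchronize(user, conn)
    return user


def naive_transfer(user, conn, department, jobcode, city, state):
    """What the original poster observed: every role, including the one carrying
    the account template, is unassigned and reassigned, so the endpoint deletes
    the account and creates a fresh object (mailbox association lost)."""
    user.roles.clear()
    synchronize(user, conn)
    user.department, user.jobcode, user.city, user.state = department, jobcode, city, state
    user.roles = {BASE_ROLE, department_role(user)}
    synchronize(user, conn)
    return user


def px_transfer(user, conn, department, jobcode, city, state):
    """The thread's pattern: base role untouched, only the department/jobcode
    role is swapped, then a PX 'move account' action relocates the same object."""
    old_role = department_role(user)
    user.department, user.jobcode, user.city, user.state = department, jobcode, city, state
    new_role = department_role(user)
    user.roles.discard(old_role)
    if new_role in ROLE_GROUPS:  # "assign a new one if available"
        user.roles.add(new_role)
    synchronize(user, conn)  # base role still held -> account persists, groups updated
    cn = user.account.dn.split(",", 1)[0]
    user.account.dn = f"{cn},{lookup_ou(conn, city, state)}"  # same object, new container
    return user


if __name__ == "__main__":
    db = build_ou_map()
    a = px_transfer(new_hire(db, "jdoe", "Finance", "Analyst", "Austin", "TX"),
                    db, "IT", "Engineer", "Boston", "MA")
    b = naive_transfer(new_hire(db, "asmith", "Finance", "Analyst", "Austin", "TX"),
                       db, "IT", "Engineer", "Boston", "MA")
    print("px:   ", a.account.dn, "created", a.account_creations, "time(s)")
    print("naive:", b.account.dn, "created", b.account_creations, "time(s)")
```

The point of the model is the `account_creations` counter: in the PX flow it stays at 1 because the Base Provisioning Role is never unassigned, whereas the naive flow reaches 2, which is the delete-and-recreate that breaks the Exchange mailbox in the original question. Moving the OU decision into the `ou_map` table mirrors the advice to keep that logic out of the PX itself.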
Prasad, thank you for the response; it has been helpful, and the way you have worked is very interesting. I could make some successful tests by enabling the "Enable Accumulation of Provisioning Role Membership Events" property under "Home / Environment / ENVNAME / Advanced Settings / Provisioning" in the Management Console, always leaving the identity policies active to reassign provisioning roles, combined with OU movement using PX. Thanks to everyone for the participation and contribution.
Like Prasad does in moving the account, we get the account object and then add the groups, whether security or distribution list.
Doing this, when a user moves we can remove the list that no longer applies and then add the new one.
Glenda, thanks for sharing the information. I see that maybe you don't use an "identity policy" to assign provisioning roles, or probably use a different task to avoid user synchronization, or do the reassignment with PX. Thanks
Provisioning Roles are assigned using Policy Xpress. The role(s) assigned depend on the employee type.
No, we aren't using Identity Policy.
Thanks for sharing the way you do it.