Symantec IGA

  • 1.  Disable user in CA IDM post the user is removed from AD group

    Posted Nov 29, 2017 03:22 PM

    Team,

    We have a requirement to disable the user in CA IDM after the user has been removed from the AD group (terminated). This feature is not available OOTB in CA IDM. We have configured explore & correlate between AD and CA IDM for provisioning/updating users from AD to CA IDM.


    1. I want to know: if the user is removed from the AD group, will explore & correlate figure out that the global user account is no longer in AD, and hence delete the user from CA IDM too?
    2. Also, what if we want the user to be disabled in CA IDM after the user is removed from the AD group? CA told us there is no OOTB solution for this, hence I am trying to figure out the possibilities.


    Any help is much appreciated.


    Thanks,

    Shivam



  • 2.  Re: Disable user in CA IDM post the user is removed from AD group

    Posted Nov 30, 2017 03:29 AM

    Team,

    Any pointers here please.



  • 3.  Re: Disable user in CA IDM post the user is removed from AD group

    Broadcom Employee
    Posted Nov 30, 2017 01:11 PM

    Have you already explored the Reverse Sync option in PX? If PX detects an AD account modification (which is the AD group removal), you may take action to disable the user. Deleting a user is only possible via Delete User admin task execution via a SOAP call in TEWS.


    Regards,

    Sumeet




  • 4.  Re: Disable user in CA IDM post the user is removed from AD group
    Best Answer

    Posted Dec 05, 2017 12:12 PM

    I am not clear on exactly what you are doing and how you are doing it.


    Are you deleting the AD account or simply removing an AD group from the AD account? Are you making those changes via the IM layer or natively on the AD side?


    If you are submitting the changes through the IM layer, then you might be able to use PX Policies to trigger on those IM-submitted tasks/events to perform additional work.


    But if the changes are done natively on the AD side itself and only picked up by running an Explore, then those notifications back to the IM layer would only be "actionable" via IM Reverse Sync Policies, and those would only let you revert the AD change, not take actions on the IM users.


    Now, if you also had Endpoint Attribute Mappings defined, then running the UPDATE of the Explore would update Provisioning Users, and so maybe those notifications back to the IM layer would allow PX policies to be configured on the Provisioning Modify User task to take additional steps. But again, I am not really clear on the specifics of what you have, what you are asking, and what you are trying to do.
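The following is an added example and is not code from the original thread or from CA/Broadcom. It shows, as a stand-alone Python script outside CA IDM, the decision logic the thread is circling around: given the AD group membership an Explore would report before and after a native AD-side change, decide which correlated CA IDM global users should be disabled, and distinguish "removed from the gating group" from "AD account gone entirely" and from losing an unrelated group. The group names (IDM-Active-Users, VPN-Users), the sAMAccountName-to-IDM-user correlation map and the sample accounts are all constructed for illustration; how the resulting actions are submitted to IDM (PX policy, admin task, TEWS) is left to the caller.

```python
"""
Added example, not code from the original thread or from CA/Broadcom.

Diffs two constructed AD membership snapshots (what an Explore of the AD
endpoint would see before and after a native change) and plans which
correlated CA IDM global users to disable. Nothing here is deleted: an
account missing from AD and an account dropped from the gating group both
map to a "disable" action, an unrelated group change maps to nothing.
Group names, accounts and the correlation map are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AdAccount:
    """One AD user as an Explore reports it: sAMAccountName and group DNs."""
    sam: str
    groups: FrozenSet[str]


# Assumed group names (not from the thread).
GATING_GROUP = "CN=IDM-Active-Users,OU=Groups,DC=example,DC=com"
OTHER_GROUP = "CN=VPN-Users,OU=Groups,DC=example,DC=com"

# Constructed snapshot "before" the AD-side change.
BEFORE: Dict[str, AdAccount] = {
    "alice": AdAccount("alice", frozenset({GATING_GROUP, OTHER_GROUP})),
    "bob":   AdAccount("bob",   frozenset({GATING_GROUP})),
    "carol": AdAccount("carol", frozenset({GATING_GROUP})),
    "dave":  AdAccount("dave",  frozenset({OTHER_GROUP})),
}

# Constructed snapshot "after": bob was removed from the gating group,
# carol's AD account was deleted outright, alice lost only an unrelated
# group, dave is unchanged.
AFTER: Dict[str, AdAccount] = {
    "alice": AdAccount("alice", frozenset({GATING_GROUP})),
    "bob":   AdAccount("bob",   frozenset()),
    "dave":  AdAccount("dave",  frozenset({OTHER_GROUP})),
}

# Constructed correlation: sAMAccountName -> CA IDM global user ID.
CORRELATION: Dict[str, str] = {
    "alice": "alice.smith",
    "bob": "bob.jones",
    "carol": "carol.ng",
    "dave": "dave.lee",
}

# (target, action, reason); action is "disable" or "review", never "delete".
Action = Tuple[str, str, str]


def plan_actions(before: Dict[str, AdAccount],
                 after: Dict[str, AdAccount],
                 correlation: Dict[str, str],
                 gating_group: str = GATING_GROUP) -> List[Action]:
    """Return the sorted list of IDM actions implied by the snapshot diff."""
    actions: List[Action] = []
    for sam, old in before.items():
        idm_user: Optional[str] = correlation.get(sam)
        if idm_user is None:
            # Uncorrelated AD account: nothing to act on in IDM, flag it.
            actions.append((sam, "review", "AD account has no correlated IDM user"))
            continue
        new = after.get(sam)
        if new is None:
            # Account vanished from AD: treat as termination, disable not delete.
            actions.append((idm_user, "disable", "AD account no longer present"))
        elif gating_group in old.groups and gating_group not in new.groups:
            actions.append((idm_user, "disable", "removed from gating group"))
        # Any other group change is not a termination signal: do nothing.
    return sorted(actions)


if __name__ == "__main__":
    for target, action, reason in plan_actions(BEFORE, AFTER, CORRELATION):
        print(f"{action:8s} {target:12s} {reason}")
```

Running it prints a disable line for bob.jones and carol.ng and nothing for alice or dave; accounts with no correlated IDM user come back as "review" rather than being acted on, which is the case an automated disable should never guess about.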