37 Replies. Latest reply: Jun 11, 2010 5:29 AM by 668064

    Modifying delete user adapter for OIM

    768452
      hi,

      I need to modify the delete user adapter for iPlanet and not deprovision a resource based on the value of a UDF field (if the value is true, then the account is revoked; and if the value is false, the account is not revoked).
      I have been able to add an if condition to the iPlanet Delete User adapter using the adapter factory, and have mapped the value of the UDF to an adapter variable. Now, the user is not deleted when the value of UDF is true.
      But the "System Validation" and "Create" user tasks show task status as "Cancelled" when I view the user's resource profile. I want to know where and how these two are cancelled when we revoke an account, as this is not letting me revoke an account later, even after I set the value of UDF as "false".

      Kindly guide me through this.

      Thanks,
      AJ.
        • 1. Re: Modifying delete user adapter for OIM
          668064
          Hi,

          Could you explain this line again:

          I need to modify the delete user adapter for iPlanet and not deprovision a resource based on the value of a UDF field (if the value is true, then the account is revoked; and if the value is false, the account is not revoked).


          I am not able to understand what exactly you want to achieve.

          Regarding your second query: once the DeleteUser task runs, it just undoes the CreateUser task and it cannot be modified again.


          Regards
          Alabhya Goel
          • 2. Re: Modifying delete user adapter for OIM
            Suren.Khatana
            So that's happening because you have delete user in the undo task of the create user task.

            What is your requirement? Is it that the OIM user should get deleted when the UDF is false or true, etc.?

            If yes, then you should consider writing an entity adapter in pre-insert and pre-update which will see if the UDF value is true or false and delete the user accordingly.

            Don't put if-else in the adapter.


            Thanks
            Suren
            • 3. Re: Modifying delete user adapter for OIM
              768452
              Thanks Alabhya for the quick reply.

              I have created a UDF field (Revoke User Profile) and based on the value of the same, I need to call the delete user adapter either manually by pressing revoke or at the deprovisioning date.
              i.e. if the value of this is true, then the user is revoked, and if the value of this UDF is "false" we don't revoke that resource.


              And regarding the other query, can't we disable the System Validation and CreateUser tasks being "cancelled" once we press revoke for a user?
              We would require this so that we can revoke that account later on, once the value of the UDF is set to "true".
              • 4. Re: Modifying delete user adapter for OIM
                668064
                Hi,

                Please do the following things:

                1. In your Delete User task, remove the existing adapter and put in a new process adapter which checks whether that UDF has the value True or False. If the UDF has the value True then it returns Yes, and if the UDF has False then it returns No.
                2. Create a new task called Revoke User Access; this task will have the adapter which was in the Delete User task and which you have removed.
                3. The Delete User task will be triggered when you press the Revoke button or at the Deprovisioning Date.
                4. The Revoke User Access task will be triggered on the Yes response of your Delete User task and will revoke the user account from the Resource.
                5. Go to the Undo/Recovery tab of your Delete User task and remove all the tasks which are under the Undo Task Name tab.
                6. Now, if you want to cancel the user's Create User task (ideally it should be there) when the user gets deleted from the resource, add these tasks to the Undo/Recovery tab of your Revoke User Access task.

                Let me know if you have any query for the same....


                Regards
                Alabhya Goel
                • 5. Re: Modifying delete user adapter for OIM
                  Suren.Khatana
                  Alabhya,

                  What you are suggesting is good but it's at the resource level. If new resources are added then he will have to do the same thing for those resources as well ...

                  But as I have understood, he wants to take an action at the user level.

                  Leave all the resources as is, with no change in any provisioning process.

                  You know when you have to revoke the user and when not. Simply take care of that condition in an entity adapter and delete the user. Resources would be revoked automatically.


                  Thanks
                  Suren
                  • 6. Re: Modifying delete user adapter for OIM
                    668064
                    Suren,

                    Tell me one thing: in an ideal situation, when does the Delete User task trigger and how does it get triggered???

                    As you said, triggering the Delete User task through an Entity Adapter means manipulating the user status in the Entity Adapter, right???

                    Regards
                    Alabhya Goel

                    Edited by: Alabhya Goel on Jun 9, 2010 9:09 AM
                    • 7. Re: Modifying delete user adapter for OIM
                      Suren.Khatana
                      Whenever you revoke a resource, all the tasks which are in the UNDO tab of all the tasks will trigger.

                      Through the entity adapter you need to delete the OIM user, not call the delete user task of any particular resource.

                      When you delete the OIM user, naturally all the resources would be revoked, isn't it?

                      Am I missing something :(


                      Thanks
                      Suren
                      • 8. Re: Modifying delete user adapter for OIM
                        668064
                        Suren,

                        When does the Delete User task trigger in an ideal situation??

                        Deleting the user in OIM in an entity adapter means simply setting his status to Deleted, right???

                        Now, when you click on the Revoke button the user status in OIM will be deleted, and you want to say: check the UDF, and if it has true, set deleted, but if it is false then what status do you want to set in OIM.....

                        Regards
                        Alabhya Goel
                        • 9. Re: Modifying delete user adapter for OIM
                          Suren.Khatana
                          No, no... when you delete the user it will not only set the status to Deleted, it will actually go ahead and revoke all its access to various resources,

                          which is as good as clicking Revoke on every resource.


                          Thanks
                          Suren
                          • 10. Re: Modifying delete user adapter for OIM
                            668064
                            Agreed Suren,

                            So in the Entity Adapter you will set the user status to Deleted when the UDF returns True, and simultaneously it will delete the user's access on the resource. Tell me what will happen at the time of the Deprovisioned Date, where nothing will happen on the Create User page but user access should be revoked, and if I press the Revoke Resource button then why do I set the user status to Deleted in OIM......

                            Regards
                            Alabhya Goel
                            • 11. Re: Modifying delete user adapter for OIM
                              Suren.Khatana
                              First of all, in a real-time scenario, nobody is going to revoke a resource by clicking on the Revoke button etc.; everything has to be automated, and changes would come from the trusted source and would flow down to all the resources.


                              As for when the Deprovisioned Date is reached, what is the OOTB behavior? Doesn't it remove all the access to resources?

                              By the way, do you know I know you :)


                              Thanks
                              Suren

                              Edited by: OiiiiiM on Jun 10, 2010 9:38 AM
                              • 12. Re: Modifying delete user adapter for OIM
                                668064
                                Hi,

                                Yes, when the Deprovisioned Date is reached all the access should be revoked automatically, but here the requirement is that only if the UDF has the value True should access be revoked; that means he has two conditions: the Deprovisioned Date should be today's date and the UDF has the value True.

                                So how will you handle this????


                                I don't know you but I appreciate your concepts..... After discussion many new things/concepts come to my mind.... Wish to have this kind of discussion on other threads as well.....

                                Regards
                                Alabhya Goel
                                • 13. Re: Modifying delete user adapter for OIM
                                  Suren.Khatana
                                  There could be a lot of conditions; we don't know exactly what they all are ..

                                  Usually we play with the OIM user's start date and end date only and do not populate the Deprovisioned Date etc.

                                  Even if the deprovisioned date was used, from where will the value come? Naturally from the trusted source, and it will be mapped to a value which also means something like the deprovisioned date in OIM.

                                  When somebody is deleted/disabled etc. from the trusted source, the same should happen at the OIM end too.

                                  Why would there be a condition where something is deprovisioned (whatever the terminology) in the trusted source and we wouldn't want it to be deprovisioned in OIM?

                                  It actually depends entirely on how you are implementing the solution.


                                  Thanks
                                  Suren
                                  • 14. Re: Modifying delete user adapter for OIM
                                    668064
                                    Yeah, that's true!!!!!!!!!!!!!!!!

                                    That's why I gave that solution on the resource side, as we don't know whether this condition is for one resource or all the resources, what kind of status he wants in OIM, whether there is any trusted source or not, etc.

                                    Yeah, my solution depends on Resources but is independent of OIM.

                                    By the way, may I know you..........

                                    Regards
                                    Alabhya Goel