3 Replies. Latest reply: Dec 5, 2012 6:14 AM by 958410

    AD Target Recon Task


      During the AD Target Recon task, we find ourselves in the following situation:

      The recon rule: first name & last name are equal in both OIM and AD.
      When we have in AD some people who are not in the scope of OIM and who are homonyms of an already existing OIM user with his own AD account, the reconciliation links a second AD account to the OIM user profile (even if the AD resource is defined with Allow Multiple: false).

      Today, we would prefer not to modify the recon rule (to avoid lots of manual actions), but we need to block this kind of situation. For example, if during AD target recon 2 AD accounts match 1 OIM user, we would like to do nothing, or maybe just send a notification to a local admin.

      Is there a way to handle this kind of problem?

        • 1. Re: AD Target Recon Task
          Nishith Nayan
          Have you restarted after marking Allow Multiple Instance to false in the AD resource object? Restart it and check if it works; else go with the workaround below.

          Write a custom unconditional adapter. Check if an AD account is already provisioned to this user and return a string like "Provisioned" or "Not Provisioned". You can get help from the OIM API to check whether an AD account exists for the user or not. Do not attach the Create User task at the "Provisioned" response of your custom task, and send mail on the "Not Provisioned" response.

          Mark the Create User task as conditional.
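          As an added illustration of the adapter described in this reply (not code from the thread or from Oracle), the method below looks up the user's resource instances through the OIM 11g API and returns "Provisioned" or "Not Provisioned" so the process task can branch on the response. The resource object name "AD User", the status values treated as live, and the result-set column names are assumptions to verify against your own deployment.

          ```java
          import Thor.API.Operations.tcUserOperationsIntf;
          import Thor.API.tcResultSet;
          import oracle.iam.platform.Platform;
          import java.util.Arrays;
          import java.util.HashSet;
          import java.util.Set;

          // Added example adapter: reports whether the user already holds an AD account.
          public class AdAccountCheckAdapter {

              // Name of the AD resource object as defined in OIM (assumption: adjust to yours).
              private static final String RESOURCE_NAME = "AD User";

              // Instance statuses that count as "the user already has a live AD account"
              // (assumption; "Provisioning" is deliberately excluded so the instance being
              // created right now is not counted against the user).
              private static final Set<String> LIVE_STATUSES =
                  new HashSet<>(Arrays.asList("Provisioned", "Enabled", "Disabled"));

              /**
               * Adapter entry point. Returns "Provisioned" when the user keyed by usrKey
               * already has at least one live instance of the AD resource, otherwise
               * "Not Provisioned". Wire the Create User task and the notification task
               * to these two responses as described in the reply above.
               */
              public String checkExistingAdAccount(long usrKey) throws Exception {
                  tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
                  // getObjects returns every resource instance linked to the user.
                  tcResultSet objects = userOps.getObjects(usrKey);
                  int liveAdAccounts = 0;
                  for (int row = 0; row < objects.getRowCount(); row++) {
                      objects.goToRow(row);
                      // Column names are assumed standard OIM metadata; verify in your environment.
                      String objectName = objects.getStringValue("Objects.Name");
                      String status = objects.getStringValue("Objects.Object Status.Status");
                      if (RESOURCE_NAME.equals(objectName) && LIVE_STATUSES.contains(status)) {
                          liveAdAccounts++;
                      }
                  }
                  return liveAdAccounts > 0 ? "Provisioned" : "Not Provisioned";
              }
          }
          ```

          Because the check runs only once the second account has already been matched, it can notify or stop the Create User task, but it cannot by itself prevent the recon event from linking that account.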
        • 2. Re: AD Target Recon Task
          Check if you can add 1 more condition, i.e. employee no. etc., in the recon rule.
          This should resolve your problem.
        • 3. Re: AD Target Recon Task
          Thanks for your inputs. Restarting the servers doesn't solve the issue, and a user can still have multiple accounts on reconciliation. But I can't direct-provision an AD account to a user that already has one, so I guess reconciliation doesn't take this option into account.

          The adapter can partially solve the problem.

          For example, if on reconciliation 2 AD accounts match 1 OIM user (for example a user that is still not in our scope), the first one detected will be linked to the account and the second one will send the notification.

          We would like, in that case, that no link is created and a notification is sent to an admin. This can be done when one AD account matches 2 OIM accounts, but can we have the same behavior for 2 AD accounts matching 1 OIM user?

          Thanks for your help