Disable the UserID in ILM by HRFeed
Hi, I have to disable the user IDs in the ILM Portal when I loaded the HR feed into ILM. In the HR feed I used the header employeestatus to disable the IDs, and in the inbound Synchronization Rule I mapped employeeStatus to Employeestatus for source and destination. When I try to Full Sync on HRMA, the user which I have to disable is not coming into the Metaverse. I mean at the time of running Full Sync on HRMA, in Export Statistics any Synchronization updates are showing in ILM MA.
Thanks and Regards,
Santosh Kumar
May 14th, 2009 10:22am
Santosh. Just to clarify your question, can you confirm in which stage you are not able to see the sync? Assuming you do Full Import and Full Syncs instead of Deltas:
1. Change employee status in HR Application.
2. Run Full Import HRMA.
3. Run Full Sync HRMA. (If you defined all flow rules at FIM Portal, you will not see any kind of flow at this time, until you sync with ILMMA.)
4. Then you have to run Export to ILMMA.
5. Wait 2-3 mins (because default configuration to reflect changes in FIM is 2 mins).
6. Run Delta Import ILMMA.
7. Run Delta Sync ILMMA.
8. Verify user status at MV. Now the user's status has to be disabled.
Note: Steps 4 to 8 consider that all attribute flows are defined at FIM Portal and the employeeStatus attribute import flow is also configured between FIM and MV at ILMMA.
Regards,
Diego.
May 14th, 2009 7:00pm
Hi Diego, at the time of Full Sync on MyHR MA, in the Export Statistics, when I click on Export attribute flow for ILMMA it was showing failed-creation-via-webservices. Actually my requirement was that I want to disable the user in AD. In the outbound user Sync Rule I mapped EmployeeStatus to UserAccountControl. In the HR feed I am passing employeeStatus as 514 (Number). I know you got my logic.
Thanks and Regards,
Santosh Kumar
May 18th, 2009 3:43pm
Hi Santosh. I understand you solved the problem? If not: in order to keep the house in order, it could be beneficial to create 2 AD Outbound Rules: 1 for AD Provision and the other for AD deprovision. For Deprovision you will have to configure at FIM portal:
1. Create a Set for Disabled users, with calculated members, based on the value of employeeStatus.
2. Configure AD Disabled Users Outbound Sync Rule with attributes:
-- dn; this if you want to set a new OU in AD, for example Disabled users.
-- userAccountControl = 514
3. Configure Workflow AD Disabled users referencing AD Disabled Users Outbound Sync Rule.
4. Configure a Policy referencing Set for Disabled users and Workflow for Disabled users.
Good luck,
Diego.
May 18th, 2009 6:00pm
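The constant `userAccountControl = 514` suggested in the post above, decoded as an added example that is not part of the original thread. 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), so flowing it as a constant also clears any other flags the account already carried; the sketch below compares that with setting only the disable bit. The account names and starting values are constructed for illustration.

```python
# Added example: userAccountControl is a bit field; values below are the
# documented Active Directory flag bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit is set, whatever else is set."""
    return bool(value & ACCOUNTDISABLE)


def disable_preserving(value):
    """Set only the disable bit and keep every other flag as it was."""
    return value | ACCOUNTDISABLE


def flags_lost_by_constant(current, constant=514):
    """Flags set on the account today that a constant flow would clear."""
    return decode_uac(current & ~constant)


# Constructed sample accounts (name -> current userAccountControl).
SAMPLE_ACCOUNTS = {
    "jdoe": 512,            # plain enabled user
    "svc-backup": 66048,    # 512 + DONT_EXPIRE_PASSWORD
    "card-user": 262656,    # 512 + SMARTCARD_REQUIRED
}


def review(accounts, constant=514):
    """Per account: what the constant flow drops, and the bit-preserving value."""
    return {
        name: {
            "constant_drops": flags_lost_by_constant(uac, constant),
            "preserving_value": disable_preserving(uac),
        }
        for name, uac in accounts.items()
    }


if __name__ == "__main__":
    for name, result in review(SAMPLE_ACCOUNTS).items():
        print(name, result)
```

When verifying the result in AD, test the disable bit (as `is_disabled` does) instead of comparing the attribute to 514, since a disabled account can legitimately hold other values.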
Hi Diego, I did the same thing as you explained in the steps above, but I have two queries:
1) When I try to create a set for Disabled users based on the value of EmployeeStatus = 514, I get an access denied error. For this I used the "description" pre-attribute in User, so instead of EmployeeStatus I am using "description contain disable" (Disable users must contain this description attribute as disable). When I click on view members, the list shows all disabled users (I am mapping EmployeeStatus = UserAccountControl in the AD Disable User OBSYNC Rule).
2) Two AD Outbound Rules: I had already created the AD User PROV OBSYNC Rule; following you, I created another AD User DPROV OBSYNC Rule. When I try to de-provision the user, every time it says "does not have a parent object in management agent "MyAD MA"." Here I created another MA for disabled users, that is DUSRADMA, but what shows in the stack trace is "does not have a parent object in management agent "MyAD MA "."
Thanks and Regards,
Santosh Kumar
May 22nd, 2009 8:47am
I don't think you need two AD MAs. The error you are seeing is normally because you haven't run a full import on an AD MA to bring the OUs you're trying to provision a user to into the AD MA connector space. I believe the suggestion was two outbound sync rules: one for provisioning/normal running, one for deprovisioning (not two AD MAs). When you get the change in state from HR that should trigger deprovisioning from AD, your user moves from the "enable AD" set to the "disable AD" set. This removes the normal AD sync rule and adds the deprovisioning AD sync rule.
Dave
Dave Nesbitt | Architect | Oxford Computer Group
May 22nd, 2009 12:00pm
Dear Dave, yeah, I got it. I removed another Management which I created for disabling the user. But Dave, running Full Synchronization on ILMMA I am getting sync-rule-flow-provisioning-failed, and the details in the stack trace are Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: An object with DN "CN=ys reddy,OU=ILMObjects,DC=sso,DC=com" already exists in management agent "MyAD MA". When I click on the user ysreddy, the expected rule entry shows AD User PROV OBSYNC Rule but not AD User DPROV OBSYNC Rule? Awaiting your response.
Thanks and Regards,
Santosh Kumar
May 22nd, 2009 1:53pm
If the user still has the prov rule, then your problem is in ILM2. Have they moved between the prov and deprov sets? Do you have a workflow to remove the prov rule when they do move between sets? If not, the user will still be in the prov rule which is trying to re-add them to AD.
Dave
Dave Nesbitt | Architect | Oxford Computer Group
May 22nd, 2009 2:24pm
Hi, I have a similar issue with deprovisioning. The users have an Enabled/Disabled employeeStatus in the ILM portal. Based on that I created:
- 2 sync rules: 1 for prov and 1 for deprov (only flowing userAccountControl and dn)
- 2 sets
- 3 action workflows: 1 to add the prov sync rule, 1 to remove the prov sync rule and 1 to add the deprov rule
- 3 MPRs: for the 3 workflows
Adding and removing the prov rules works just fine. Adding the deprov rule doesn't work. I verified the Disabled users set and the user shows up. MPR config:
- specific set of requestors: All Objects
- create resource, modify resource
- target before request: disabled users
- target after request: disabled users
- policy workflows: the workflow that adds the deprov sync rule.
Am I missing something here?
Regards,
Toni Bataraga
July 9th, 2009 12:29pm
Hi, I am having a similar situation; I am also trying to disable and move user objects in AD based on an employee status field. My config is as follows:
- Employee status field in HR file
- Sync rule to change user's dn to new OU
- Set named inactive users (can see the users here when the status changes to inactive)
- Workflow to put user in scope of sync rule
MPR config:
- Specific set of req: All People
- modify single valued attribute
- target before req: inactive users
- target after req: inactive users
It seems that the MPR is ignored. Any idea if something is wrong with the config?
Regards,
Johan Marais
November 17th, 2009 4:24pm