ILM2 Run Statistics and Provisioning Anomolies
I've noticed a few "anomalies" whilst running ILM2 recently and want to check that the team are aware of these, or not, before raising a formal bug.
We are using ILM2 codeless provisioning: sync rules, sets and MPRs to handle provisioning and deprovisioning to a couple of simple SQL DB MAs (actually our own XMAs)
For each MA, I have configured two sets: users entitled to the application and users no longer entitled. When a user moves from one set to the other, the outbound sync rule is removed. This all works perfectly, a user is marked as a leaver in HR, the change is exported to ILM2, the sync rule is removed and the user is disconnected from the MA.
BUT (and I think this is a fairly big but), the provisioning disconnect is not reported in any of the run stats. I can see EREs being deleted on the import from ILM2, but no mention is made of a provisioning disconnect. Given that the disconnection rule is "export delete" this has very serious consequences as there is no record of the deletions - just the deletions themselves when you run an export.
On a related note, we've noticed that ILM2 doesn't appear to do a provisioning add/delete when you run a full sync. The old pending export remains in the CS and doesn't reevaluate its attributes. We updated an attribute on such an object from an import source, ran a full sync but the old value remained on the provisioning add. The mv object was changed, but no changes to the pending export. We had to delete the pending export manually to get provisioning to re-run and re-create the object with the correct values.
Have others noticed these? Have they been reported? Is this a bug or just how it works?
Dave
May 21st, 2009 7:50pm
No-one has any comments on this? OK, I'll post as a bug in ConnectThanks,DaveDave Nesbitt | Architect | Oxford Computer Group
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2009 12:43pm