Deprovisioning defines what happens to a connector space object once it has been disconnected from its metaverse object. In some cases you want several things to happen at that point. The interesting thing is that the deprovisioning logic can live either in the management agent (MA) extension code or in the metaverse (MV) extension code, so when do you use which?
In the cases below we are looking at an HR feed into FIM/MIM, followed by provisioning to Active Directory (AD). This is classic provisioning.
Case 1 – Process terminated employee record
In this case the HR feed controls projection into the MV: the HR feed projects and the AD account joins. AD never projects. The MV object deletion rule is set to delete the MV object when the HR feed connector is disconnected.
When a user is terminated in the HR feed, I want:
- the AD account disabled
- the AD account moved to the disabled OU
- the date it was disabled written to the description attribute
Code for Case 1
Put the code in the AD MA management agent extension. Here is a sample:
DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
{
    const int ADS_UF_ACCOUNTDISABLE = 0x2;    // Disable user account
    const int ADS_UF_PASSWD_NOTREQD = 0x20;   // No password is required
    const int ADS_UF_NORMAL_ACCOUNT = 0x200;  // Typical user account
    // Assumed value: the DN of the OU that holds disabled accounts; adjust to your forest.
    const string ADDisabledContainer = "OU=Disabled Users,DC=example,DC=com";

    Logging.Log("About to start Deprovisioning action", true, 5);

    switch (csentry.ObjectType)
    {
        case "user":
            // Disable the user account in Active Directory and move
            // the account to another container.
            long currentValue = ADS_UF_NORMAL_ACCOUNT;   // default when the attribute is absent
            if (csentry["userAccountControl"].IsPresent)
            {
                currentValue = csentry["userAccountControl"].IntegerValue;   // keep the existing flags
            }
            // Note: ADS_UF_PASSWD_NOTREQD is not needed to disable the account and lets it carry
            // an empty password if it is ever re-enabled; omit it unless your environment requires it.
            csentry["userAccountControl"].IntegerValue = currentValue | ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD;

            // Write the terminated date to the description attribute (UTC, since a "Z" suffix is appended)
            DateTime currentDate = DateTime.UtcNow;
            string DATE_FORMAT = "yyyyMMddHHmmss";
            string currentDateString = currentDate.ToString(DATE_FORMAT) + "Z";
            csentry["description"].Value = currentDateString;

            // Move the disabled user account to another container.
            string rdn = "CN=" + csentry["cn"].Value;
            ManagementAgent ma = csentry.MA;   // the AD MA whose rule is running
            ReferenceValue dn = ma.EscapeDNComponent(rdn).Concat(ADDisabledContainer);
            csentry.DN = dn;

            // Leave the object in the connector space as a normal disconnector (the sync rules may
            // join or project it again). Return DeprovisionAction.ExplicitDisconnect instead if the
            // object must never join or project into the metaverse again.
            return DeprovisionAction.Disconnect;

        default:
            throw new UnexpectedDataException("There are no deprovisioning rules setup for " + csentry.ObjectType);
    }
}
Case 2 – FTE to Contractor conversion
In this case the AD feed controls projection into the MV: AD projects and the HR feed joins. HR projects new employee accounts only. The MV object deletion rule is set to delete the MV object when the AD connector is disconnected.
We want to look at full-time employee (FTE) to contractor conversion. When an FTE converts to a contractor, how can we break the connection between the HR feed and the AD account? The FTE's AD account is joined to the HR feed via the employee number in the HR record. As long as that link remains, the HR record governs the status of the AD account. To become a contractor the FTE must have resigned, which means the HR record is terminated, and that translates to a disabled AD account. FIM/MIM will keep disabling the AD account as long as the link remains.
Let's say there is a "Contractors" OU in AD. Once the AD account has been moved to the Contractors OU, we want FIM/MIM to break the HR connection.
Code for Case 2
Put the code in the metaverse extension. Here is a sample:
void IMVSynchronization.Provision(MVEntry mventry)
{
    // Begin the deprovision code for HR Object
    ConnectedMA HRSQLMA = mventry.ConnectedMAs["HRSQLDBMA"];
    if ((HRSQLMA.Connectors.Count == 1) && (mventry["DistinguishedName"].IsPresent))
    {
        CSEntry csentry = HRSQLMA.Connectors.ByIndex[0];
        // Assumed OU name "Contractors": once the account sits there, disconnect the HR record
        if (mventry["DistinguishedName"].Value.IndexOf("OU=Contractors,", StringComparison.OrdinalIgnoreCase) >= 0)
            csentry.Deprovision();
    }   // End of deprovision code for HR Object
}
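Added example (my own code, not from the original post and not part of the FIM/MIM API): pure C# helpers that isolate the two decisions the rules above make, so they can be unit-tested outside the sync engine. DisabledUac builds the new userAccountControl while preserving whatever flags the account already has, and IsUnderOu decides contractor-OU membership by RDN instead of substring, generalizing from the immediate parent OU to any ancestor; the OU name "Contractors" is the page's, and the DN splitting is assumed to be enough for the DNs your AD MA produces.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class DeprovisionHelpers
{
    public const int ADS_UF_ACCOUNTDISABLE = 0x2;
    public const int ADS_UF_NORMAL_ACCOUNT = 0x200;

    // Returns the userAccountControl to write when disabling. Existing flags
    // (e.g. DONT_EXPIRE_PASSWORD, 0x10000) are preserved; only the disable bit
    // is added. A missing value (null) falls back to a normal account.
    public static long DisabledUac(long? current)
    {
        long value = current ?? ADS_UF_NORMAL_ACCOUNT;
        return value | ADS_UF_ACCOUNTDISABLE;
    }

    // True when the object's parent container, or any ancestor, is the named OU.
    // Comparing whole RDNs means "OU=Contractors Archive" or a CN containing the
    // text "Contractors" does not count, unlike a plain substring test.
    public static bool IsUnderOu(string dn, string ouName)
    {
        string[] rdns = SplitDn(dn);
        for (int i = 1; i < rdns.Length; i++)        // index 0 is the object's own RDN
        {
            if (string.Equals(rdns[i], "OU=" + ouName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Splits an LDAP DN into RDN strings, keeping backslash-escaped commas
    // (e.g. "CN=Doe\, Jane") inside their RDN.
    private static string[] SplitDn(string dn)
    {
        var parts = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            if (dn[i] == '\\' && i + 1 < dn.Length) { current.Append(dn[i]).Append(dn[++i]); continue; }
            if (dn[i] == ',') { parts.Add(current.ToString().Trim()); current.Clear(); continue; }
            current.Append(dn[i]);
        }
        parts.Add(current.ToString().Trim());
        return parts.ToArray();
    }
}
```

With these, the metaverse rule reduces to IsUnderOu(mventry["DistinguishedName"].Value, "Contractors") and the AD MA rule to DisabledUac(current), each of which can be covered by a plain unit test before the extension DLL is deployed.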