Deprovision refers to what will happen to an object once it has been disconnected from the metaverse object. There are certain cases where you want to do several things. The interesting thing is that you can do deprovision in the management agent extension code or you can do it in metaverse extension code, so when do you use it?
In the cases below we are looking at HR feed to FIM/MIM and then provisioning to Active Directory (AD). This is classic provisioning.
Case 1 – Process terminated employee record
In this case HR feed controls the projection into the MV, so HR feed projects and then AD account joins. AD does not project. The MV object deletion rule is set to delete the MV object when the HR feed is disconnected.
When a user is terminated in HR Feed, I want
- AD account is disabled
- AD account is moved to disabled OU
- Put Date disabled in the description field
Code for Case 1
Put the code in the AD MA management agent extension code. Here is a sample
DeprovisionAction IMASynchronization.Deprovision (CSEntry csentry)
{
DeprovisionAction tempDeprovision;
const int ADS_UF_ACCOUNTDISABLE = 0X2; // Disable user account
const int ADS_UF_PASSWD_NOTREQD = 0X20; // No password is required
const int ADS_UF_NORMAL_ACCOUNT = 0X200; // Typical user account
switch (csentry.ObjectType)
{
case “user”:
Logging.Log(“About to start Deprovisioning action”, true, 5);
// Disable the user account in Active Directory and move
// the account to another container.
long currentValue = 0;
if (csentry[“userAccountControl”].IsPresent)
{
currentValue = csentry[“userAccountControl”].IntegerValue;
}
else
{
currentValue = ADS_UF_NORMAL_ACCOUNT;
}
csentry[“userAccountControl”].IntegerValue = currentValue | ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD;
//Write Terminated date to description attribute
DateTime currentDate = DateTime.Now;
string DATE_FORMAT = “yyyyMMddHHmmss”;
string currentDateString = currentDate.ToString(DATE_FORMAT) + “Z”;
string csentryValue = “description”;
csentry[csentryValue].Value = currentDateString;
// Move the disabled user account to another container.
string rdn = “CN=” + csentry[“cn”].Value;
ManagementAgent ma = Utils.MAs[MAName];
ReferenceValue dn = ma.EscapeDNComponent(rdn).Concat(ADDisabledContainer);
csentry.DN = dn;
// Leave the object in the connector space and never join or project
// this object into the metaverse.
tempDeprovision = DeprovisionAction.Disconnect;
break;
default:
throw new UnexpectedDataException(“There are no deprovisioning rules setup for ” + csentry.ObjectType);
}
return tempDeprovision;
}
Case 2 – FTE to Contractor conversion
In this case AD feed controls the projection into the MV, so AD feed projects and then HR Feed joins. HR projects new employee accounts only. The MV object deletion rule is set to delete the MV object when the AD feed is disconnected.
We want to look at full-time employee (FTE) to contractor conversion. When an FTE converts to FTE how can we break the connection between the HR Feed and the AD account? The FTE AD account is connected to the HR Feed via the employee number in HR records. As long as that link remains the HR record will govern the status of the AD account. To convert to contractor, the FTE must have resigned which means the HR record is terminated, this will translate to a disabled AD account. FIM/MIM will continue to disable the AD account as long as the link remains.
Lets say there is a “Contractors” OU in AD such that the AD account is moved to the contractors OU we want FIM/MIM to break that HR connection once the AD account is in the contractors OU.
Code for Case 2
Put the code in the Metaverse extension code. Here is a sample
void IMVSynchronization.Provision(MVEntry mventry)
{
switch (mventry.ObjectType)
{
case “person”:
//Begin the deprovision code for HR Object
ConnectedMA HRSQLMA = mventry.ConnectedMAs[“HRSQLDBMA”];
if ((HRSQLMA.Connectors.Count == 1) && (mventry[“DistinguishedName”].IsPresent))
{
if (mventry[“DistinguishedName”].Value.Contains(“Contractor”))
{
CSEntry csentry = HRSQLMA.Connectors.ByIndex[0];
csentry.Deprovision();
}
}
//End of deprovision code for HR Object
tlktechidentitythoughts 
Great article. In case 1, where do you define ADDisabledContainer? and in what format does it need to be? I’ve tried defining it as “,OU=DisabledUsers,DC=domain,DC=com” but it fails to concatinate with the CN attribute and construct the proper object DN.
LikeLike
There is no comma at the beginning, MIM handles that
ADDisabledContainer = “OU=DisabledUsers,DC=domain,DC=com”
That might be throwing it off
LikeLike
This was very helpful, thank you!
LikeLike
I cannot figure out why case 1 isn’t working in production, but (as usual) works on my machine. MIM version and patch level are identical. For some reason in PROD, the HR import/sync correctly deletes MV object, but the following AD MA import/sync run doesn’t seem to run the Extension, so there is no “updates” detected.
Rules extension has been configured in the same way for the AD MA in both environments…any tips what to investigate?
LikeLike
Did you make a change to the object in AD? if there is delta change to any of the attributes in scope for the sync the sync process will not be triggered
LikeLike
I like the coded deprov method above but have an interesting twist. The first part of the scenario is to disable the user in AD (as above). This is triggered by an attribute being set in the MV representing a datetime (string value). The second part is to delete the object in AD nndays after the attribute was set. My naivety in coding is causing some struggles! Any help would be appreciated
LikeLike