Use Case
Let’s talk about a request I get on various HR to AD Sync MIM deployments. The use case has to do with immediate terminations. The HR record says that the employee status is “Active”, and the requirement is that MIM should enable an AD account if the HR status is “Active”. For immediate terminations, HR contacts IT directly and asks for the AD account to be disabled. But when the MIM sync job runs, say every hour, it will re-enable the account because the status still says active. The HR termination will arrive, say, the next day.
There are several possible solutions; here is one of mine.
Solution
Sync Engine
On the AD MA
Make the UserAccountControl (UAC) attribute flow from AD into the MV as a direct flow.
| Data Source Attribute | Flow | Metaverse Attribute | Mapping Type | Flow Nulls | Comments |
|---|---|---|---|---|---|
| Object Type: user | | Object Type: person | | | |
| UserAccountControl | → | UserAccountControl | Direct | | |
On the HR MA
Flow the EmployeeStatus into the MV UAC.

| Data Source Attribute | Flow | Metaverse Attribute | Mapping Type | Flow Nulls | Comments |
|---|---|---|---|---|---|
| Object Type: Person | | Object Type: person | | | |
| EmployeeStatus | → | UserAccountControl | RulesExtension | | “UAC” See logic details below |
In your extension code, only enable the account if the AD MA has not already disabled it.

UAC:
- If mv.uac is present AND cs.employeeStatus = Active AND mv.LastContributingMA is not ADMA AND mv.uac is not 514, then set UAC to 512.
- If mv.uac is NOT present AND cs.employeeStatus = Active, then set UAC to 512.
- If cs.employeeStatus = Withdrawn, set UAC to 514.
In the MV, set the precedence to Manual.
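The three UAC rules above, written as a stand-alone C# function and run over a constructed timeline. This is an added example, not the author's extension code: the `DecideUac` helper and the MA name `HRMA` are assumptions, and in a real rules extension the inputs would be read from `mventry` and `csentry` instead of a sample array.

```csharp
using System;

static class UacFlowDemo
{
    const long Enabled = 512, Disabled = 514;   // userAccountControl values used on this page
    const string AdMa = "ADMA", HrMa = "HRMA";  // "HRMA" is an assumed MA name

    // Returns the value the HR import flow should write to the metaverse UAC,
    // or null to leave the current metaverse value untouched.
    static long? DecideUac(long? mvUac, string lastContributingMa, string employeeStatus)
    {
        if (employeeStatus == "Withdrawn") return Disabled;        // rule 3
        if (employeeStatus != "Active") return null;               // status not covered by the rules
        if (mvUac == null) return Enabled;                         // rule 2: nothing has flowed yet
        if (lastContributingMa != AdMa && mvUac != Disabled)       // rule 1
            return Enabled;
        return null;                                               // AD-contributed or disabled value stands
    }

    static void Main()
    {
        long? mvUac = null;       // metaverse userAccountControl
        string lastMa = null;     // MA that last contributed it

        // Constructed timeline: which MA imports, what it carries, and why.
        var events = new (string Ma, string Value, string Note)[] {
            (HrMa, "Active",    "new hire"),
            (AdMa, "512",       "AD account imported as enabled"),
            (AdMa, "514",       "IT disables the account on HR's request"),
            (HrMa, "Active",    "hourly sync, HR record not yet updated"),
            (HrMa, "Withdrawn", "HR termination arrives the next day"),
            (HrMa, "Active",    "HR status flips back to Active"),
        };

        foreach (var e in events)
        {
            // AD MA is a direct flow; HR MA goes through the rules above.
            long? result = e.Ma == AdMa ? long.Parse(e.Value)
                                        : DecideUac(mvUac, lastMa, e.Value);
            if (result != null) { mvUac = result; lastMa = e.Ma; }
            Console.WriteLine($"{e.Ma,-4} {e.Value,-9} -> mv.uac={mvUac} last={lastMa}  ({e.Note})");
        }
    }
}
```

The hourly HR sync after the IT disable leaves the value at 514, and so does the final event, because rule 1 refuses to overwrite a disabled account.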
In the Portal
How can we restore HR as the controller for enabling/re-enabling that particular account?
If the account is enabled in the future by HR, this will re-enable the account and allow HR to disable the account.
- Create a Termination set with criteria Termination Date or Last Day Work is present and Status is “Withdrawn”
- Create a PowerShell Workflow to re-enable the account.
- Create a transition-Out MPR to trigger the workflow.