on 02-16-2015 7:06 PM
Hi there,
I have a requirement, as part of the deprovisioning process, to remove all AD group memberships except for Domain Users.
Has anyone done this before? All of my attempts on this have failed.
Thanks,
Matt
Matt,
Are you storing all of the AD groups as privileges? Just curious as to how complicated a scenario we are talking about.
We do not sync all our AD Groups, but this was something that was requested of us when disabling AD users. I used a two step process.
In task one, I have a To Identity Store for the user that uses a script to retrieve the "memberof" attribute from AD and replace the separator from the LDAP function with a "|". This is then written to a multivalue attribute on the user's identity.
In task two, I have a To Generic that has a script that cycles all of the entries of the multivalue attribute, calling the deprovisioning task to remove an individual group from the user. In this script, you can set rules to skip certain groups.
If that would work for you, I can give you the full details, but those are the broad strokes.
Jared
The only other thing I can think of is using a powershell script, that is triggered by IDM. We use one to remove a user from all his mailing lists when he leaves the company, because we don't manage those via IDM either.
Regards,
Steffi.
We usually use a batch job with a ToIdentityStore pass for this.
Source tab: depending on the process, either a request object or the valid date (or whatever) is used to determine which users shall be processed each day (scheduled nightly if time-dependent, or called using uRunJobNow if processed on the same day).
Destination: All PRIV:GROUP's of the users are selected with a {D} using a script (plus any other privileges like Java or SAP or ...)
Additionally we use our own plugins to handle the deprovisioning.
If you are not syncing all groups, use a batch job with a FromLDAP and a filter on all users which shall be deprovisioned, or re-call the job (using two jobs alternately).
Hi Matt,
Just wondering if this will work; I haven't tested it yet. If the groups are assigned as Privs, then in the deprovisioning task we can use the {R} or {M} operator:
"MXREF_MX_PRIVILEGE {R}<PRIV:AD:DOMAIN_USER>|{R}<PRIV_AD_ONLY>"
or
"MXREF_MX_PRIVILEGE {M}<PRIV:AD:DOMAIN_USER>|{M}<PRIV_AD_ONLY>"
As per the definition, it should remove all the Privs first and then add only the Domain and ONLY privs. Let me know if it works.
Kind regards,
Jaisuryan
Hello Matt,
Could a similar approach work here as for the other deprovisioning: deprovision all groups and, as a next step, provision the "Domain Users" group back?
There is a script, that checks which groups have to be assigned or removed. Maybe you could copy and edit this, so that it always skips this specific group?
Just a bit of brainstorming. We don't have something like this in our system (yet? ^^).
Regards,
Steffi.