Systems - AD: Remove group membership when the contract is excluded
By default, when a contract is excluded, IdM will not remove the account's group membership but only set the account as inactive. However, it is possible to turn this behavior on for some AD roles or even all AD roles.
As a result of the setting shown below, when an identity's contract becomes inactive, this role will be removed from the contract and the account will stop being a member of the respective group in AD.
Change behavior for individual roles
If you don't want all the roles to behave this way, you can set this behavior for each role separately. First, go to the detail of the role in IdM by clicking the magnifying glass next to the role's name.
In the detail, go to Systems.
Open the system's detail by clicking the magnifying glass next to it.
In the system detail, open the attribute ldapGroups by clicking the magnifying glass next to it.
Check the checkbox next to "Skip value when contract is excluded" and save your changes. That's it, now the role and the account's group membership will be removed when the contract becomes inactive.
Turn this behavior on using the AD synchronization workflow
Alternatively, you can use the regular synchronization of AD groups to set this behavior for some or all AD roles since this synchronization uses our workflow to do many things related to managing AD groups.
First, I will show you how to turn this feature on for all AD roles.
In the left menu, go to Settings > Configuration.
Click the green Add button; a dialog will open. Type in the Key
idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion
and the Value "true".
Click save. During the next synchronization of AD groups, all AD roles (including existing ones) will automatically be set to be removed from inactive contracts.
You can also use this workflow to set this behavior for individual roles in bulk. As shown above, add a new property with Key
idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion
and as the Value, type in the names of the relevant roles separated by commas. You can only use this if your roles do not have a comma in their names, because the value is split on commas!
Click save. When the next synchronization runs, all roles listed in this Value will be set to be removed when the contract becomes inactive.
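The following is an added example, not part of this page or of the IdM workflow itself. It models how the two configuration properties above decide which AD roles get the "skip value when contract is excluded" behavior, and shows concretely why a comma inside a role name breaks the per-role list. The property keys are the ones given above; the configuration dictionary, the role names and the decision logic are constructed assumptions about how the workflow reads them, not the project's own code.

```python
"""Added example (not CzechIdM project code): decide, for a set of AD roles,
which ones the next AD group synchronization would flag for removal on
contract exclusion, based on the two configuration properties from the page.
The config dict and role names below are constructed sample data; the
decision logic is an assumption about how the workflow interprets them.
"""

# Property keys exactly as given on the page.
GLOBAL_KEY = "idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion"
PER_ROLE_KEY = "idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion"

# Constructed sample data: note the third role name contains a comma.
SAMPLE_ROLES = ["AD-Finance", "AD-HR", "AD-Sales, EMEA"]
SAMPLE_CONFIG = {PER_ROLE_KEY: "AD-Finance, AD-Sales, EMEA"}


def parse_role_list(value):
    """Split the comma-separated Value the way the page says it is used.
    A role whose own name contains a comma is split into fragments, which is
    exactly why the page warns against commas in role names."""
    return [name.strip() for name in value.split(",") if name.strip()]


def roles_to_update(config, all_roles):
    """Return the set of roles the next sync would flag.

    The global key set to "true" covers every role; otherwise only roles whose
    full name appears in the per-role list are selected (assumed semantics)."""
    if config.get(GLOBAL_KEY, "").strip().lower() == "true":
        return set(all_roles)
    listed = set(parse_role_list(config.get(PER_ROLE_KEY, "")))
    return {role for role in all_roles if role in listed}


def unmatched_role_names(config, all_roles):
    """Names in the per-role list that match no existing role.

    A non-empty result is the check an admin wants before relying on the
    bulk setting: it reveals a comma inside a role name (or a typo) that
    silently turned one role into fragments that will never match."""
    known = set(all_roles)
    return [n for n in parse_role_list(config.get(PER_ROLE_KEY, "")) if n not in known]


if __name__ == "__main__":
    print("flagged:", sorted(roles_to_update(SAMPLE_CONFIG, SAMPLE_ROLES)))
    print("unmatched fragments:", unmatched_role_names(SAMPLE_CONFIG, SAMPLE_ROLES))
```

Run against the sample data, only AD-Finance is flagged; "AD-Sales, EMEA" is never matched because the Value was split into "AD-Sales" and "EMEA", and `unmatched_role_names` reports both fragments, which is the check worth running after saving the property.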