Differences
This shows you the differences between two versions of the page.
tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded [2020/03/03 15:38] doischert created |
tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded [2021/03/11 18:29] (current) apeterova correction - roles are not removed in IdM, workflow doesn't support skip exclusion on all roles |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Systems - AD: Remove group membership when the contract is excluded ====== | ====== Systems - AD: Remove group membership when the contract is excluded ====== | ||
- | By default, when a contract is excluded, IdM will not remove the account' | + | By default, when a contract is excluded, IdM will not remove the account' |
- | As a result, when an identity' | + | As a result |
+ | |||
+ | However, the role will not be removed from the contract. When the exclusion of the identity' | ||
===== Change behavior for individual roles ===== | ===== Change behavior for individual roles ===== | ||
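Review bot: the added sentence "However, the role will not be removed from the contract." introduces "role" in an opening section that until then only talks about the account and its group membership, so the distinction the commit message makes ("roles are not removed in IdM") is easy to miss. Suggest stating explicitly in that paragraph that the role stays assigned in IdM for the whole exclusion and that only the AD group value is affected, so someone reviewing access for an excluded contract knows to look at the AD account's groups and not at the role assignments.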
Line 15: | Line 17: | ||
{{ : | {{ : | ||
- | Open the detail by clicking the magnifying glass, you will see this. | + | Open the detail by clicking the magnifying glass. You will see this. |
+ | |||
+ | {{ : | ||
+ | |||
+ | Open the detail of the attribute ldapGroups by clicking the magnifying glass. You will see this. | ||
+ | |||
+ | {{ : | ||
+ | {{ : | ||
+ | |||
+ | Check the checkbox next to "Skip value when contract is excluded" | ||
+ | |||
+ | ===== Set this behavior on using the AD synchronization workflow ===== | ||
+ | |||
+ | Alternatively, you can use the regular synchronization of AD groups to set this behavior for some AD roles since this synchronization uses our [[tutorial: | ||
+ | |||
+ | <note tip>This requires you to have the current workflow from the Extras module! Older versions | ||
+ | <note tip>For now, the workflow can not be used to set this behavior to all AD roles, only for individual roles set in its configuration.</ | ||
+ | |||
+ | In the left menu, go to Settings > Configuration. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Then when you click the green button Add, a dialog will open. | ||
+ | |||
+ | Type in Key | ||
+ | |||
+ | < | ||
+ | |||
+ | and as a Value, type in the names of the relevant roles separated by comma. You can only use this if your roles do not have a comma in their names! | ||
+ | |||
+ | {{ : | ||
+ | Click save. When the next synchronization runs and creates new roles, the roles specified in the Value here will be set so their respective groups will be removed from the account, when the contract of the account' | ||
+ | If the roles already exist and you want to set this behavior to them during the synchronization, | ||
- | ===== Set it on for all roles in the AD synchronization workflow ===== | + | < |
+ | and Value " | ||
+ | {{ : | ||
+ | Click save. During the next synchronization of AD groups, all AD roles specified in the property '' | ||
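Review bot: the comma restriction in the added line "You can only use this if your roles do not have a comma in their names!" sits in plain body text after the Value instruction and does not say what happens when it is violated. Because the Value is a comma-separated list of role names, a role whose name contains a comma cannot be written in it as one entry, and the visible text gives no sign that the administrator would be told the setting was not applied, in which case the group would stay on the account during exclusion. Suggest moving the restriction into a note placed before the Value step and adding a verification step after "Click save": once the synchronization has run, open the role's ldapGroups attribute as described in the section above and confirm that "Skip value when contract is excluded" is checked. Two smaller points in the same hunk: the new heading "Set this behavior on using the AD synchronization workflow" reads better as "Set this behavior using the AD synchronization workflow", and the second note ("the workflow can not be used to set this behavior to all AD roles") is a limitation, so "cannot" and a stronger note type than tip would fit it better.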