| Both sides previous revision
Previous revision
Next revision
|
Previous revision
|
tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded [2020/03/04 07:57]
doischert |
tutorial:adm:systems_-_ad_remove_group_membership_when_the_contract_is_excluded [2021/03/11 18:29] (current)
apeterova correction - roles are not removed in IdM, workflow doesn't support skip exclusion on all roles |
| ====== Systems - AD: Remove group membership when the contract is excluded ====== | ====== Systems - AD: Remove group membership when the contract is excluded ====== |
| |
| By default, when a contract is excluded, IdM will not remove the account's group membership but only set the account as inactive. However, it is possible to turn this behavior on for some AD roles or even all AD roles. | By default, when a contract is excluded, IdM will not remove the account's group membership but only set the account as inactive. However, it is possible to turn this behavior on for some AD roles. |
| |
| As a result of the setting shown below, when an identity's contract becomes inactive, this role will be removed from the contract and the account will stop being a member of the respective group in AD. | As a result of the setting shown below, when an identity's contract becomes excluded, the account will stop being a member of the respective group in AD. |
| | |
| | However, the role will not be removed from the contract. When the exclusion of the identity's contract ends, the account will be set to the group in AD again. The business use case is simple: during the contract exclusion (e.g. parental leave), remove the accounts of the identities from some AD groups, but once the exclusion ends, return original group membership to them so they can work again. |
| |
| ===== Change behavior for individual roles ===== | ===== Change behavior for individual roles ===== |
| {{ :tutorial:adm:systems_-_ad:05.png?direct&600 |}} | {{ :tutorial:adm:systems_-_ad:05.png?direct&600 |}} |
| |
| Check the checkbox next to "Skip value when contract is excluded" and save your changes. That's it, now the role and the account's group membership will be removed when the contract becomes inactive. | Check the checkbox next to "Skip value when contract is excluded" and save your changes. That's it, now the the account's group membership will be removed when the contract becomes excluded. |
| |
| ===== Set this behavior on using the AD synchronization workflow ===== | ===== Set this behavior on using the AD synchronization workflow ===== |
| |
| Alternatively, you can use the regular synchronization of AD groups to set this behavior for some or all AD roles since this synchronization uses our [[tutorial:dev:ad_groups_sync_workflow|workflow]] to do many things related to managing AD groups. | Alternatively, you can use the regular synchronization of AD groups to set this behavior for some AD roles since this synchronization uses our [[tutorial:dev:ad_groups_sync_workflow|workflow]] to do many things related to managing AD groups. You can configure the workflow to set the behavior only on creating of the roles, or anytime the synchronization runs. |
| | |
| First, I will show you turn this feature on for all AD roles. | |
| |
| <note tip>This requires you to have the current workflow from the Extras module! Older versions will not support this.</note> | <note tip>This requires you to have the current workflow from the Extras module! Older versions will not support this.</note> |
| <note warning>Be very careful here and make sure that you really want all AD roles to be removed from the contract when the contract becomes inactive!</note> | <note tip>For now, the workflow can not be used to set this behavior to all AD roles, only for individual roles set in its configuration.</note> |
| |
| In the left menu, go to Settings > Configuration. | In the left menu, go to Settings > Configuration. |
| {{ :tutorial:adm:systems_-_ad:06.png?direct&600 |}} | {{ :tutorial:adm:systems_-_ad:06.png?direct&600 |}} |
| |
| Then when you click the green button Add, a dialog will open. Type in Key | Then when you click the green button Add, a dialog will open. |
| |
| <code>idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion</code> | Type in Key |
| |
| and Value "true" as shown here. | <code>idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion</code> |
| |
| {{ :tutorial:adm:systems_-_ad:07.png?direct&600 |}} | and as a Value, type in the names of the relevant roles separated by comma. You can only use this if your roles do not have a comma in their names! |
| |
| Click save. During the next synchronization of AD groups, all AD roles will automatically set to be removed from inactive contracts (even existing ones. | {{ :tutorial:adm:systems_-_ad:08.png?direct&600 |}} |
| |
| You can also use this workflow to set this behavior for individual roles in bulk. As shown above, add a new property with Key | Click save. When the next synchronization runs and creates new roles, the roles specified in the Value here will be set so their respective groups will be removed from the account, when the contract of the account's owner becomes excluded. |
| |
| <code>idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion</code> | If the roles already exist and you want to set this behavior to them during the synchronization, you must specify also another property. As shown above, add a new property with Key |
| |
| and as a value, type in the names of the relevant roles separated by comma. You can only use this if your roles do not have a comma in their names! | <code>idm.pub.acc.syncRole.roles.update.nameOfRoles.manageSentValueOnExclusion</code> |
| | |
| | and Value "true" as shown here. |
| | |
| | {{ :tutorial:adm:systems_-_ad:07.png?direct&600 |}} |
| | |
| | Click save. During the next synchronization of AD groups, all AD roles specified in the property ''idm.pub.acc.syncRole.roles.nameOfRoles.doNotSentValueOnExclusion'' will be set to this behavior. |
| |
| {{ :tutorial:adm:systems_-_ad:08.png?direct&600 |}} | |