Workflow vs Deprovisioning Policy

Hi there...

I am trying to determine the order of operations between a deprovisioning policy and a workflow with deprovisioning activities.

Here is what I need to do.  I need to set the Home Drive and Home Path so that the Home Folder deprov policy assigns the manager access to the home folder.

If I manually add the home drive and path in the user record first, then deprov user - the manager gets access.  But if I try to set it via either calling (1) a PreDeprovision script in the policy object or (2) add the two attributes with values to 'Properties to be Updated'.... then the manager is not getting access to the home folder.  The results pane says the user doesn't have a home folder.

I can't use a workflow... because it looks like these don't kick off until AFTER a deprov policy object.

Any help would be appreciated!

Thanks

  • Hello,

    This is configurable:

    Solution Title: Resolving a race condition between an Active Roles Policy and an Active Roles Approval Workflow
    Solution Number: 4338998
    Solution URL: https://support.oneidentity.com/kb/4338998 

    Setting the edsvaPrecedeWorkflowActivities boolean on the Workflow will change it so it runs first.

  • I did create a workflow to run a script (onPreProvision) to set the Home Folder attributes.  I want this workflow to run first.  The Deprov Policy object has edsvaPrecedeWorkflowActivities=False. That was the default setting.  If False, then the Workflow should run first.

    But it is not.  When I look at the Deprov results, it is clearly showing timestamps that the policy objects settings are running first, then the workflow.

  • Rather than triggering on Deprovisioning per se, why don't you trigger based on the setting of a virtual attribute - for example, edsvaTriggerPreDeprovisionAction and have this be the start condition for your Change Workflow that handles the home folder stuff?

  • I'm hoping to not have to use a workflow to achieve this.  It really seems like it should be straight forward but I am getting inconsistent results.

    In my Deprov Policy Object, in this order:

    1. Run script to set home folder.  I assume by using $dirobj.setinfo() that the home folder settings are actually being saved ... so that #4 below will see that a home folder exists and give manager READ access.

    function onPreDeprovision($Request)
    {
        # Write the home folder attributes to the user being deprovisioned.
        # Set-QADUser commits this change on its own.
        Set-QADUser $Request.DN -HomeDrive "H:" -HomeDirectory "\\lethbridge\users\cityhome\%username%"
        # SetInfo() only commits attribute values staged with Put() on $DirObj;
        # nothing was staged here, so this call has nothing to save.
        $DirObj.SetInfo()
    }

    2. Make account ineligible for login (disable account)

    3. Delete account after 30 days

    4. Prevent user from accessing home folder (assign read access to manager)

    5. Move the user to a different OU.

    After deprovisioning a user, all is good EXCEPT for the Home Folder settings.  It says it is skipped because there is no home folder for the user.  UGH!

    If I add the home folder on the user's AD Profile tab first... and then deprovision... all works as it should.

    I will also say that I have had the Deprov policy work twice out of 50 times trying.  Which makes it even more difficult to troubleshoot.

    Any help would be super appreciated.
