• State Not Answered
  • Replies 22 replies
  • Subscribers 66 subscribers
  • Views 562 views
  • Users 0 members are here
Options
Related

Workflow vs Deprovisioning Policy

allison.lethy
8 days ago

Hi there...

I am trying to determine the order of operations between a deprovisioning policy and a a workflow with deprovisioning activities.

Here is what I need to do.  I need to set the Home Drive and Home Path so that the Home Folder deprov policy assigns the manager access to the home folder.

If I manually add the home drive and path in the user record first, then deprov user - the manager gets access.  But if I try to set it via either calling (1) a PreDeprovision script in the policy object or (2) add the two attributes with values to 'Properties to be Updated'.... then the manager is not getting access to the home folder.  The results pane says the user doesn't have a home folder.

I can't use a workflow... because it looks like these don't kickoff until AFTER a deprov policy object.

Any help would be appreciated!

Thanks

Parents
  • 0 5 days ago
    allison.lethy said:
    can't use a workflow... because it looks like these don't kickoff until AFTER a deprov policy object.

    Why does it matter when this happens so long as after all is said and done, the Manager has access to the home folder?

  • 0 5 days ago in reply to JohnnyQuest

    Throughout the deprov process, be it a Deprov policy object AND/OR Deprov Workflow - the setting of the home folder attributes is NOT being committed and therefore, assigning the manager READ permissions to the home folder does not happen.

    So... after all is said and done - the Manager does not have access to the home folder.

    The deprovisioned user does have the home folder attributes set once the deprov process completes.

Reply
  • 0 5 days ago in reply to JohnnyQuest

    Throughout the deprov process, be it a Deprov policy object AND/OR Deprov Workflow - the setting of the home folder attributes is NOT being committed and therefore, assigning the manager READ permissions to the home folder does not happen.

    So... after all is said and done - the Manager does not have access to the home folder.

    The deprovisioned user does have the home folder attributes set once the deprov process completes.

Children
  • 0 5 days ago in reply to allison.lethy

    Do you have any provisioning policy controlling the contents of the home folder property?

    Also, since you are having so much trouble getting that property set within your deprovisioning process, why can't you create a separate workflow to set the property and only then trigger your deprovisioning?  (I suggested this before)

  • 0 4 days ago in reply to JohnnyQuest

    Our provisioning policy does set the Home drive/path, but we run a script to clear those since we use GPOs for home folder redirection.  We have never mapped a drive to a home folder rather we just leverage ARS to get the initial home folder created.

    Regarding your recommendation to to create a separate workflow to set the property and then trigger the deprovisioning... how exactly would I accomplish that?

    Today, our frontline techs receive a work order to deprovision an employee.  They simply right-click the user and click deprovsion.  What you are suggesting sounds like that would change what our techs do.  Which is fine, provided it works.  What would be the trigger to kick off a Workflow to set the home folder property? And then, how would we kickoff the Deprovisioning Policy object from there?  Would this have to be two steps for our techs to deprovision a user?  

  • 0 4 days ago in reply to allison.lethy

    What I am thinking of would represent a minor modification of your process.

    1) Add a new virtual attribute (VA) and call something like edsvaPreDeprovision
    2) Using out-of-the-box customization of the Web UI, add a new right pane command and call it <Deprovision Prep>. This command would stamp the above attribute with "YES" or "TRUE" (this is codeless functionality available through the Web UI customization).
    3) Create a change workflow that watches for the change to edsvaPreDeprovision and when it detects it, stamps the home folder on the selected user.
    4) Create another Change Workflow that (via its start conditions) reacts to a combination of the VA having contents on the user ("property of workflow target object" ) and the home folder property being set ("changed property of workflow target [Requested Changes]"). This workflow will trigger the actual deprovision of the user (by way of a Deprovision Activity) that you drop into it.
    Now, when your techs get a request, they select the user in question and simply click on the new Deprovision Prep command.

  • 0 4 days ago in reply to JohnnyQuest

    Can I add this new Deprovision Prep command in the context menu of a user object in the mmc. console (right click user - Deprovision Prep?

    We do not use the web UI.

  • 0 4 days ago in reply to allison.lethy

    That's a pity.

    Yes, you could but it's much more complicated.  

    Alternatively, I suppose you could just expose the VA in the "other properties" (?) tab in the MMC, control its contents (for example must be blank or TRUE) and have the techs select it and save the change to trigger the workflow.

  • 0 4 days ago in reply to JohnnyQuest

    ya.. bummer.  If the techs have to open the user record to update the attribute... they might as well just update the home folder properties manually.

    It is awfully strange that each policy setting within a policy object is not SAVED after each one is applied.

    This seems like a simple task yet impossible to achieve.

    Thanks for your ideas.