Respected Contributor.

Clear Manager Attribute from AD upon Termination

Hi,

I am trying to remove or clear the manager attribute in AD after a user has been Terminated. In our AD driver I have called the clear Source attr Manager and clear Source attr ManagerWorkforceID. This successfully removes these fields from eDir. I go to AD and the Manager is still there. I see the RL processing the call but it wants to add the manager back in. I assume this has to do with eDir and AD attribute differences and AD not allowing a blank value to be placed in Manager field? Has someone set this up before? To remove/clear the manager field from AD when a user is terminated? Any help is greatly appreciated.

Thanks!
Casey
15 Replies
Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination

On your microsoft active directory (MAD) driver config you can add a
policy that detects the termination (however that happens) and then
deletes the target attribute value, though in theory if you have one
driver remove the attribute in eDirectory (the Identity Vault (IDV)) then
that should flow through the other drivers too. It may help us understand
better if you describe the source of the terminate, and post a trace of
the MAD side. An add of a zero-length something is not the same as a
removal of something else, so if you are seeing the former, something is
wrong.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination

cosborne;2482356 wrote:
Hi,

I am trying to remove or clear the manager attribute in AD after a user has been Terminated. In our AD driver I have called the clear Source attr Manager and clear Source attr ManagerWorkforceID. This successfully removes these fields from eDir. I go to AD and the Manager is still there. I see the RL processing the call but it wants to add the manager back in. I assume this has to do with eDir and AD attribute differences and AD not allowing a blank value to be placed in Manager field? Has someone set this up before? To remove/clear the manager field from AD when a user is terminated? Any help is greatly appreciated.

Thanks!
Casey


I have "similar" logic (cleanup of the manager attribute) during termination and have never had any issue with this process.

Casey, I have a number of questions about your data flow:
1. What driver removes the manager attribute during termination?
I hope that you use a special driver with business logic for this operation. The AD driver detects changes in eDir and propagates this change to AD.

2. Do you have any "move" activity during your termination process? (for example move object from Active to Inactive OU)

I completely agree with Aaron: if you really expect help - please provide trace of these events. Better from both ends (engine and remote loader)

Alex
Respected Contributor.

Re: Clear Manager Attribute from AD upon Termination

al_b;2482358 wrote:
I have "similar" logic (cleanup of the manager attribute) during termination and have never had any issue with this process.

Casey, I have a number of questions about your data flow:
1. What driver removes the manager attribute during termination?
I hope that you use a special driver with business logic for this operation. The AD driver detects changes in eDir and propagates this change to AD.

2. Do you have any "move" activity during your termination process? (for example move object from Active to Inactive OU)

I completely agree with Aaron: if you really expect help - please provide trace of these events. Better from both ends (engine and remote loader)

Alex


1. Currently we do not remove Manager at Termination. I am adding it to the AD driver since that is where we got the request: we need Manager removed from the user's AD account when termed. The driver that triggers the term is in most cases our HR Termination driver that processes terminations for employees. This flips the user status to Terminated. We key off of user status in our Loopback driver for some things, and in the AD driver for the user AD object.

2. Yes, we do perform a move of the user AD object upon Termination to a Disabled OU. In fact we recently added code to keep the DirXML-ADContext field updated when the AD object is moved. In the past, when the AD object was moved to the Disabled OU, the DirXML-ADContext would blank out. The move is successful, the attributes are removed from eDir, but Manager is not removed from the AD object.
Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination

Assuming the manager attribute is in the Filter properly, and the
association is current, and the event is not otherwise vetoed, and rights
in microsoft active directory (MAD) allow IDM to clear this, it should
work. Let's see the trace from engine and Remote Loader (RL) of the
terminate from the perspective of the MAD driver config.

Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination

On 6/11/2018 6:54 PM, cosborne wrote:
>
> Hi,
>
> I am trying to remove or clear the manager attribute in AD after a user
> has been Terminated. In our AD driver I have called the clear Source
> attr Manager and clear Source attr ManagerWorkforceID. This successfully
> removes these fields from eDir. I go to AD and the Manager is still
> there. I see the RL processing the call but it wants to add the manager
> back in. I assume this has to do with eDir and AD attribute differences
> and AD not allowing a blank value to be placed in Manager field? Has
> someone set this up before? To remove/clear the manager field from AD
> when a user is terminated? Any help is greatly appreciated.


So if your AD driver, Sub channel, does a clear Source Attr of Manager,
that will not loop back into AD since the driver itself did the work.

Now as it turns out, the way the AD driver works, if you were in the Pub
channel and did clear source attr, that would update AD, which would
initially loop back to the IDV. Normally, since the change comes from
the IDV, Optimize Modify checks, sees the values are the same, and
determines that no change is necessary, so it effectively does not loop
back. Or more correctly, the loop quickly tamps down.

But in this case, since the IDV would be different, it should flow the
change to the IDV.


Respected Contributor.

Re: Clear Manager Attribute from AD upon Termination

geoffc;2482374 wrote:
On 6/11/2018 6:54 PM, cosborne wrote:
>
> Hi,
>
> I am trying to remove or clear the manager attribute in AD after a user
> has been Terminated. In our AD driver I have called the clear Source
> attr Manager and clear Source attr ManagerWorkforceID. This successfully
> removes these fields from eDir. I go to AD and the Manager is still
> there. I see the RL processing the call but it wants to add the manager
> back in. I assume this has to do with eDir and AD attribute differences
> and AD not allowing a blank value to be placed in Manager field? Has
> someone set this up before? To remove/clear the manager field from AD
> when a user is terminated? Any help is greatly appreciated.


So if your AD driver, Sub channel, does a clear Source Attr of Manager,
that will not loop back into AD since the driver itself did the work.

Now as it turns out, the way the AD driver works, if you were in the Pub
channel and did clear source attr, that would update AD, which would
initially loop back to the IDV. Normally, since the change comes from
the IDV, Optimize Modify checks, sees the values are the same, and
determines that no change is necessary, so it effectively does not loop
back. Or more correctly, the loop quickly tamps down.

But in this case, since the IDV would be different, it should flow the
change to the IDV.


Yes right now on the SUB channel, command, we have policy HandleTermsandRehires, that is where I have the remove src attr manager and src attr managerWorkforceID. Like I said removes them from eDir but no change in AD.

Should I try this same code on the PUB side command? I think our filters are set to ignore or notify on the PUB side since we want IDV (SUB) writing everything to AD, being the "source of truth", and we want eDir to control the data in AD not let AD write back to IDV.
Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination

On 06/12/2018 09:54 AM, cosborne wrote:
> Yes right now on the SUB channel, command, we have policy
> HandleTermsandRehires, that is where I have the remove src attr manager
> and src attr managerWorkforceID. Like I said removes them from eDir but
> no change in AD.


On the microsoft active directory (MAD) driver config, though? That's the
problem, then. This has nothing to do with synchronizing to/from MAD, but
instead has to do with the business logic of your organization,
specifically that when you are terminated your object loses its attribute
value pointing to a former manager. That all makes sense, but since it
has nothing to do with synchronization to MAD, it should not be done on
the MAD driver config, but instead on a business logic driver config
completely separate of any synchronization driver config.

> Should I try this same code on the PUB side command? I think our filters
> are set to ignore or notify on the PUB side since we want IDV (SUB)
> writing everything to AD, being the "source of truth", and we want eDir
> to control the data in AD not let AD write back to IDV.


No, you are right to keep the IDV authoritative, and this basically
offloads it two levels (a sync driver, as you already have it, but also
requiring loopback through a non-authoritative application, which is
more-bad than the current setup, which is only a little bad).

Create a new Null driver config object, named something like
business-logic-a (in case you want multiples someday), and then add a
policy in its Sub Event Transformation policyset which watches for the
terminate and then write back (to source, the IDV) the removal of the
manager attribute. Add vetoes into the Matching policyset and Command
Transformation policyset as basically you always do things in the Event
Transformation Policyset on the Sub channel and this will minimize
processing down the road.

With that done, your MAD driver config should pick up the removal
immediately and synchronize it like anything else. Better yet, when MAD
goes away and you replace it with something else (or just drop it
altogether) you do not lose business logic (cleanup of a manager
attribute) just because you happened to drop one of many applications, all
which want that business logic.

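What that Loopback (Null) driver policy can look like, written out as an added example; this is not code from the thread or from any shipped NetIQ driver package. It assumes a hypothetical eDirectory attribute named employeeStatus that the HR termination driver sets to Terminated (the thread only says the user status is flipped), and it assumes the Loopback driver's Subscriber filter has User/employeeStatus set to Synchronize or Notify, because otherwise the modify event never reaches the policy at all.

```xml
<!-- Added example, not from the thread: Subscriber Event Transformation
     policy for a Loopback driver.  ASSUMPTIONS: the eDirectory attribute
     "employeeStatus" (hypothetical name) carries the value "Terminated",
     and employeeStatus is in this driver's Subscriber filter (Sync/Notify). -->
<policy>
  <rule>
    <description>Termination: clear manager and managerWorkforceID in the IDV</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <!-- fire on the modify that carries the status change, not on every
             modify of a terminated user -->
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="employeeStatus" op="equal">Terminated</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Termination: clearing manager for </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <!-- write-back to eDirectory (the IDV).  The engine applies these
           immediately; every other driver whose Subscriber filter
           synchronizes "manager" (the AD driver included) then receives the
           resulting remove-all-values event as an ordinary modify. -->
      <do-clear-src-attr-value name="manager"/>
      <do-clear-src-attr-value name="managerWorkforceID"/>
      <!-- no do-veto here: the existing termination rules in the same driver
           may still need this event; the driver's catch-all vetoes (Matching
           and Command Transformation, or the end of this policy set) stop it. -->
    </actions>
  </rule>
</policy>
```

Put the rule in the Subscriber Event Transformation policy set, ahead of any catch-all veto the driver already has. To confirm it did what was intended, raise the AD driver to trace level 3 and look on its Subscriber channel for a modify of the user carrying `<modify-attr attr-name="manager"><remove-all-values/></modify-attr>`, followed by the Remote Loader performing the remove; manager must be set to Synchronize on the Subscriber side of the AD driver's filter for that to appear. If the trace instead shows an `add-value` with an empty value for manager, something upstream is adding a blank rather than removing the value, and that will not clear the field.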
Respected Contributor.

Re: Clear Manager Attribute from AD upon Termination

OK we have a loopback driver currently. We use it to make changes to users when their status is Terminated. Could I try and put the remove manager commands there instead of creating a new Null/Loopback driver? Would this have the same effect, the loopback/Null making the changes to the eDir manager attribute and then picked up by the AD driver and synced?

Thanks,
Casey
Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination

On 06/12/2018 12:04 PM, cosborne wrote:
>
> OK we have a loopback driver currently. We use it to make changes to
> users when there status is Terminated. Could I try and put the remove
> manager commands there instead of creating a new Null/Loopback driver?
> Would this have the same effect, the loopback/Null making the changes to
> eDir manager attribute and then picked up by AD driver and synced?


Yes, sure, that would be fine. If it is already handling termination
stuff, then having it handle all termination stuff sounds like the right
thing indeed.

Respected Contributor.

Re: Clear Manager Attribute from AD upon Termination

OK so I have removed the clear source attr code from the AD SUB command and put it with our Null/Loopback driver that handles other things related to TERM. It is working great so far in TEST. Upon TERM status I have clear source attr manager and managerWorkforceID; after a couple of passes (minutes), the loopback driver meets (or detects) these conditions and clears the attributes. I see the AD log detect this and send the REMOVE/MODIFY on these ATTR. I see the RL doing a REMOVE of the current manager, and finally in ADUC I see that the Manager field is cleared out.

Thanks everyone for their input and support!

-Casey
Knowledge Partner

Re: Clear Manager Attribute from AD upon Termination


> Yes right now on the SUB channel, command, we have policy
> HandleTermsandRehires, that is where I have the remove src attr manager
> and src attr managerWorkforceID. Like I said removes them from eDir but
> no change in AD.


So Sub channel, Source Attr is a write-back to the IDV. eDir is smart
enough to know that this is an event generated by itself, and thus will not
send it to AD.

Therefore, simply
Clear Source Attr
Clear Dest Attr

in the same policy.


> Should I try this same code on the PUB side command? I think our filters
> are set to ignore or notify on the PUB side since we want IDV (SUB)
> writing everything to AD, being the "source of truth", and we want eDir
> to control the data in AD not let AD write back to IDV.
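The same termination rule written the way this post suggests, as an added example that is not code from the thread: a single rule on the AD driver's Subscriber Command Transformation that clears the source and the destination together. It keeps the assumption of a hypothetical employeeStatus attribute holding Terminated, and assumes manager is set to Synchronize on the Subscriber side of the AD driver's filter.

```xml
<!-- Added example, not from the thread: rule for the AD driver's Subscriber
     Command Transformation policy set.  ASSUMPTIONS: hypothetical eDirectory
     attribute "employeeStatus" = "Terminated" marks a terminated user, and
     User/manager is Subscriber-Synchronize in this driver's filter. -->
<policy>
  <rule>
    <description>Termination: clear manager in both the IDV and AD</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="employeeStatus" op="equal">Terminated</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- write-back to eDirectory.  As the post explains, the engine treats
           this as the driver's own change and does not feed it back through
           this driver's Subscriber channel, so on its own it leaves AD alone. -->
      <do-clear-src-attr-value name="manager"/>
      <do-clear-src-attr-value name="managerWorkforceID"/>
      <!-- so clear the destination explicitly: this is what sends a modify with
           <remove-all-values/> for manager through the Remote Loader to AD.
           managerWorkforceID is an IDV-only attribute here and is not cleared
           in AD. -->
      <do-clear-dest-attr-value name="manager"/>
    </actions>
  </rule>
</policy>
```

The do-clear-dest-attr-value is the action that actually reaches AD; the two src clears only keep the IDV consistent. The trade-off Aaron described still holds: with this variant the business rule lives inside one application's sync driver rather than in the vault, so it disappears if that driver is ever retired.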