Yes, I already have all this in place. Expiration Date in Provisioning Policy for AD Service (Parameter) is set as mandatory and the JavaScript is as below:
Enrole.log("Employee Type is ::",subject.getProperty("employeetype")[0]);
if((subject.getProperty("employeetype")!=null) && (subject.getProperty("employeetype").length>0)&&(subject.getProperty("employeetype")[0].equals("N-Contractor")))
{
    Enrole.log("Employee Type is Contractor",subject.getProperty("employeetype")[0]);
    Enrole.log("Term Date is ",subject.getProperty("bablTermDate_i")[0]);
    if((subject.getProperty("bablTermDate_i")!=null) && (subject.getProperty("bablTermDate_i").length>0))
    {
        if(subject.getProperty("bablTermDate_i")){
            Enrole.log("Expiration Date is not null",subject.getProperty("bablTermDate_i")[0]);
            var sdate=subject.getProperty("bablTermDate_i").toString();
            Enrole.log("Expiration Date String is ",sdate);
            var sdate1=sdate+"1300Z";
            Enrole.log("Final Expiration Date String is ",sdate1);
            return sdate1;
        }
    }
    else{
        Enrole.log("BablTermDate ::","is Null String");
        //At this point I don't want the code to return anything, but in this use case it is setting the expiry date in AD as 0.
    }
}
else{
    Enrole.log("Employee Type is not contractor::",subject.getProperty("employeetype")[0]);
    return "";
}
------------------------------
Sahana Kakolu
------------------------------
Original Message:
Sent: Tue December 13, 2022 03:24 AM
From: Franz Wolfhagen
Subject: ISVG : AD Adapter is not populating accountExpires Correctly
To have this automated it requires a couple of things :
- The person must be in a role that is driving the provisioning policy
- The service must be set as "Correct Compliance"
- The parameter on the provisioning policy must be set to "mandatory"
Now - the 3 things are pretty simple to do - but switching a service into "correct compliance" mode may have devastating consequences as this basically means that policies WILL be enforced for all attributes and eventual non-compliancy enforced and disallowed accounts will be removed with no mercy ;-)
You can do some workarounds - but basically you should design your system to be able to perform this (we call it "ISIM hybrid provisioning" in the internal IBM community) as this is no easy task for a complex system like Windows AD.
HTH
------------------------------
Franz Wolfhagen
WW IAM Consulting Leader - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Tue December 13, 2022 02:54 AM
From: Sahana Kakolu
Subject: ISVG : AD Adapter is not populating accountExpires Correctly
Agree, what I want to achieve is that when the Term Date is updated as null in the User form, I don't want the AD Expiration Date in the AD Account form and in AD to be updated, but I want it to be updated when the Term Date in the User form is not null.
Thanks,
Sahana
------------------------------
Sahana Kakolu
Original Message:
Sent: Tue December 13, 2022 02:47 AM
From: Franz Wolfhagen
Subject: ISVG : AD Adapter is not populating accountExpires Correctly
I have not the time to test it right now - but I believe what you need to do is to return null in the provisioning policy when the person attribute is not a valid date. That should delete the AD expiry data instead of setting it to "0".
If this does not work you could set a far future date like 20991231 on the account as a workaround - this is not beautiful but should work...
HTH
------------------------------
Franz Wolfhagen
WW IAM Consulting Leader - Certified Consulting IT Specialist
IBM Security Expert Labs
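The decision logic discussed in this thread, as an added example that is not part of the original posts and not ISVG product code: every branch returns an explicit value, and a missing or invalid term date yields null (the suggestion in the reply above) instead of falling through with no return. The function names are hypothetical, the inputs mimic the string arrays that subject.getProperty() returns in the posted script, and how ISVG and the AD adapter act on a null result has to be confirmed in a test environment.

```javascript
// Added example. isValidYyyymmdd and expirationValue are hypothetical helper
// names, not ISVG APIs. Inputs are constructed arrays shaped like the values
// subject.getProperty("employeetype") / ("bablTermDate_i") return in the thread.
const TIME_SUFFIX = "1300Z"; // time suffix appended by the script in the thread

// True only for an 8-digit string that is a real calendar date (rejects 20230231).
function isValidYyyymmdd(s) {
  if (!/^\d{8}$/.test(s)) return false;
  const y = Number(s.slice(0, 4));
  const m = Number(s.slice(4, 6));
  const d = Number(s.slice(6, 8));
  const dt = new Date(Date.UTC(y, m - 1, d));
  return dt.getUTCFullYear() === y &&
         dt.getUTCMonth() === m - 1 &&
         dt.getUTCDate() === d;
}

// Returns the value the provisioning policy parameter would evaluate to:
//   non-contractor                  -> ""   (same as the thread's else branch)
//   contractor, valid term date     -> YYYYMMDD + "1300Z"
//   contractor, empty/invalid date  -> null (explicit, never an implicit undefined)
function expirationValue(employeeType, termDate) {
  const type = employeeType && employeeType.length > 0 ? String(employeeType[0]) : "";
  if (type !== "N-Contractor") return "";
  const raw = termDate && termDate.length > 0 ? String(termDate[0]).trim() : "";
  if (!isValidYyyymmdd(raw)) return null;
  return raw + TIME_SUFFIX;
}

// Constructed sample records covering each branch.
const samples = [
  { employeeType: ["N-Contractor"], termDate: ["20221202"] },
  { employeeType: ["N-Contractor"], termDate: [] },
  { employeeType: ["N-Contractor"], termDate: ["20230231"] },
  { employeeType: ["Employee"], termDate: ["20221202"] },
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", JSON.stringify(expirationValue(s.employeeType, s.termDate)));
}
```

A contractor record that evaluates to null has no computed expiry, so it is worth logging or reporting those cases rather than letting the account silently show as never expiring.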
Original Message:
Sent: Tue December 13, 2022 02:36 AM
From: Sahana Kakolu
Subject: ISVG : AD Adapter is not populating accountExpires Correctly
Hi All,
I want to populate the expiry date in AD with a string for contractors only. I am able to achieve this in the provisioning policy by checking for contractor type and then setting the value from a field called TermDate in the User form, which contains the Termination/Expiry date of the user. But when the Term Date is updated as null, the Expiry Date is getting set as 0. How can this be handled? For contractors, if the term date is set as null in the User form, then we don't want the expiry date in AD to be reset in the AD Account form and in AD.
Please help. Tried a lot of things but it does not work.
Thanks,
Sahana
------------------------------
Sahana Kakolu
Original Message:
Sent: Wed November 09, 2022 10:44 PM
From: Sahana Kakolu
Subject: ISVG : AD Adapter is not populating accountExpires Correctly
Hi,
We have ISVG and the AD Adapter. In the provisioning policy there is code to populate Expiration Date in the AD Account form with a value from the User form attribute TermDate, which is a date object with the format YYYYMMDD.
1. When a new user is added to an AD Account, the value in TermDate is populated into Expiration Date. The date value is reflected, but the time for Account Expires in AD is set to when the account was created in AD. E.g.: if the term date is 20221202, then in AD it will be 20221202 and the timestamp will show when the AD account was provisioned. But the AD Account form in ISVG always shows Expiration Date as never expires.
2. When the TermDate in the User form is updated, the change is reflected in the AD Account form in ISVG when seen from the LDAP view, but the UI of the Account form shows never expires. Also, in AD the value shows as never expires-0.
Please help.
How do I populate AD Expires in AD with the Value in User form?
Thanks,
Sahana
------------------------------
Sahana Kakolu
------------------------------