IBM Security Verify

  • 1.  ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Wed November 09, 2022 10:45 PM
    Edited by Sahana Kakolu Wed November 09, 2022 10:45 PM
    Hi,

    We have ISVG and the AD Adapter. In the provisioning policy there is code to populate Expiration Date in the AD Account Form with a value from the User Form attribute TermDate, which is a date object with the format YYYYMMDD.

    1. When a new user is given an AD Account, the value in TermDate is populated into Expiration Date; the date value is reflected, but the time of the AD Account Expires value is set to when the account was created in AD. E.g.: if the term date is 20221202, then in AD it will be 20221202 and the timestamp will show when AD was provisioned. But the AD Account form in ISVG always shows Expiration Date as never expires.
    2. When the TermDate in the User form is updated, the AD Account form in ISVG reflects it when seen from the LDAP view, but the UI of the Account form shows never expires. Also in AD the value shows as never expires (0).

    Please help.

    How do I populate Account Expires in AD with the value in the User form?

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------


  • 2.  RE: ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Thu November 10, 2022 07:38 PM
    Figured this out - passing a string type to Expiration Date in the AD Account Form solved the issue.

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 3.  RE: ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Tue December 13, 2022 02:37 AM
    Hi All,

    I want to populate the expiry date in AD with a string for contractors only. I am able to achieve this in the provisioning policy by checking for the contractor type and then setting the value from a field called TermDate in the User form, which contains the Termination/Expiry date of the user. But when the Term Date is updated to null, the Expiry Date is getting set to 0. How can this be handled? For contractors, if the term date in the User form is set to null, then we don't want the expiry date to be reset in the AD Account form and in AD.

    Please help. Tried a lot of things but it does not work.

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 4.  RE: ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Tue December 13, 2022 02:48 AM
    I do not have the time to test it right now - but I believe what you need to do is to return null in the provisioning policy when the person attribute is not a valid date. That should delete the AD expiry data instead of setting it to "0".

    If this does not work you could set a far-future date like 20991231 on the account as a workaround - this is not beautiful but should work...

    HTH

    ------------------------------
    Franz Wolfhagen
    WW IAM Consulting Leader - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Tue December 13, 2022 02:54 AM
    Agreed. What I want to achieve is that when the Term Date is updated to null in the User form, I don't want the AD Expiration Date in the AD Account form and in AD to be updated, but I do want it to be updated when the Term Date in the User form is not null.

    Thanks,
    Sahana

    ------------------------------
    Sahana Kakolu
    ------------------------------



  • 6.  RE: ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Tue December 13, 2022 03:25 AM
    To have this automated requires a couple of things:
    1. The person must be in a role that is driving the provisioning policy
    2. The service must be set to "Correct Compliance"
    3. The parameter on the provisioning policy must be set to "mandatory"
    Now - the 3 things are pretty simple to do - but switching a service into "correct compliance" mode may have devastating consequences, as this basically means that policies WILL be enforced for all attributes, any non-compliance will be enforced, and disallowed accounts will be removed with no mercy ;-)

    You can do some workarounds - but basically you should design your system to be able to perform this (we call it "ISIM hybrid provisioning" in the internal IBM community), as this is no easy task for a complex system like Windows AD.

    HTH

    ------------------------------
    Franz Wolfhagen
    WW IAM Consulting Leader - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 7.  RE: ISVG : AD Adapter is not populating accountExpires Correctly

    Posted Tue December 13, 2022 03:40 AM
    Yes, I already have all this in place. Expiration Date in the Provisioning Policy for the AD Service (parameter) is set as mandatory and the JavaScript is as below:

    // Provisioning policy script for the AD "Expiration Date" parameter (mandatory).
    // subject.getProperty() returns an array; an unset attribute yields an empty array.
    var empType = subject.getProperty("employeetype");
    var termDate = subject.getProperty("bablTermDate_i");
    Enrole.log("Employee Type is ::", empType[0]);

    if (empType != null && empType.length > 0 && empType[0].equals("N-Contractor")) {
        Enrole.log("Employee Type is Contractor", empType[0]);
        if (termDate != null && termDate.length > 0) {
            // Take the first value of the attribute, not the array itself.
            var sdate = termDate[0].toString();
            Enrole.log("Expiration Date String is ", sdate);
            // Append a time of day so the value is an LDAP generalized time (YYYYMMDDHHMMZ).
            var sdate1 = sdate + "1300Z";
            Enrole.log("Final Expiration Date String is ", sdate1);
            return sdate1;
        } else {
            Enrole.log("BablTermDate ::", "is Null String");
            // At this point I don't want the code to return anything, but in this use case it is setting the expiry date in AD to 0.
        }
    } else {
        Enrole.log("Employee Type is not contractor::", empType[0]);
        return "";
    }

    ------------------------------
    Sahana Kakolu
    ------------------------------
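The following is an added, offline-runnable Node.js example written for this page; it is not the policy script from post 7 and not IBM adapter code. It covers the two things the thread circles around: building the generalized-time string from a YYYYMMDD term date (post 7's "1300Z" suffix is assumed), returning null instead of an empty string when the date is absent or malformed so the policy can follow the return-null approach post 4 suggests (untested there), and decoding the raw accountExpires value AD stores (100-ns intervals since 1601-01-01, with both 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires"), which is what post 1 sees as "never expires-0". The ISVG policy runtime is Rhino and has no BigInt, so only the first function is meant to be mirrored in policy JavaScript; the rest is for checking what the adapter actually wrote. All sample inputs are constructed.

```javascript
'use strict';

// Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
const EPOCH_DIFF_SECONDS = 11644473600n;
// AD treats both 0 and 0x7FFFFFFFFFFFFFFF as "account never expires".
const NEVER_EXPIRES_MAX = 9223372036854775807n;

// Assumed convention from the thread: the person attribute holds YYYYMMDD as a string.
// Returns the LDAP generalized-time string (YYYYMMDDHHMMZ) for the adapter, or null when
// the date is missing or malformed, so the caller never hands the adapter "" or a bad value.
function termDateToGeneralizedTime(termDate, hhmm = '1300') {
  if (termDate === null || termDate === undefined) return null;
  if (!/^\d{4}$/.test(hhmm)) throw new Error('hhmm must be HHMM');
  const s = String(termDate).trim();
  const m = /^(\d{4})(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  // Reject impossible calendar dates (e.g. 20221332) by round-tripping through Date.UTC,
  // which silently rolls such values into the next month.
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) return null;
  return `${s}${hhmm}Z`;
}

// Parse YYYYMMDDHH[MM[SS]]Z into a UTC Date; null on bad syntax.
function parseGeneralizedTime(gt) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?Z$/.exec(String(gt));
  if (!m) return null;
  const [y, mo, d, h] = [1, 2, 3, 4].map(i => Number(m[i]));
  const mi = m[5] ? Number(m[5]) : 0;
  const se = m[6] ? Number(m[6]) : 0;
  return new Date(Date.UTC(y, mo - 1, d, h, mi, se));
}

// Convert a generalized-time string to the raw accountExpires value AD stores:
// a Windows FILETIME, i.e. 100-nanosecond intervals since 1601-01-01 UTC.
function generalizedTimeToAccountExpires(gt) {
  const dt = parseGeneralizedTime(gt);
  if (dt === null) return null;
  const unixSeconds = BigInt(Math.floor(dt.getTime() / 1000));
  return (unixSeconds + EPOCH_DIFF_SECONDS) * 10000000n;
}

// Decode a raw accountExpires value: 'never' for the two sentinel values, else an ISO timestamp.
function describeAccountExpires(value) {
  const v = BigInt(value);
  if (v === 0n || v === NEVER_EXPIRES_MAX) return 'never';
  const unixMs = (v / 10000000n - EPOCH_DIFF_SECONDS) * 1000n;
  return new Date(Number(unixMs)).toISOString();
}

// Constructed samples mirroring the thread: a contractor with a term date, a cleared date,
// two malformed values, and the far-future workaround date from post 4.
const samples = ['20221202', '', null, '2022-12-02', '20221332', '20991231'];
for (const s of samples) {
  const gt = termDateToGeneralizedTime(s);
  const raw = gt === null ? null : generalizedTimeToAccountExpires(gt);
  console.log(JSON.stringify(s), '->', gt, '->',
    raw === null ? 'no value (clear / leave the attribute)' : `${raw} (${describeAccountExpires(raw)})`);
}
```

Run it with `node` to see the mapping for each sample. The decoder is handy when checking the account from the AD side: a raw accountExpires of 0 or 9223372036854775807 is what the AD Users and Computers UI renders as "Never", so seeing 0 after a policy run means the adapter was given no usable date, not that the date was set far in the future.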