Deprovision on Role / Assignment Revoke for Connector

I have the database table connector deployed and have the livesync turned off / provisioning based on a reconciliation filter (for the effectiveAssignment) and it is all working fine. But, when the effective assignment goes away, the user is not getting revoked. Is there a behavior / update that needs to happen to revoke / remove the account from the target system?

Thanks
Nick

Hi @nick.hunt,

Can you provide more details about the reconciliation mapping, and in particular the treatment that is applied to “effectiveAssignment”?

Note: usually relationship changes require some additional processing with onCreate and onUpdate hooks.
Regards
Patrick

For the reconciliation mapping, this is for the managedUser → app, I have a query that matches on effectiveRoles to provision the user to the target (this works fine). Now, when the user is removed from that role (the filter is no longer active), the user is still in the target app so need it removed.

You mentioned the change in relationship, would there need to be an onupdate event or something? If the user is no longer in the filter, how do you trigger the event for the removal?

Nick

Hi @nick.hunt,

So assigning a role to a user triggers the user’s access to the corresponding app, and since this is a Table Database connector, I would assume that this updates an “app” column in the database. Rather than using effective roles to trigger the app assignment, why not use the already available mechanism with Role/Assignment? e.g. create an Assignment, linked to the mapping, with the target attribute and associated value - choose a type, e.g. the commonly used “mergeWithTarget” - that should do the trick with little effort. Then add the assignment to the role. Adding the role to the user will automatically trigger the user provisioning (or deprovisioning if the role is removed). Have you considered this? See Use assignments to provision users :: IDM 7.3.0

Regards
Patrick

This is what I am using: by adding the user to the role, I have my filter for the effectiveAssignment to do the provisioning to the target and everything works / updates flow like they should (e.g. name updates). Problem is, when I remove from the role, effectiveAssignments goes away, but this does not clean up the account in the target db (issue a delete for the row). I am trying to find the reverse to do the cleanup / revoke.

I see what you’re saying now in terms of the ‘attributes’ part of the tab; I am just using the mappings to map the data from the user object into attributes. So, if I use this approach for say the ‘NAME’ attributes, will this remove just the name or will it remove all attributes for the user?

Also, if on revoke, I just want to set a status column in the target to say ‘disabled’, would that be a script (do I just set an attribute value)?

Nick

Also, assuming I can remove the recon filter on the mapping for this (and also disable this for livesync since it is based on the assignment to the mapping)?

Hi @nick.hunt

What is a “recon filter”? Do you mean a sourceQuery?

I actually don’t understand this statement:

I have my filter for the effectiveAssignment to do the provisioning to the target

And I don’t know what an ‘effectiveAssignment’ is? Are you referring to a custom property in the managed User, or something else?

If you base the provisioning solely on mapping user attributes to the target - for this to work I would have an onUpdate (and onCreate) script to process the roles and set the target attribute to the expected value.

Or, use the OOTB Role/Assignment feature.

Regards
Patrick

So, in terms of setup, OOTB it has the live sync enabled when you create the mapping; I disabled that first. Then, I created an assignment (no attributes in the assignment, just the target mapping) but nothing was happening with just an assignment / role for the target. So, in the mapping, I added a reconciliation filter on managedUser/effectiveAssignments for the assignment and this triggers the provisioning now. But, when I remove the assignment now, it is not triggering the removal.

So, based on the above feedback, to confirm: if I remove the reconciliation mapping filter for the user / assignment (working now), update the assignment for the mapping to include the attributes (empty at this point for values since they should get them from the object) and then mark the on revoke to remove them for each attribute, this should work?

Nick

Hi @nick.hunt,

I still have difficulties in understanding the use case.

So, in the mapping, added a reconciliation filter on managedUser/effectiveAssignments

Can you please back this statement with IDM configuration/scripting? In fact a detailed use case with configuration extracts would greatly help.

Regards
Patrick

No worries. Ok, so I have the mapping for the db table connector; under advanced, I turned off live sync. I created an assignment for the mapping / attached it to a role for the user, but this was not triggering anything (I do not have any attributes mapped in the assignment since I have those mapped in the mapping). This was not triggering anything in terms of provisioning users to the target mapping. So, I added a source query to the mapping with the below code and this is triggering now to push users to the mapping / target.

```json
{
  "source": "managed/user",
  "sourceQuery": {
    "_queryFilter": "/effectiveAssignments/name co \"App10Assignment\""
  },
  "sourceQueryFullEntry": true,
  "target": "system/App10DB/__ACCOUNT__"
}
```

But, when this source query is no longer applicable, the user is not being removed.

Nick

So @nick.hunt what you call “recon filter” is a “sourceQuery” [Filter synchronization data :: IDM 7.3.0]. Please let’s stick to IDM configuration terminology. So indeed the user is not deprovisioned, since the user object does not have the assignments anymore and therefore is not selected by the sourceQuery - not part of the source dataset. And it seems that using the Role/Assignment provisioning scheme is still a good candidate to solve this use case.

Regards
Patrick

Yes, ultimately, I want to get to the role / assignment.

So, let’s go down this path. I remove the sourceQuery from the mapping for managedUser->App1; under advanced I disabled the livesync for this mapping (since I do not want all users to be pushed to this db). Now, in the assignment I have mapped to this mapping, under attributes (which is empty right now), I add each attribute that is in the target and leave them blank for now (since they’ll get the user object values from the mapping)? Then, on the deprovision action, can I just use that deprovision action to set the status to inactive?

The assignment would include:

  • The mapping to which it applies. In this case, the mapping from managed/user to the database table connector
  • The attribute to update in the target - a multivalued attribute I assume in your case
  • The value of the assignment “App1”
  • “assignmentOperation”: “mergeWithTarget”,
  • “unassignmentOperation”: “removeFromTarget”

Then when adding the assignment to the user, the provisioning should occur, revoking the assignment from the user should de-provision.

Regards
Patrick

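To make Patrick’s last list concrete, here is an added example (not configuration from this thread or from IDM itself) of a managed/assignment object for the mapping discussed above, together with a small model of what the built-in "mergeWithTarget" / "removeFromTarget" operations do to a target row when the role is granted and then revoked. The mapping name, the multivalued target attribute "apps" and the sample row are assumptions; only "App10Assignment", "App1" and the two operation names come from the thread.

```javascript
// Added example: an IDM managed/assignment object for the thread's mapping, plus a
// simplified model of "mergeWithTarget" / "removeFromTarget" on the target row.
const app10Assignment = {
  name: "App10Assignment",
  description: "Grants an App10DB account; revoking the role removes the granted value",
  // IDM's default name for a managed/user -> system/App10DB/__ACCOUNT__ mapping (assumed)
  mapping: "managedUser_systemApp10dbAccount",
  attributes: [
    {
      name: "apps",                 // multivalued target column (assumed name)
      value: ["App1"],
      assignmentOperation: "mergeWithTarget",
      unassignmentOperation: "removeFromTarget",
    },
  ],
};

// Simplified model of the built-in operations (not IDM's own implementation):
// mergeWithTarget adds the assignment values to whatever the target already holds,
// removeFromTarget strips exactly those values when the role/assignment is revoked,
// so values the assignment never granted (e.g. "Legacy" below) are left untouched.
function applyOperation(op, existing, values) {
  const current = Array.isArray(existing) ? existing : existing == null ? [] : [existing];
  switch (op) {
    case "mergeWithTarget":  return Array.from(new Set([...current, ...values]));
    case "replaceTarget":    return [...values];
    case "removeFromTarget": return current.filter((v) => !values.includes(v));
    case "noOp":             return current;
    default: throw new Error(`unknown assignment operation: ${op}`);
  }
}

// Apply (grant = true) or revoke (grant = false) every attribute of an assignment
// against a copy of the target row, returning the row as it would be written back.
function syncAssignment(assignment, targetRow, grant) {
  const row = { ...targetRow };
  for (const attr of assignment.attributes) {
    const op = grant ? attr.assignmentOperation : attr.unassignmentOperation;
    row[attr.name] = applyOperation(op, row[attr.name], attr.value);
  }
  return row;
}

// Constructed sample row: it already holds a value this assignment does not manage.
const granted = syncAssignment(app10Assignment, { uid: "nick", apps: ["Legacy"] }, true);
const revoked = syncAssignment(app10Assignment, granted, false);
```

Contrast this with the sourceQuery approach from earlier in the thread: once the user drops out of the source set, nothing is evaluated against the target row at all, which is why the account was left behind.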