AD entitlement fails to revoke, so AD accounts are not being disabled

Hi Team,

In my project, migration work is running. Suddenly the offboarding process has failed. I'm not sure where and how it's broken.

1> Once the employee is off-boarded, the loginDisabled and empType values are changed.

2> But the AD entitlement is not being revoked; because of this the AD account is not disabled.

3> When we manually revoke the AD entitlement, the accounts move to the disabled state.

Could you suggest how to figure out where to find the cause?

Thanks

Naveen

  • Reply:

    What is granting the AD Entitlement? You need to do the inverse when your conditions are met. The AD driver by itself in no way implements either step (granting the entitlement, nor revoking it).

    Are you granting via the Entitlements Service Driver? (Which is deprecated; not sure when it is going to stop working.) Dynamic groups assigned a Role? Roles directly? Policy in a Loopback driver?

  • Reply:

    Thank you for your support, Geoffrey.

    Yes, we are assigning the AD role through servers when conditions are met, and based on the role we grant the AD entitlement and create the user account in AD.

    But I am not seeing a policy in the drivers that removes the role when the user is inactivated. This is causing the user to remain in an active state in AD.

    We recently migrated the drivers from the old servers to new servers, and then the issue started. Are there any other ways to check the role revoke?

    What are the ways available in NetIQ to revoke the roles or entitlement?

    Thanks

    Naveen

  • Reply:

    You wrote:

    Yes, we are assigning the AD role through servers when conditions are met

    You mean there is a policy somewhere that grants the Role? Can you find that code? Does it handle the case when the user moves AWAY from the conditions, and calls for a revoke? If not, you will have to add that.

    Reading further you wrote:

    But I am not seeing a policy in the drivers that removes the role when the user is inactivated. This is causing the user to remain in an active state in AD.

    Why would you revoke just because someone is inactive? You might want that, and if so, write such a policy. But what happens when they come back active? Should it be regranted? Maybe it will, depending on how your policy that grants it is defined.

    Usually you want to grant/revoke based on, say, demographic info like Department, Location, Cost Center, etc. So when those change, the old Role is revoked and the new one is granted.

    Revoke all on make inactive is a different approach. Also realize a mistaken inactivate will remove permissions that might be slightly painful to put back.

  • Reply:

    You mean there is a policy somewhere that grants the Role? Can you find that code? Does it handle the case when the user moves AWAY from the conditions, and calls for a revoke? If not, you will have to add that.

    Yes, we have a policy that grants the role for a new user or rehired user, but I am not seeing any policy that revokes the role on inactivation.

    Usually the inactivation process was running smoothly; after the migration it has failed to disable the user account in AD (userAccountControl should be 514).

    When we manually revoke the entitlement (value changed from 1 to 0), the AD account gets disabled.

    Thanks

    Naveen
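The two facts in the post above (the entitlement reference flips from 1 to 0 on a manual revoke, and a correctly disabled AD account carries userAccountControl 514) are enough to split the problem in half: if the vault still shows the entitlement as granted for an inactive user, the revoke was never issued and the fault is upstream in whatever grants the role; if the vault shows it revoked but AD is still enabled, the AD driver side did not act on it. The script below is an added example, not code from the thread or from NetIQ IDM. It assumes the standard layout of DirXML-EntitlementRef values as "entitlementDN#state#payload" (1 = granted, 0 = revoked), that the vault inactive marker is empStatus = I (the attribute named in the thread; the value is assumed), and that the AD driver's account entitlement DN is the hypothetical cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system. The LDIF text is constructed sample data standing in for an export of the two directories.

```python
"""Triage where an IDM -> AD disable got lost, from LDIF exports of both sides.

Added example, not part of the original thread or of NetIQ IDM. Assumptions:
- DirXML-EntitlementRef values look like "entDN#state#payload", state 1 = granted,
  0 = revoked (the usual path-attribute rendering of the entitlement reference)
- empStatus = "I" marks an inactive vault user (attribute from the thread; value assumed)
- AD userAccountControl bit 0x2 (ACCOUNTDISABLE) marks a disabled account
  (512 = enabled normal account, 514 = disabled)
"""

ACCOUNTDISABLE = 0x2

# Hypothetical DN of the AD driver's account entitlement (not from the thread).
ENT_DN = "cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system"

# Constructed vault export: four inactive/active users in different states.
VAULT_LDIF = """\
dn: cn=alice,ou=users,o=data
cn: alice
empStatus: I
loginDisabled: TRUE
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#1#<ref/>

dn: cn=bob,ou=users,o=data
cn: bob
empStatus: I
loginDisabled: TRUE
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#0#<ref/>

dn: cn=carol,ou=users,o=data
cn: carol
empStatus: A
loginDisabled: FALSE
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#1#<ref/>

dn: cn=dave,ou=users,o=data
cn: dave
empStatus: I
loginDisabled: TRUE
DirXML-EntitlementRef: cn=UserAccount,cn=AD Driver,cn=DriverSet,o=system#0#<ref/>
"""

# Constructed AD export for the same people.
AD_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 512

dn: CN=carol,OU=Users,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 512

dn: CN=dave,OU=Users,DC=example,DC=com
sAMAccountName: dave
userAccountControl: 514
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}. No base64 or line folding."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def entitlement_state(entry, ent_dn=ENT_DN):
    """Return 1 (granted) / 0 (revoked) for the named entitlement, None if absent."""
    for ref in entry.get("DirXML-EntitlementRef", []):
        dn, _, rest = ref.partition("#")
        if dn.lower() == ent_dn.lower():
            state, _, _payload = rest.partition("#")
            return int(state)
    return None


def ad_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return int(entry["userAccountControl"][0]) & ACCOUNTDISABLE != 0


def triage(vault_ldif, ad_ldif, ent_dn=ENT_DN, inactive_values=("I",)):
    """Map vault cn -> finding that says which half of the chain to look at."""
    ad_by_name = {e["sAMAccountName"][0].lower(): e for e in parse_ldif(ad_ldif)}
    findings = {}
    for user in parse_ldif(vault_ldif):
        cn = user["cn"][0]
        status = user.get("empStatus", [""])[0]
        state = entitlement_state(user, ent_dn)
        ad = ad_by_name.get(cn.lower())
        if status not in inactive_values:
            findings[cn] = "active: nothing to check"
        elif state == 1:
            findings[cn] = "entitlement still granted: revoke never issued, look at the role/policy that grants it"
        elif ad is None:
            findings[cn] = "entitlement revoked but no AD account found"
        elif not ad_disabled(ad):
            findings[cn] = "entitlement revoked but AD enabled: AD driver entitlement policy/filter did not act"
        else:
            findings[cn] = "consistent: revoked and AD disabled"
    return findings


if __name__ == "__main__":
    for cn, finding in triage(VAULT_LDIF, AD_LDIF).items():
        print(f"{cn}: {finding}")
```

Run against real exports, the "entitlement still granted" bucket points at the role assignment or the policy that should call for the revoke (the thing the migration may have dropped), while the "revoked but AD enabled" bucket points at the AD driver's own entitlement handling or filter.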

  • Reply:

    Ok. So is the issue that you cannot find the code that does the revoke on disable? Not sure how to help you with that.

    If you want help WRITING an example that would do that, I can help you with any issues you have in trying that.

    But otherwise, what is your specific question at this point?

  • Reply:

    I am not getting how it suddenly broke after the migration. Based on the empStatus attribute the entitlement should be revoked. It's not happening.

    Were any configurations missed on our end during the migration?

    Any clues so I can find the next step toward a solution?

    Thanks

    Naveen