Hi All,
We have a use case for SAP deprovisioning where we need to set a user group, remove the roles and clear SNC field. I am using below for user group and roles:
While disable account the account status is locked but the user group, roles and SNC use case is not getting fulfilled.
Am I missing any configuration here as I cannot find any error in logs.
Thanks,
Bhushan
Use case:
If the user is terminated, remove the roles, disable the account, move the usergroup and clear SNC details
Solution:
- Create a user update rule where Eg:
status is updated and status = 0, create update account task and deprovision access - accounts and access. Screenshot referred
2. Set the TERMINATEDUSERGROUP to 'DISABLED' or any group of your choice in the connectorSet the TERMINATED_USER_ROLE_ACTION to 'REMOVE'
3. You can set the task execution heirarchy to Update Account Tasks followed by Remove Access and Remove Account
4. When the user is terminated, based on the rule - Update account task and Remove Access, Remove Account tasks are created
5. Add this in the update account json config of the connector:
Note: This is a sample json but you can modify it as per your requirement.
{
"ADDRESS": {
"LASTNAME":"${user.lastname}",
"FIRSTNAME": "${user.firstname}"
},
"LOGONDATA": {
"GLTGB": "99991231"
},
"SNC": {
"PNAME": "${if(user.statuskey='0'){' '} else {'p:cn=abc@dummy.com'}}"
}
}
If the user status is 0, SNC value will be cleared out and set to blank. If it is active, you can set whatever the value is. The above json has a dummy value.
Once the remove access tasks are processed, all the roles assigned to the user will be removed in SAP
When the remove account task is processed, the SAP account gets locked with value 64 in UFLAG and the usergroup will be set to DISABLED or any other value you have given in the connector.
Hope this helps 🙂
