We have two ITIM environments - DEV and PROD. In our PROD environment, there are two services (AD and RACF) that are linked to the AD and RACF accounts in our DEV environment. For various reasons, we need to remove this link between the services defined in our PROD TIM environment and the corresponding managed resources in our DEV environment.
I'm looking for some advice/comments on how to safely delete a service from ITIM without possibly deleting the accounts on the managed resource - of course I would like the account info removed from the TIM LDAP.
The help page in the ITIM admin console for "deleting services" states the following:
"Click to delete the selected service and remove all accounts on that particular service from the system. The accounts are not removed from the resource. Deleting a service automatically removes it from all provisioning policies, identity policies, password policies, adoption policies, and recertification policies that currently reference it. In addition, if all services that are referenced by a policy are deleted by this operation, the entire policy is also deleted."
So the description above makes me happy as it appears to do what I really want to do when deleting a service - i.e. remove the service, remove the account information from the TIM LDAP and DO NOT delete the accounts on the managed resource.
However, in the info centre, under "deleting provisioning policy" it simply states:
"Deleting a provisioning policy removes all accounts that this policy created."
In my eyes, this is a rather ambiguous statement - is it the actual account or the account information in the TIM LDAP that is being referred to?
Under the deleting a service info, it says that the service will be automatically removed from any provisioning policies (PP). Does the PP actually run after that? The only PPs that reference these services in TIM PROD are the default PPs and these services are the only entitlements on the PPs (no parameters) - provisioning option is Manual.
I did a test and set the policy enforcement for the AD service to Mark and then issued a PP preview after removing the AD service from the entitlements - the result was that it disallowed a few hundred accounts that had owners. I'd imagine that the action would have been to "delete account" if the enforcement was set to Correct (which it usually is). And that is my concern - I'm just not sure what would happen when deleting the service: once the service gets removed from the PP, would the enforcement still apply, and if not, what would happen when the PP gets deleted?
So after that rather long-winded diatribe, I'm in a mild state of confusion and would be happy to hear from others on the best approach to take. The options I have in mind are:
1) Trust the statement under the "deleting a service" help and just delete the service.
2) Change the enforcement to "Mark" on the service, delete the service from the PP entitlement or delete the PP (?), run the PP and then delete the service.
3) Orphan off the accounts in our TIM PROD environment and then delete the service (really hate this one).
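Whichever option is chosen, a before/after inventory of the account objects that TIM holds for the service makes it possible to confirm afterwards that only the LDAP copies went away and nothing was de-provisioned on the resource. The script below is an added example, not code from the original post or from IBM: it parses an LDIF export of the TIM LDAP and groups the erAccountItem entries by service, splitting them into owned and orphan accounts (the owned ones being what the PP preview flagged). The attribute names used (objectclass erAccountItem, erservice for the service DN, eruid, owner) are assumptions about the ITIM schema and the sample LDIF is constructed; verify both against your own directory before relying on the output.

```python
"""Pre-deletion inventory of ITIM account objects bound to a service.

Added example, not from the original post or from IBM. Assumes an LDIF export
of erAccountItem entries from the TIM LDAP in which each account carries
'erservice' (DN of the service), 'eruid' and, for adopted accounts, 'owner'.
These attribute names are assumptions about the ITIM schema.
"""
import base64
from collections import defaultdict

# Constructed service DNs standing in for the PROD AD and RACF services.
AD_SERVICE = "erglobalid=501,ou=services,erglobalid=0,ou=example,dc=com"
RACF_SERVICE = "erglobalid=502,ou=services,erglobalid=0,ou=example,dc=com"

# Constructed sample export: two AD accounts and two RACF accounts, one of
# each adopted (has an owner) and one orphan. Exercises LDIF line folding
# (leading space) and base64 values ("attr:: ...").
SAMPLE_LDIF = f"""\
# constructed sample export of erAccountItem entries
dn: erglobalid=1001,ou=0,ou=accounts,erglobalid=0,ou=example,dc=com
objectclass: erAccountItem
eruid: jsmith
erservice: {AD_SERVICE}
owner: erglobalid=301,ou=0,ou=people,erglobalid=0,
 ou=example,dc=com

dn: erglobalid=1002,ou=0,ou=accounts,erglobalid=0,ou=example,dc=com
objectclass: erAccountItem
eruid:: c3ZjX2JhY2t1cA==
erservice: {AD_SERVICE}

dn: erglobalid=1003,ou=0,ou=accounts,erglobalid=0,ou=example,dc=com
objectclass: erAccountItem
eruid: JSMITH
erservice: {RACF_SERVICE}
owner: erglobalid=301,ou=0,ou=people,erglobalid=0,ou=example,dc=com

dn: erglobalid=1004,ou=0,ou=accounts,erglobalid=0,ou=example,dc=com
objectclass: erAccountItem
eruid: racfadm
erservice: {RACF_SERVICE}
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased; folded lines are joined and
    base64-encoded values ('attr:: ...') are decoded.
    """
    physical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and physical:   # continuation of previous line
            physical[-1] += raw[1:]
        else:
            physical.append(raw)
    entries, current = [], None
    for line in physical + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[name.strip().lower()].append(value)
    return entries


def inventory_by_service(entries):
    """Group erAccountItem entries by service DN into owned and orphan uids."""
    summary = defaultdict(lambda: {"owned": [], "orphan": []})
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "eraccountitem" not in classes:
            continue
        service = e.get("erservice", ["<no service>"])[0]
        uid = e.get("eruid", ["?"])[0]
        bucket = "owned" if e.get("owner") else "orphan"
        summary[service][bucket].append(uid)
    return dict(summary)


def deletion_report(entries, service_dn):
    """Accounts TIM would drop from its LDAP if service_dn were deleted.

    Keep this list and reconcile it against the accounts still present on
    the resource afterwards to confirm none were de-provisioned there.
    """
    inv = inventory_by_service(entries).get(service_dn, {"owned": [], "orphan": []})
    return {
        "service": service_dn,
        "owned_count": len(inv["owned"]),
        "orphan_count": len(inv["orphan"]),
        "uids": sorted(inv["owned"] + inv["orphan"]),
    }


if __name__ == "__main__":
    # Replace SAMPLE_LDIF with open("tim-accounts.ldif").read() for a real export.
    accounts = parse_ldif(SAMPLE_LDIF)
    for svc in (AD_SERVICE, RACF_SERVICE):
        print(deletion_report(accounts, svc))
```

Run it once against an export taken before the service is deleted and keep the uid list; after the deletion, the same uids should still exist on the AD domain and in the RACF database, and the accounts should be gone from a fresh export of the TIM LDAP. The owned/orphan split also shows how many adopted accounts a Correct enforcement would act on if the PP were run while the service is still an entitlement, which is the scenario option 2 is trying to avoid.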