Topic
  • 3 replies
  • Latest Post - 2014-08-26T05:58:13Z by yn2000
jdell (105 Posts)

Pinned topic ITIM 5.1 - Safely deleting a service

2014-08-06T06:03:44Z
Hello,
 
We have two ITIM environments - DEV and PROD.  In our PROD environment, there are two services (AD and RACF) that are linked to the AD and RACF accounts in our DEV environment.  For various reasons, we need to remove this link between the services defined in our PROD TIM environment and the corresponding managed resources in our DEV environment.
 
I'm looking for some advice/comments on how to safely delete a service from ITIM without possibly deleting the accounts on the managed resource - of course I would like the account info removed from the TIM LDAP.
 
The help page in the ITIM admin console for "deleting services" states the following:
 
"Click to delete the selected service and remove all accounts on that particular service from the system. The accounts
are not removed from the resource. Deleting a service automatically removes it from all provisioning policies, identity
policies, password policies, adoption policies, and recertification policies that currently reference it. In addition, 
if all services that are referenced by a policy are deleted by this operation, the entire policy is also deleted."
 
So the description above makes me happy as it appears to do what I really want to do when deleting a service - i.e. remove the service, remove the account information from the TIM LDAP and DO NOT delete the accounts on the managed resource.
 
However, in the info centre, under "deleting provisioning policy" it simply states:
 
"Deleting a provisioning policy removes all accounts that this policy created."
 
In my eyes, this is a rather ambiguous statement - is it the actual account or the account information in the TIM LDAP that is being referred to?
 
Under the deleting a service info, it says that the service will be automatically removed from any provisioning policies (PP). Does the PP actually run after that? The only PPs that reference these services in TIM PROD are the default PPs and these services are the only entitlements on the PPs (no parameters) - provisioning option is Manual.
 
I did a test and set the policy enforcement for the AD service to Mark and then issued a PP preview after removing the AD service from the entitlements - the result was that it disallowed a few hundred accounts that had owners.  I'd imagine that the action would have been to "delete account" if the enforcement was set to Correct (which it usually is).  And that is my concern - I'm just not sure what would happen when deleting the service: once the service gets removed from the PP, would the enforcement still apply, and if not, what would happen when the PP gets deleted?
 
So after that rather long-winded diatribe, I'm in a mild state of confusion and would be happy to hear from others on the best approach to take.  The options I have in mind are:

1) Trust the statement under the "deleting a service" help and just delete the service.

2) Change the enforcement to "Mark" on the service, delete the service from the PP entitlement or delete the PP (?), run the PP and then delete the service.

3) Orphan off the accounts in our TIM PROD environment and then delete the service (really hate this one).

 
Regards,
JD
 
  • goonitsupport (117 Posts)

    Re: ITIM 5.1 - Safely deleting a service

    2014-08-06T12:19:14Z

    Yes I understand your concerns.

     

    I would do the following:

    1. Backup the LDAP server
    2. Amend the Service so the URL and Account being used were incorrect (thereby preventing any changes going to the Adapter)
    3. Delete the service

    From memory I think ISIM/ITIM refuses to delete the service whilst it has any accounts but maybe they have fixed this. I think you used to have to manually remove the definitions from LDAP (handle with care).

    Best regards

    Updated on 2014-08-06T12:23:38Z by goonitsupport
  • jdell (105 Posts)

    Re: ITIM 5.1 - Safely deleting a service

    2014-08-07T23:35:17Z

    Hi goonitsupport,

    Thanks for replying. Geez, deleting a service appears to be a real "hair raising" experience.

    When you say back up the LDAP server, are you referring to the TIM LDAP?

    I understand that changing the URL in the service definition would stop any "accidental" deletion of accounts, however this would still leave the account objects in the TIM LDAP - and that would be an exercise in itself to remove - more so because you can't be sure that you're removing every reference to the accounts in the TIM LDAP.  Same applies to removing definitions "manually" from the LDAP.

    I really feel uncomfortable about manually amending the TIM LDAP directly at any time - but especially for this kind of exercise.  I hope I'm being over-cautious with this query.  I will raise a PMR with IBM and get some advice/confirmation on this matter.

    Regards,

    JD

  • yn2000 (1112 Posts)

    Re: ITIM 5.1 - Safely deleting a service

    2014-08-26T05:58:13Z
    Yup, raising PMR would be the best avenue, because I am posting another version of deleting a service story.

    In one ISIM version, which is probably newer than Mr. goonitsupport's version but older than the current publication, I can delete a service, including the accounts, but I cannot delete a service if there is still a Prov. Pol. attached to it, unless the Prov. Pol. is profile-based, not service-based. So, it depends on the type of the Prov. Pol. too. Deleting a service will automatically delete the accounts, provided that you have installed timdelref properly. Mostly you have, but hey, we can run ISIM without timdelref installed. This will not trigger deletion of the account on the resource, because timdelref works in the background and it is only LDAP data manipulation (deletion).

    Deletion of a Prov. Pol. is a different story, because it is a front-end process where all changes trigger evaluation of the policy. Deleting a Prov. Pol. may damage your resource data. Well, of course it depends on how you set the service enforcement policy too.

    Nevertheless, like Mr. goonitsupport says, you have to have a backup of everything, including a backup of the target resource, right? And you should test all of these theories before doing anything that impacts PROD data, right?

    Good luck.

    Rgds. YN
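Added example (not code from this thread, from IBM, or from any ITIM tool): a Python script that inventories what in the ITIM LDAP still points at a service, working from an LDIF export taken before and after the deletion. It addresses JD's worry above about not being able to tell whether every reference to the accounts is gone, and YN's point that the service deletion itself is only LDAP data manipulation, by distinguishing account entries (exact DN match on erService, with orphans flagged) from other entries such as policies that merely contain the service DN somewhere in their data. The erAccountItem, erServiceItem and erProvisioningPolicy object classes and the erService, erParent and erUid attribute names are my assumptions about the ITIM 5.1 schema; the DNs and the LDIF are constructed, and the post-deletion state is simulated by list filtering, so nothing here touches a directory.

```python
"""Inventory ITIM LDAP entries that reference a service, from an LDIF export.

Take an export before deleting the service (to see exactly which account and
policy entries point at it) and again afterwards (to confirm nothing still
does); e.g. with the OpenLDAP client:
  ldapsearch -LLL -x -D <bind dn> -W -b <ITIM suffix> "(objectclass=*)" > before.ldif
"""
import base64

# Schema names are assumptions about the ITIM 5.1 directory layout
# (erAccountItem/erServiceItem/erProvisioningPolicy object classes; erService,
# erParent, erUid attributes); verify them against your own directory first.
ACCOUNT_OBJECTCLASS = "eraccountitem"
SERVICE_ATTR, OWNER_ATTR, UID_ATTR = "erservice", "erparent", "eruid"


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr_lowercase: [values]})]; handles folded
    lines, base64 values ("attr:: ..."), comments and blank separators."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def _same_dn(a, b):
    """Case-insensitive DN comparison ignoring whitespace around commas."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    return norm(a) == norm(b)


def find_service_references(entries, service_dn):
    """Return {"accounts": [(dn, uid, owner_dn|None)], "orphans": [dn], "other": [dn]}.
    accounts: account entries whose erService is the service (exact DN match);
    orphans: those with no erParent; other: non-account entries where any
    value contains the service DN (catches policies embedding it in data)."""
    accounts, orphans, other = [], [], []
    needle = service_dn.lower()
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if ACCOUNT_OBJECTCLASS in classes:
            if any(_same_dn(v, service_dn) for v in attrs.get(SERVICE_ATTR, [])):
                owner = attrs.get(OWNER_ATTR, [None])[0]
                accounts.append((dn, attrs.get(UID_ATTR, ["?"])[0], owner))
                if owner is None:
                    orphans.append(dn)
        elif not _same_dn(dn, service_dn):   # skip the service entry itself
            if any(needle in v.lower() for vals in attrs.values() for v in vals):
                other.append(dn)
    return {"accounts": accounts, "orphans": orphans, "other": other}


def simulate_cleanup(entries, service_dn):
    """What-if: entries left once the service and its accounts are gone (list filtering only)."""
    gone = {dn for dn, _, _ in find_service_references(entries, service_dn)["accounts"]}
    return [(dn, a) for dn, a in entries if dn not in gone and not _same_dn(dn, service_dn)]


# Constructed sample export (not data from any real ITIM deployment).
SERVICE_DN = "erglobalid=SVC001,ou=services,ou=org,dc=example"
_blob = base64.b64encode(f"entitlement target {SERVICE_DN}".encode()).decode()
SAMPLE_LDIF = f"""\
dn: {SERVICE_DN}
objectclass: erServiceItem

dn: erglobalid=ACC001,ou=accounts,ou=org,dc=example
objectclass: erAccountItem
eruid: jsmith
erservice: {SERVICE_DN}
erparent: erglobalid=PER001,ou=people,ou=org,dc=example

dn: erglobalid=ACC002,ou=accounts,ou=org,dc=example
objectclass: erAccountItem
eruid: svc-batch
erservice: {SERVICE_DN.upper()}

dn: erglobalid=POL001,ou=policies,ou=org,dc=example
objectclass: erProvisioningPolicy
description:: {_blob[:24]}
 {_blob[24:]}
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("before:", find_service_references(entries, SERVICE_DN))
    print("after: ", find_service_references(simulate_cleanup(entries, SERVICE_DN), SERVICE_DN))
```

On the constructed sample the "before" report lists two accounts (one of them an orphan with no owner) and one policy entry; after the simulated cleanup the accounts are gone but the policy entry still references the service DN, which is the kind of leftover the second export is meant to expose. For a real run, replace SAMPLE_LDIF with the contents of the export file and pass the service's actual DN.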