New to the TIM/TAM world. We are creating a sandbox environment to test reconciliation between various systems (AD, e-mail, HR, UNIX, etc....). Is there an easy way to disable all of the provisioning policies at one time?
Pinned topic ITIM 5.1 disable provisioning policies
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-02-14T12:48:39Z at 2013-02-14T12:48:39Z by SystemAdmin
Re: ITIM 5.1 disable provisioning policies2013-02-07T17:43:18ZThis is the accepted answer. This is the accepted answer.Not officially - but you can make do an ldapsearch and pipe that into an ldapmodify to change the status to disabled.
You can do this in a supported way using the APIs - but the result is the same for now - if you are concerned with this - stick to the APIs.
But you have to make yourself clear what you are trying to do - disabling ALL policies will make all accounts disallowed - what you should rather run with policy evaluation on and services set to Mark - this way you will be able to see what policy violation there are by searching for non-compliant accounts.
My advice - use some time to play with a service and some policies (using both reconciliation and preview in the policy) to find out how things works.
Re: ITIM 5.1 disable provisioning policies2013-02-08T08:16:55ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK
The quick answer. Make a ldapmodify to set the erenabled attribute equal to false on the Provisioning Policies. Since, it is not a procedure tested by me, please make some trials. Nevertheless, as Franz said, take into consideration it is not a official procedure.
If you aim to avoid the policies evaluations trigger requests on the managed systems, there are different ways such as:
- set the Policy Enforcement Action on the Services definition to Mark Non-complaint. Be aware, it doesn't avoid new accounts would be created, as there is no an initial account it is not take into consideration as a policy violation.
- define a new value equal to com.ibm.itim.remoteservices.ResourceProperties.IS_LOCAL=TRUE for the erproperties attribute on the services definitions. It avoids requests go to the adapters. The bad news: again it should be done by means of ldapcomand/ldapbrowser. You can find the service definition on LDAP leaf named erobjectprofilename=< profile name>,ou=serviceProfile,ou=tim,ou=XXX,dc=XXX
I hope it help.
Re: ITIM 5.1 disable provisioning policies2013-02-14T12:48:39ZThis is the accepted answer. This is the accepted answer.
- SystemAdmin 110000D4XK