  • Latest Post - ‏2013-02-14T12:48:39Z by SystemAdmin
SystemAdmin

Pinned topic ITIM 5.1 disable provisioning policies

‏2013-02-07T16:37:48Z |
New to the TIM/TAM world. We are creating a sandbox environment to test reconciliation between various systems (AD, e-mail, HR, UNIX, etc.). Is there an easy way to disable all of the provisioning policies at one time?

Thanks
Chris
Updated on 2013-02-14T12:48:39Z at 2013-02-14T12:48:39Z by SystemAdmin
  • SystemAdmin

    Re: ITIM 5.1 disable provisioning policies

    ‏2013-02-07T17:43:18Z  
    Not officially - but you can do an ldapsearch and pipe that into an ldapmodify to change the status to disabled.

    You can do this in a supported way using the APIs - but the result is the same for now - if you are concerned with this - stick to the APIs.

    But you have to make clear to yourself what you are trying to do - disabling ALL policies will make all accounts disallowed - you should rather run with policy evaluation on and services set to Mark - this way you will be able to see what policy violations there are by searching for non-compliant accounts.

    My advice - use some time to play with a service and some policies (using both reconciliation and preview in the policy) to find out how things work.

    HTH

    Regards
    Franz Wolfhagen
  • SystemAdmin

    Re: ITIM 5.1 disable provisioning policies

    ‏2013-02-08T08:16:55Z  
    Totally agree with Franz.

    The quick answer: do an ldapmodify to set the erenabled attribute equal to false on the Provisioning Policies. Since it is not a procedure tested by me, please run some trials. Nevertheless, as Franz said, take into consideration that it is not an official procedure.

    If you aim to prevent the policy evaluations from triggering requests on the managed systems, there are different ways, such as:
    • set the Policy Enforcement Action on the Services definition to Mark Non-compliant. Be aware that it doesn't prevent new accounts from being created: as there is no initial account, it is not taken into consideration as a policy violation.
    • define a new value equal to com.ibm.itim.remoteservices.ResourceProperties.IS_LOCAL=TRUE for the erproperties attribute on the services definitions. It prevents requests from going to the adapters. The bad news: again, it has to be done by means of ldapcommand/ldapbrowser. You can find the service definition on the LDAP leaf named erobjectprofilename=<profile name>,ou=serviceProfile,ou=tim,ou=XXX,dc=XXX

    I hope it helps.
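
The ldapsearch-to-ldapmodify approach from the two replies above, as an added example that is not part of the original thread and has not been run against ITIM: it converts ldapsearch LDIF output into a change file you can review before applying it. The function name `disable_ldif`, the placeholders in the usage comment and the sample DNs are assumptions; `erenabled` and the value `false` are taken from the reply.

```shell
#!/bin/sh
# Usage (placeholders, not real options or filters):
#   <your ldapsearch for the policy entries> | disable_ldif > disable.ldif
#   review disable.ldif, keep a backup of the entries, then feed it to ldapmodify

# Reads LDIF on stdin and writes one "replace" change record per entry.
# $1 = attribute to set (default erenabled), $2 = new value (default false).
disable_ldif() {
    awk -v attr="${1:-erenabled}" -v value="${2:-false}" '
        function flush() {
            if (!have) return
            print dn
            print "changetype: modify"
            print "replace: " attr
            print attr ": " value
            print ""
            have = 0
        }
        # LDIF folds long lines; a continuation line starts with one space.
        /^ / { if (have) dn = dn substr($0, 2); next }
        # Any other line ends the DN that was being collected.
        { flush() }
        # Matches plain "dn: ..." and base64-encoded "dn:: ..." lines.
        /^dn::? / { dn = $0; have = 1 }
        END { flush() }
    '
}

# Constructed sample search output: two entries, the second with a folded DN.
sample_ldif() {
    cat <<'EOF'
version: 1

dn: cn=policy-a,ou=example,dc=example
erenabled: TRUE

dn: cn=policy-b,ou=exa
 mple,dc=example
erenabled: TRUE
EOF
}

# Dry run: print the change records for the sample without touching a directory.
sample_ldif | disable_ldif
```

Keeping the generated file also gives you a record of exactly which entries were changed, which makes reverting in the sandbox straightforward.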
  • SystemAdmin

    Re: ITIM 5.1 disable provisioning policies

    ‏2013-02-14T12:48:39Z  
    Slightly different tack: you could set the Reconciliations not to check policy. This way the accounts will reconcile much faster (but policy will not be checked).