3 replies Latest Post - ‏2013-02-14T12:48:39Z by SystemAdmin
SystemAdmin

Pinned topic ITIM 5.1 disable provisioning policies

2013-02-07T16:37:48Z
New to the TIM/TAM world. We are creating a sandbox environment to test reconciliation between various systems (AD, e-mail, HR, UNIX, etc.). Is there an easy way to disable all of the provisioning policies at one time?

Thanks
Chris
Updated on 2013-02-14T12:48:39Z at 2013-02-14T12:48:39Z by SystemAdmin
  • SystemAdmin

    Re: ITIM 5.1 disable provisioning policies

    ‏2013-02-07T17:43:18Z  in response to SystemAdmin
    Not officially - but you can do an ldapsearch and pipe that into an ldapmodify to change the status to disabled.

    You can do this in a supported way using the APIs - but the result is the same for now - if you are concerned with this - stick to the APIs.

    But you have to make clear to yourself what you are trying to do - disabling ALL policies will make all accounts disallowed - you should rather run with policy evaluation on and services set to Mark - this way you will be able to see what policy violations there are by searching for non-compliant accounts.

    My advice - use some time to play with a service and some policies (using both reconciliation and preview in the policy) to find out how things work.

    HTH

    Regards
    Franz Wolfhagen
    • SystemAdmin

      Re: ITIM 5.1 disable provisioning policies

      ‏2013-02-08T08:16:55Z  in response to SystemAdmin
      Totally agree with Franz.

      The quick answer: do an ldapmodify to set the erenabled attribute equal to false on the Provisioning Policies. Since it is not a procedure tested by me, please make some trials. Nevertheless, as Franz said, take into consideration that it is not an official procedure.

      If you aim to prevent policy evaluations from triggering requests on the managed systems, there are different ways, such as:
      • set the Policy Enforcement Action on the Services definition to Mark Non-compliant. Be aware that it doesn't prevent new accounts from being created: as there is no initial account, it is not taken into consideration as a policy violation.
      • define a new value equal to com.ibm.itim.remoteservices.ResourceProperties.IS_LOCAL=TRUE for the erproperties attribute on the services definitions. It prevents requests from going to the adapters. The bad news: again it should be done by means of an ldap command/ldap browser. You can find the service definition on the LDAP leaf named erobjectprofilename=<profile name>,ou=serviceProfile,ou=tim,ou=XXX,dc=XXX

      I hope it helps.
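
The ldapsearch-into-ldapmodify approach from the two replies above, as an added example that is not part of the original posts and is not IBM's code: a filter that turns search output into a reviewable change file instead of piping straight into ldapmodify, handling folded and base64 DN lines. The function name, the sample DNs and the value FALSE are assumptions; the search base and filter are left as placeholders.

```shell
#!/bin/sh
# Added example. Turns ldapsearch LDIF output into an ldapmodify change file
# that sets erenabled on every entry returned, so the change can be reviewed
# (and a matching re-enable file kept) before anything is applied.
#
# Assumed usage, placeholders in <>:
#   ldapsearch <connection options> -b "<policy base DN>" "<policy filter>" dn \
#       | to_policy_ldif FALSE > disable-policies.ldif
#   The same search piped to "to_policy_ldif TRUE" gives the re-enable file.

# to_policy_ldif VALUE: LDIF on stdin, one "replace: erenabled" record per DN.
# VALUE defaults to FALSE (assumed spelling; check an existing entry first).
to_policy_ldif() {
    awk -v value="${1:-FALSE}" '
        function emit() {
            if (dn == "") return
            print dn
            print "changetype: modify"
            print "replace: erenabled"
            print "erenabled: " value
            print ""
            dn = ""
        }
        /^#/      { indn = 0; next }                         # LDIF comment
        /^ /      { if (indn) dn = dn substr($0, 2); next }  # folded line: rejoin
        /^dn::? / { emit(); dn = $0; indn = 1; next }        # plain or base64 DN
                  { indn = 0 }                               # any other line
        END       { emit() }
    '
}

# Constructed sample of ldapsearch output (not from a real directory).
sample_search_output() {
    cat <<'EOF'
# constructed result set
dn: cn=policy-one,ou=policies,dc=example
erenabled: TRUE

dn: cn=policy-two,ou=policies,ou=a-long-organisation-name-that-gets-fold
 ed,dc=example
erenabled: TRUE

dn:: Y249cDMsZGM9ZXhhbXBsZQ==
erenabled: TRUE
EOF
}

sample_search_output | to_policy_ldif FALSE
```
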
      • SystemAdmin

        Re: ITIM 5.1 disable provisioning policies

        ‏2013-02-14T12:48:39Z  in response to SystemAdmin
        Slightly different tack: you could set the Reconciliations not to check policy. This way the accounts will reconcile much faster (but policy will not be checked).