New to the TIM/TAM world. We are creating a sandbox environment to test reconciliation between various systems (AD, e-mail, HR, UNIX, etc.). Is there an easy way to disable all of the provisioning policies at one time?
3 replies Latest Post - 2013-02-14T12:48:39Z by SystemAdmin
Pinned topic ITIM 5.1 disable provisioning policies
Re: ITIM 5.1 disable provisioning policies
2013-02-07T17:43:18Z in response to SystemAdmin
Not officially - but you can do an ldapsearch and pipe that into an ldapmodify to change the status to disabled.
You can do this in a supported way using the APIs - but the result is the same for now - if you are concerned with this - stick to the APIs.
But you have to be clear about what you are trying to do - disabling ALL policies will make all accounts disallowed - you should rather run with policy evaluation on and services set to Mark - this way you will be able to see what policy violations there are by searching for non-compliant accounts.
My advice - use some time to play with a service and some policies (using both reconciliation and preview in the policy) to find out how things work.
Re: ITIM 5.1 disable provisioning policies
2013-02-08T08:16:55Z in response to SystemAdmin
Totally agree with Franz.
The quick answer: do an ldapmodify to set the erenabled attribute equal to false on the Provisioning Policies. Since it is not a procedure tested by me, please make some trials. Nevertheless, as Franz said, take into consideration that it is not an official procedure.
If you aim to prevent the policy evaluations from triggering requests on the managed systems, there are different ways, such as:
- set the Policy Enforcement Action on the Services definition to Mark Non-Compliant. Be aware that it doesn't prevent new accounts from being created: as there is no initial account, it is not taken into consideration as a policy violation.
- define a new value equal to com.ibm.itim.remoteservices.ResourceProperties.IS_LOCAL=TRUE for the erproperties attribute on the services definitions. It prevents requests from going to the adapters. The bad news: again, it should be done by means of an LDAP command/LDAP browser. You can find the service definition on the LDAP leaf named erobjectprofilename=<profile name>,ou=serviceProfile,ou=tim,ou=XXX,dc=XXX
I hope it helps.
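An added example, not part of either reply and not IBM-supplied code: a filter for the ldapsearch-into-ldapmodify approach described in this thread. It turns the LDIF from a search into change records that set erenabled, and writes a rollback LDIF that restores each entry's previous value. The function name, file names and sample DNs are assumptions. The search filter and connection options are left to the reader.

```shell
#!/bin/sh
# Added example (hypothetical helper, not ITIM tooling).
# Usage: ldapsearch ... | policies_to_ldif FALSE rollback.ldif > disable.ldif
# Review disable.ldif, then feed it to ldapmodify; rollback.ldif undoes it.
policies_to_ldif() {
    new_value=$1
    rollback=$2
    : > "$rollback"                      # start with an empty rollback file
    awk -v new="$new_value" -v rb="$rollback" '
        # Write the change record for the entry collected so far, and the
        # record that restores its previous state.
        function emit() {
            if (dn != "") {
                printf "%s\nchangetype: modify\nreplace: erenabled\nerenabled: %s\n\n", dn, new
                if (old != "")
                    printf "%s\nchangetype: modify\nreplace: erenabled\nerenabled: %s\n\n", dn, old >> rb
                else                     # attribute was absent: rollback removes it
                    printf "%s\nchangetype: modify\ndelete: erenabled\n\n", dn >> rb
            }
            dn = ""; old = ""
        }
        # Inspect one complete (unfolded) LDIF line.
        function handle(line) {
            if (line ~ /^dn::? /) dn = line          # base64 DNs (dn::) pass through
            else if (tolower(line) ~ /^erenabled: /) old = substr(line, 12)
        }
        /^#/ { skip = 1; next }                      # comment emitted by ldapsearch
        /^ / { if (!skip) buf = buf substr($0, 2); next }   # folded line: unfold it
        { skip = 0; if (buf != "") handle(buf); buf = $0 }
        /^$/ { emit(); buf = "" }                    # blank line ends an entry
        END  { if (buf != "") handle(buf); emit() }
    '
}
```

Keeping the rollback file next to the generated change file gives the sandbox a way back to the exact prior state, including policies that were already disabled before the bulk change.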