bobby99

Update AD Account from Lotus Notes ADD Workflow

2013-02-20T17:30:53Z
I'm looking to update the Active Directory account Email address when I create a new Lotus Notes account within ITIM 5.1. The AD account will always be there first as it is the Identity Policy to create the users. Then the Lotus Notes account is created manually. During the Add Workflow under Lotus Notes, I am looking to update the email address attribute in the AD Account. How would I go about updating the AD account from within the Lotus Notes Add Workflow?
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-20T18:27:30Z  
    Although it is an old presentation, here you can find an example for updating an account attribute calling from another workflow.

    There is no doubt it would be easy for you to reach your goal using this example.

    PS: I really believe there is a more recent document regarding setting a notification process by TIM, where this issue is managed; nevertheless, I am not able to find it.
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-20T18:30:11Z  
    What you need is a provisioning policy to populate the AD email address based upon the entry in the Person record.

    You then need to amend the Operations workflow for your Lotus Notes account entity so that it has 2 extensions: a Person Modify to update the email address, linking to an enforcePolicyForPerson node. This assumes that you have set Policy enforcement on the provisioning policy to "Mandatory" and the Service Enforcement is set to "Correct".

    That is how I would do it.

    Best regards
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-20T19:11:23Z  
    This is also the way I would recommend it done.

    One thing to be aware of is that it only works when compliance enforcement of the service is set to "correct".

    Also there is a golden rule that should never be challenged : never change attribute values for attributes also managed in provisioning policies - this will fail when switching to correct...

    So it is not that easy...

    Regards
    Franz Wolfhagen
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-20T19:15:12Z  
    Oh - I forgot one thing - you should use service dependency on the service form specifying AD as a prerequisite to Notes - then you are guaranteed that AD accounts will always exist before Notes...

    Again - this is easier said than done - there are some drawbacks - you will not be able to create Notes accounts without the AD account (normally not a problem) - worse is that the way "ordered provisioning" works means that a failure on one account creation will stop the whole account create flow...

    Regards
    Franz Wolfhagen
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-21T07:21:08Z  
    From bobby99's description there is no need for a service dependency. The AD account will exist first and will be updated with an email address when the Notes account is added manually later.

    Best regards,
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-21T07:48:42Z  
    I think you are taking that a little too much for granted....

    There are a lot of things you will do on Notes (e.g. ID file handling) that will link into fileshares etc.

    If you run an automated (RBAC) ITIM implementation the service dependency will guarantee that the AD account creation (more accurately - the add operation) is done before it starts the Notes account add operation.

    This may seem contrary to the KISS principle - but if you go into the details it really isn't - if you have to put code into your operations to perform these checks your operations will soon be overly complex and difficult to maintain i.e. driving down the TCO.

    As I said - this is not something you get for free - but on the other hand the attribute handling in operations is something that should be avoided if it is possible to do in policies.

    Also I get a little worried when people start messing up terms (i.e. the Identity policy has no impact on these things....) - that is why I try to give this advice...

    Regards
    Franz Wolfhagen
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-21T08:54:19Z  
    LOL, I am only capable of answering the questions that have been asked.

    Perhaps that is a failing or an asset?

    Best regards,
  • SystemAdmin

    Re: Update AD Account from Lotus Notes ADD Workflow

    ‏2013-02-21T09:08:17Z  
    Well - questions are normally just symptoms of underlying requirements - so answering questions is not just that....

    My job is often to uncover missing information/hidden agendas that will be a risk in an implementation project - that is why - in my world - a question is not just that :-)

    But that is my opinion - and may not be applicable to the whole world...

    Regards
    Franz Wolfhagen