Topic
  • 8 replies
  • Latest Post - ‏2018-09-18T09:59:25Z by ZPrathM
ZPrathM (16 Posts)

Pinned topic EnforcePolicyForPerson behaviour Difference

‏2018-05-29T11:03:00Z | isim6.0

Hi Team,

We have role-based provisioning to one of the targets. When the role gets added, the user's account gets created in ISIM and on the target. When the role is removed, the user's account gets deleted from both ISIM and the target.

We have the same provisioning policy, enforcement and everything else moved to another environment, but we see a difference: when the role is removed, the account is still present in ISIM as well as on the target.

When we check View Request, we see that the EnforcePolicyForPerson extension is not calling the Delete Account workflow; we do not see a call to the Delete Account workflow.

Any pointers on the possible reasons why we are seeing different behavior in different environments?

Thanks,

Prathmesh

Updated on 2018-05-29T11:04:48Z at 2018-05-29T11:04:48Z by ZPrathM
  • franzw (519 Posts)
    ACCEPTED ANSWER

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-05-29T11:14:12Z  

    This sounds like there is a policy allowing the account to exist - this can be a default policy created during service creation.

    You may need to go into LDAP to find all policies if you cannot find them through the Admin Console.

    HTH

    Regards

    Franz Wolfhagen

  • yn2000 (1133 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-05-29T14:23:50Z  
    • franzw
    • ‏2018-05-29T11:14:12Z

    Well, these are two contradictory statements. Prath said: "We have same provisioning policy, enforcement and everything same..." Franz said: "...there is a policy allowing the account to exist...", which suggests that the policies are not the same. So, let's take this approach. Manage Users >> {user} >> Accounts >> Refresh. If the account exists without a marking, then Franz is right, meaning that there is another policy allowing the account to exist. If the account exists with a 'not allowed' marking, then it could be the Enforcement setting that is not the same. If what Prath says is correct, where everything is the same but the two environments behave differently, then the answer is to open an IBM PMR to go deeper into the other configuration differences.

    :-) Rgds.  YN.

  • franzw (519 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-05-29T16:23:59Z  
    • yn2000
    • ‏2018-05-29T14:23:50Z

    You are right - I should have pointed that out - I jumped to conclusions :-)

    But I also expect that professionals posting here are only looking for advice if they are also willing to invest effort, learn and share their experience with the community here. I know that may be a faint hope - but nevertheless my presence here depends on having this hope in the future generations of people here :-)

    So - let's wait to hear what Prathmesh finds out...

    Regards

    Franz Wolfhagen

  • ZPrathM (16 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-06-01T14:31:08Z  
    • franzw
    • ‏2018-05-29T16:23:59Z

    Hi Franz & YN,

    PFB finding:

    "Manage Users >> {user} >> Accounts >> Refresh. If the account exists without a marking, then Franz is right, meaning that there is another policy allowing the account to exist." ->

    Yes, I do see this behavior, which means that there is a policy allowing the account to exist, but I do not see this provisioning policy from the Admin Console and need to check it in LDAP. I will check this out and let you know what I get out of it.

    Franz and YN: Thank you so much for your inputs/suggestions. Your thought process is helping me move forward with the investigation. Thank you for being in this community and helping people with your expertise :-)

    Thanks & Regards,

    Prathmesh.

  • ZPrathM (16 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-06-05T11:06:05Z  
    • ZPrathM
    • ‏2018-06-01T14:31:08Z

    Hi Franz / YN

    Is there any way we can check, using some command in LDAP, the provisioning policies associated with a target?

    I tried checking it from the LDAP browser under ou=policies, but it's not giving me sufficient information to check for the target.

  • GirishKR (16 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-06-05T18:35:04Z  
    • ZPrathM
    • ‏2018-06-05T11:06:05Z

    You may try searching the LDAP browser with a filter under ou=policies. The filter should be:

    (|(erpolicytarget=*<erglobalid of service dn for which the account is provisioned now>)(erreqpolicytarget=*<erglobalid of service dn for which the account is provisioned now>))

    You can have the erpolicyitemname attribute shown in the LDAP result. That way you can narrow down the policy you are looking for.

    Also, have a look at the operational workflows (add, modify and delete); they might be customized and hence not triggering the delete account extension.

    Some policies might also have been tied to the service type rather than the service itself (I don't recommend this design, though), but you can have a look at these as well.
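
Added example, not code from the original thread and not IBM's: a small Python script that covers the step Franz suggested (go into LDAP to find every policy) and the filter Girish gives above. It builds the filter with the service DN escaped per RFC 4515, then reads the LDIF that ldapsearch returns and lists each matching policy with its erpolicyitemname and whether it matched on erpolicytarget or erreqpolicytarget. The host, base DN, service DN and LDIF entries are constructed sample data, and the "1;" prefix on the erpolicytarget values is an assumption about how ISIM encodes the target, which is why the filter keeps Girish's leading wildcard instead of matching the whole value.

```python
"""Find the ISIM provisioning policies that target a given service.

Added example (not from the thread or from IBM). Typical use against the
real directory, with the filter produced by build_policy_filter():

  ldapsearch -LLL -H ldaps://isimldap.example.com -D cn=root -W \
      -b ou=policies,erglobalid=00000000000000000000,ou=example,dc=com \
      '<filter from build_policy_filter>' \
      erpolicyitemname erpolicytarget erreqpolicytarget > policies.ldif

Host and base DN above are placeholders; the LDIF at the bottom is constructed.
"""
import base64

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a search filter, so a pasted DN
    containing '(' ')' '*' or '\\' cannot change what the filter matches."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_policy_filter(service_dn: str) -> str:
    """Girish's filter: policies whose current or requested target ends with
    the service DN. The leading '*' tolerates whatever prefix ISIM stores."""
    target = escape_filter_value(service_dn)
    return f'(|(erpolicytarget=*{target})(erreqpolicytarget=*{target}))'


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader for `ldapsearch -LLL` output: entries separated by
    blank lines, folded lines start with one space, 'attr:: value' is base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + ['']:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def policies_targeting(ldif_text: str, service_dn: str) -> list:
    """Re-apply the same match client-side and report which attribute hit.
    A hit only on erreqpolicytarget is presumably a requested, not yet
    committed, target rather than what the policy currently enforces."""
    wanted = service_dn.lower()
    found = []
    for entry in parse_ldif(ldif_text):
        hits = [attr for attr in ('erpolicytarget', 'erreqpolicytarget')
                if any(v.lower().endswith(wanted) for v in entry.get(attr, []))]
        if hits:
            found.append({
                'dn': entry.get('dn', [''])[0],
                'name': entry.get('erpolicyitemname', ['?'])[0],
                'matched_on': hits,
            })
    return found


# Constructed sample data: one service, three policies, two of which target it.
SERVICE_DN = ('erglobalid=2222222222222222222,ou=services,'
              'erglobalid=00000000000000000000,ou=example,dc=com')

SAMPLE_LDIF = f"""\
dn: erglobalid=1111111111111111111,ou=policies,erglobalid=00000000000000000000,
 ou=example,dc=com
erpolicyitemname: Role based access to Target X
erpolicytarget: 1;{SERVICE_DN}

dn: erglobalid=3333333333333333333,ou=policies,erglobalid=00000000000000000000,ou=example,dc=com
erpolicyitemname: Default policy for Target X
erpolicytarget: 1;{SERVICE_DN}

dn: erglobalid=4444444444444444444,ou=policies,erglobalid=00000000000000000000,ou=example,dc=com
erpolicyitemname: Unrelated policy
erpolicytarget: 1;erglobalid=5555555555555555555,ou=services,erglobalid=00000000000000000000,ou=example,dc=com
"""

if __name__ == '__main__':
    print(build_policy_filter(SERVICE_DN))
    for policy in policies_targeting(SAMPLE_LDIF, SERVICE_DN):
        print(f"{policy['name']}  ({', '.join(policy['matched_on'])})  {policy['dn']}")
```

Feed it the LDIF captured from the real directory; any policy it lists that you cannot see on the Manage Provisioning Policies page (for instance one scoped to the service type, as Girish mentions) is the first candidate for the extra policy keeping the account alive.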

  • yn2000 (1133 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-06-05T20:57:45Z  
    • GirishKR
    • ‏2018-06-05T18:35:04Z

    Girish reminded me: "...Some policies might have also been tied to service type rather than services itself..."

    So, I am starting to wonder about this statement: "...I do not see this Provisioning Policy from Admin Console..." Maybe it is there, but it is part of other policies, because it does not make sense for the Admin Console to 'hide' any policy.

    Then, I am starting to wonder about this statement: "...We have same provisioning policy, enforcement and everything same..." Probably it meant that everything is the same for a specific prov. pol., neglecting to mention that there are other policies that could be different. So, it is probably a good idea to open an IBM PMR to get a second pair of eyes looking at the policy design.

    Rgds. YN.

  • ZPrathM (16 Posts)

    Re: EnforcePolicyForPerson behaviour Difference

    ‏2018-09-18T09:59:25Z  
    • yn2000
    • ‏2018-06-05T20:57:45Z

    There was an extra provisioning policy in this env which was not allowing this to happen. That was wrongly configured. Once removed, it started working.