Archiving Home Directories

One of the things I love about MIIS is that it can be put to work on any object type you care to name, as long as you can cobble together some sort of automation process.

One such example is a home directory. While needed by the user, it is not part of the user account – it is a separate object. Its life cycle, while linked to that of the user, may follow a different path. You may be happy to delete a user object, knowing it can be recreated with the same groups and rights – but you can’t be so cavalier with data. Business requirements may have the home directory archived, or moved, or re-permissioned to another user. But as long as you can specify these rules, and write some code around them, there’s no reason why MIIS can’t manage your user data as effortlessly as your user accounts.

I have already posted about an extensible MA for user home directory creation. I extended this code to make it zip up the home directory after account deletion. For that I needed a VB.NET compatible archiving library. I used Zbitz – but there’s plenty to choose from out there.

Set a Flag

The first step is to set a flag in the MVExtension code when I’ve figured out that some sort of action needs to be taken.

In my system I use a two-step process to get rid of a user. Initially the user account is disabled and a datestamp is written into the Description field. At the same time the home directory is zipped to an archive location, though not yet removed. This makes it very easy to restore the account if a mistake was made.

After 90 days, if the account is still disabled, it is deleted along with the home directory.

In the following code snippet, csHomeDir is the CS object representing the home directory. The value numDaysDisabled has been calculated from the datestamp in the user’s Description field.

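' Not yet archived: flag the transaction so the export flow rule can act on it.
If Not csHomeDir("Status").Value.ToLower = "archived" Then
    Utils.TransactionProperties("archiveHomedir") = True
' Already archived and disabled for more than 90 days: remove the home directory.
ElseIf csHomeDir("Status").Value.ToLower = "archived" AndAlso numDaysDisabled > 90 Then
    csHomeDir.Deprovision()
End If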

Set the Status

The next thing I need to do is set the Status on the home directory object (as described in this post). This can only be done as an export flow rule, so it is a job for the MAExtension code.

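' Export flow rule: only an active directory flagged in this transaction moves to "archive pending".
Case "exportStatus"
    If Utils.TransactionProperties("archiveHomedir") = True AndAlso csentry("Status").Value = "active" Then
        csentry("Status").Value = "archive pending"
    End If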

Archive the Directory

Creating the archive is a job for the CSExtension code. I run the archive and then, if successful, I change the Status to “archived”. If the archive was unsuccessful I don’t make any changes in the SQL table – the Status remains “active” and the whole process will be attempted again.

If csentry("Status").Value = "archive pending" Then
    ' Write "archived" to the SQL table only when the archive call reports success (0).
    If ArchiveHomeDir(path) = 0 Then
        updateRow(path, csentry("stringDN").Value, csentry("Server").Value.ToUpper, csentry("Volume").Value.ToUpper, csentry("Folder").Value.ToLower, "archived")
    End If
End If
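
One possible shape for the ArchiveHomeDir call used above, as an added example rather than the author's code. It uses .NET's System.IO.Compression in place of the third-party library named in the post; the archive root path, the parameter name and the non-zero return codes are assumptions.

```vbnet
Imports System.IO
Imports System.IO.Compression ' reference System.IO.Compression and System.IO.Compression.FileSystem (.NET 4.5+)

Public Module HomeDirArchiver
    ' Assumed archive location, not taken from the post.
    Private Const ArchiveRoot As String = "D:\HomeDirArchive"

    ' Returns 0 only when a verified zip is in place. Any other value (assumed codes)
    ' means the caller leaves Status alone and the next export retries.
    Public Function ArchiveHomeDir(ByVal homeDir As String) As Integer
        If Not Directory.Exists(homeDir) Then Return 1

        Dim finalZip As String = System.IO.Path.Combine(ArchiveRoot, New DirectoryInfo(homeDir).Name & ".zip")
        Dim tempZip As String = finalZip & ".partial"
        Try
            Directory.CreateDirectory(ArchiveRoot)
            ' A leftover .partial file means an earlier run was interrupted.
            If File.Exists(tempZip) Then File.Delete(tempZip)
            ZipFile.CreateFromDirectory(homeDir, tempZip, CompressionLevel.Optimal, False)

            ' Verify before reporting success: the file count on disk must match the file entries in the zip.
            Dim expected As Integer = Directory.GetFiles(homeDir, "*", SearchOption.AllDirectories).Length
            Dim actual As Integer = 0
            Using zip As ZipArchive = ZipFile.OpenRead(tempZip)
                For Each entry As ZipArchiveEntry In zip.Entries
                    ' Directory entries have an empty Name; count files only.
                    If entry.Name.Length > 0 Then actual += 1
                Next
            End Using
            If actual <> expected Then
                File.Delete(tempZip)
                Return 2
            End If

            ' Publish under the final name only after verification.
            If File.Exists(finalZip) Then File.Delete(finalZip)
            File.Move(tempZip, finalZip)
            Return 0
        Catch ex As Exception
            ' Locked files, access denied, disk full: report failure so the export retries.
            Return 3
        End Try
    End Function
End Module
```

A zip does not carry the NTFS ACLs of the original folder, so access to the archived data is governed by the permissions on the archive location.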

Some Other Comments

The great thing about this method is that it is very robust. Because the Status field is not changed until the directory has been successfully archived, MIIS will just keep retrying it. If there are a lot of archives, and it’s holding up other jobs, you can just stop the Export. The next time round MIIS picks up from where it left off.

One slight problem is that I change the Status as part of the Export, and this is a bit of a cheat from an MIIS perspective. Because I’ve exported “archive pending” but then imported either “archived” or “active”, I always get the “Exported change was not reimported” warning. But it’s just a warning, and I was always happy to live with it. Perhaps I’ll do some further refining at a later date.

About: Carol

I've been doing IT for 30 years, and IdM for 15. I live in Australia and build IdM solutions based on Microsoft Identity Manager. I also play the violin, but that doesn't help much with the IdM solutions.