So while they rename I’m staying historical. And besides, I don’t just post about FIM.

I just posted this article in the Greatest Hits series of the ILM Technet forum. It describes some of the methods and considerations around disabling and deleting users accounts with ILM.

In Identity Management, deprovisioning is every bit as important as provisioning – in fact the security guys would say it is more important.

End-of-life management may have been one of the determining factors that got the IdM project started in the first place – while most
organizations have a variety of scripts and processes they use to create accounts and assign permissions, the cleanup when a person leaves is often not handled so well.

General rules for object deletion have been already well covered in Markus’ article
Understanding Deletions in ILM; however there is more that can be said on the subject of user accounts, for which an immediate delete is often not appropriate.

This article shows how you can use ILM to configure a flexible deprovisioning solution that is customized to your technical, organizational and compliance needs.

Account Deprovisioning Scenarios in this document

We are going to look at the following types of account deprovisioning:

1. Simple deletion
2. Disabling the account
3. Deleting the account on a time-delayed basis
4. Stopping ILM from managing the account without actually deleting it (disconnection)

Parts to the Account Deprovisioning Puzzle

Depending on your needs, you will most likely have to piece together a number of different elements to achieve the desired result.

Account Disabling:

Deactivating an object normally involves changing one or more of its attributes (eg.: setting userAccountControl on an AD user), and the usual way to do this is with an export attribute flow (EAF).

See code example “Disabling Flow Rules” below.

Moving deactivated accounts:

• A common practice is to put disabled accounts in a particular place, such as a “Disabled” OU.For AD this is a “Rename” activity, and is typically done in the metaverse
  extension code.
• For the “Stop management” scenario it is also possible to move the account just prior to disconnecting it in the MA Extension Deprovision method.

See code example “Metaverse Deprovisioning” below.
 

Deleting the connector space (CS) object:

• The first step to deleting an account is to delete the object that represents it in the connector space.This can happen in one of the following two ways:
  • The joined Metaverse object is deleted
  • The joined Metaverse object was disconnected, either manually or by using the
    CSEntry.Deprovision() method in the
    metaverse extension code.
• In both cases a deletion will only happen if the “Configure Deprovisioning” tab on the MA configuration has been set as follows:
  • “Stage a delete on the object for the next export run”, or
  • “Determine with a rules extension” AND the rules extension code returns
    DeprovisionAction.Delete.

 
See code example “MA Deprovision Sub” below
 
See “Metaverse Deprovisioning” for an example of the CSEntry.Deprovision() method.
 

Deleting the account in the connected data source (CDS):

• To delete the actual object in the CDS, we must first delete the connector space object using the methods above, after which we should find an export of type “delete” ready in the connector space.It is then just a matter of running an Export.
  • Note that the account used by the MA must have permission to delete objects of this type in the CDS.
  • Note also that if the MA is of type “Extensible Connectivity” you must write a Delete method in the Connected Data Source extension (see example below).

 
See code example “XMA Delete Method” below.
 

Time dependant deletion:

• Sometimes you want to delete an object on a certain date – perhaps an expiration date, or 3 months after the account was disabled.To do this you need the date available on the Metaverse object, which means you have to flow it into the Metaverse from somewhere.
  • An example for AD accounts is to use a spare attribute on the account, such as info or one of the extensionAttributes, to write the date at the same time as you disable the account.Flow this value back into the Metaverse and the information will be available.

 
See code example “Metaverse Deprovisioning” below.
 

Deprovisioning Scenarios

Simple Deprovision based on disappearance

The simplest deprovisioning scenario, and the one that can be executed without writing any code, is the “disappearance” scenario.

Here an object (or database line, or text file line) disappears from a source MA and is imported as a delete.

In the Metaverse we have configured our Object Deletion Rule as “Delete Metaverse object when connector from this management agent is disconnected” and selected our source MA.

Finally we have configured our other MAs to delete the CS objects when the Metaverse object is deleted.

In this way we could, for example, delete an AD account because the person’s record disappeared from the HR data source.

Caution: This method may lead to unexpected loss of accounts, temper and job!

As a general rule, it is a bad idea to make destructive decisions based on an absence of information. All sorts of errors, both human and machine, could happen to cause data to be unavailable at the time an Import runs. If you do use this simple approach, only use it for low-priority objects that can be deleted and recreated without much impact.

Deprovision based on attribute change

It is a much better practice to make deprovisioning decisions based on positive data.

So, with the HR data source, we continue to import resigned people, but with a status flag that indicates they are now inactive.

We then write some code in the metaverse extension which reacts to the person’s “inactive” status.

The great advantage to this method is the flexibility it gives us.

For example, we may deal with the person’s connected objects in different ways, deleting contacts and application accounts immediately
but, just disabling the AD user account until further notice.

Deprovisioning a connector space object from metaverse extension code is trivial – all you have to do is add the line

CSEntry.Deprovision()

The bulk of the code before this will be spent in testing attribute values, and connections to different MAs, to determine when conditions are right to issue this command.

Disable then delete

It is simple enough to disable an account using an EAF (see example “Disabling Flow Rules” below).

You could also move the account to a special location (see example “Metaverse Deprovisioning” below).

However what do you do if you want to remove the account at some point in the future?

The first thing to be aware of is you must not delete the metaverse object.

To be able to delete the disabled account in the future it has to be connected to something in the
metaverse.

ILM can only manage connectors.

Next, you will need some kind of datestamp on the metaverse object so your
metaverse extension code will know when it’s OK to delete the account.

The only way to write a value to a metaverse object is with an IAF – so this implies writing the
datestamp outside ILM, on a CDS object, and then importing it back in.

The method in the code examples below works like this:

1. Based on the status attribute in the Metaverse, I export the userAccountControl to disable the AD user account,
2. Based on the same rules, I also export today’s date to the user’s info attribute,
3. II import info back to a metaverse attribute called disableDate,
4. I can then use disableDate in my metaverse extension to decide when the time is right to issue a CSEntry.Deprovision().

There are a couple of points to note about this method:

• While disables will happen on a delta sync, deletions will only happen on a
  full sync.
• The CDS attribute used to hold the date could be modified in the CDS (though you can use this to your advantage if you want to extend the disabled life of an account).

Stop Managing an Object

In some cases object deletion is handled in the CDS itself and all you need to do is to stop managing the object.

In ILM terminology the object becomes a “disconnector” and, while it may still exist in the MA’s connector space, it is no longer connected to a Metaverse object, and ILM can no longer impact it in any way.

To disconnect rather than delete you actually use exactly the same CSEntry.Deprovision() method, but with the correct option selected on your MA’s Configure Deprovisioning page.

You could choose to:

• “Make them disconnectors”. The object is disconnected but remains in the CS and CDS.It will be reassessed for possible joins at each Full Sync,
• “Make them explicit disconnectors”.Like the above, but it will not be reassessed for possible joins, or
• Decide with a Rule Extension (see example “MA Deprovision Sub” below).

The “explicit” option needs a bit more discussion.

If ever you delete and re-import the CS all “explicit” tags will be lost and the objects become regular disconnectors again, and available for joins.

This option should only be chosen in particular circumstances, such as when there is a regular and reliable deletion of redundant objects happening in the CDS.

If you are sure that you will not need to rejoin to an object once it has been disconnected then another idea is to export a blocking attribute before disconnecting.

For example you export the string “Unmanaged” to an attribute on the CDS object, and only disconnect it once the attribute value is confirmed.

You can then use this attribute in a Connection Filter to prevent future re-connections.

Some Common Problems and Questions

I staged some Deletes but I don’t want to export them now

Perhaps there was an error in your code or your import data and you have a bunch of Deletes waiting to go out – but you really don’t want to do that!

Even after correcting the code and re-syncing you may find they turn into Delete-Adds – these should also not be exported as the actual CDS objects will be deleted and recreated – not great for AD accounts!

Unfortunately, the only full-proof fix in this case is a delete and re-import of the connector space.

I have some old accounts with no HR reference – will ILM delete them?

ILM can only delete objects that it is connected to, so if it never connected to the object it can never delete it.

If you plan to tidy up unmanaged objects in your CDS then have a look at the tool csexport.exe (from the MIIS\bin folder) which can be used to export lists of disconnectors.

How can I block an Export if there are too many Disables?

The Export run profile contains an option to stop the job if there are more than a certain number of Deletes queued to go out.

Unfortunately it is not possible to do something similar for disables with native functionality.

If something like this is needed then it should be possible to increment a count in a file from the EAF which deactivates the account, and then modify the script which runs the Export profile to first check the count.

Sideways Joins

A scenario you need to watch out for is what I call a “sideways join”.

Take a situation where the “person” object type has one source MA (eg.: HR) and multiple target MAs (AD, Notes, some other applications).

The source object has been deleted, but one or more of the target objects have remained and are still joined to a
metaverse object.

The problem here is that these objects won’t show up in lists of disconnectors and so can remain, unobserved, for some time.

If deprovisioning logic is based on a value from the source MA then, in a default configuration, this value would have been recalled and is no longer present on the Metaverse object – so your code is probably just skipping it.

When writing your metaverse extension code, it is a good idea to test for unexpected situations – like an object with no connector in the primary source MA – and then throw an error or otherwise deal with the object.

I can see Deletes staged in the connector space, but the objects don’t get deleted in the external system

First, look for error messages in Identity Manager and in the Event Log that may indicate the problem.

Make sure the account used by the MA has the correct permissions in the CDS.

If it’s an “Extensible Connectivity” MA, check that a Delete method has been written in the Connected Data Source Extension.

I disabled an AD user – now how do I remove it from groups?

This is one with no short answer.

You cannot manage the memberOf attribute on AD users as it is a backlinked attribute.

So group membership can only be managed through the member attribute of groups.

This is fine if you are already managing AD groups with ILM – but not ok if they are managed manually in AD.

One of the reasons to keep an account in a disabled state for a while is to allow it to be restored quickly with all its previous rights intact – so removing it from groups may not be the best idea anyway.

If it is necessary then the choices are to fully take over group management with ILM, or to write a script that removes disabled users from groups, and is run outside of ILM.

Code Examples

MA Deprovision Sub

In this example, when the Metaverse object is deleted or disconnected, accounts in the “Student” OU are deleted while accounts in the “Staff” OU become disconnectors.

This sub is located in the Management Agent Extension code.

Public Function Deprovision(ByVal csentry As CSEntry) As DeprovisionAction Implements IMASynchronization.Deprovision
   If csentry.DN.ToString.Contains("OU=Students") Then
      Return DeprovisionAction.Delete
   ElseIf csentry.DN.ToString.Contains("OU=Staff") Then
      ' Optionally, rename the cs object or change attributes
      ' just prior to disconnecting
      Return DeprovisionAction.Disconnect
   Else
      Throw New UnexpectedDataException("DN does not contain " _
      & "'OU=Staff' or 'OU=Students' so I don't know " _
      & "which deprovision action to perform.")
   End If
End Function

Metaverse Deprovisioning

In this example we use the user’s status attribute in the Metaverse to decide if the account should be moved to a “Disabled” OU.

(The actual account disabling is done by an EAF and the disableDate and
userAccountControl are flowed back by IAFs – see below.)

We then use the disableDate attribute on the metaverse object to decide when to perform the final deletion.

This example subroutine has been called from Sub Provision which is located in the Metaverse Extension code.

Private Sub User_Provisioning(ByVal mventry As MVEntry)
   Dim ADMA As ConnectedMA = mventry.ConnectedMAs("MyDomain")
   Dim expectedDN As ReferenceValue
   Dim ShouldExist As Boolean
   Dim DoesExist As Boolean
   Const OU_USERS As String = "OU=Users,OU=MyOrg,DC=mydomain,DC=com"
   Const OU_DISABLED As String = "OU=Disabled,OU=Users,OU=MyOrg,DC=mydomain,DC=com"
   Const KEEP_DISABLED_DAYS As Integer = 90

   '' Should the account exist?
   '' Inactive accounts should exist for KEEP_DISABLED_DAYS after being disabled.
   If mventry("status").IsPresent AndAlso mventry("status").StringValue = "Active" Then
      ShouldExist = True
   Else
      ShouldExist = False

      If MVEntry("userAccountControl").IsPresent AndAlso _
         MVEntry("disableDate").IsPresent Then

         If (MVEntry("userAccountControl").IntegerValue And ADS_UF_ACCOUNTDISABLE) = _
             ADS_UF_ACCOUNTDISABLE Then

            'Account disabled – allow to exist until deletion date
            ShouldExist = True

            Dim disabledDate As DateTime
            disabledDate = Convert.ToDateTime(MVEntry("disableDate").StringValue)
            If Now.Subtract(disabledDate).Days > KEEP_DISABLED_DAYS Then
               ShouldExist = False
            End If
         Else
            'Account enabled
            ShouldExist = True
         End If
      End If
   End If
   '' Check if the AD account already exists
   Select Case ADMA.Connectors.Count
      Case 0
         DoesExist = False
      Case 1
         DoesExist = True
      Case Else
         Throw New UnexpectedDataException("Multiple connectors in MA " & ADMA.Name)
   End Select

   '' Generate the expected DN for the user - to use in renaming or moving
   Dim RDN As String = "CN=" & mventry("displayName").StringValue

   If mventry("status").StringValue = "Active" Then
      expectedDN = ADMA.EscapeDNComponent(RDN).Concat(OU_USERS)
   Else
      expectedDN = ADMA.EscapeDNComponent(RDN).Concat(OU_DISABLED)
   End If

   '' Take action based on values of ShouldExist and DoesExist

   If ShouldExist And DoesExist Then
      'Check if account should be renamed or moved
      Dim CSEntry As CSEntry = ADMA.Connectors.ByIndex(0)
      If CSEntry.DN.ToString.ToLower <> expectedDN.ToString.ToLower Then
         CSEntry.DN = expectedDN
      End If

   ElseIf ShouldExist And Not DoesExist Then
      'Provision Account
      <...>

   ElseIf Not ShouldExist And DoesExist Then
      'Deprovision Account
      CSEntry.Deprovision()

   End If
 End Sub

Disabling Flow Rules

With these flow rules I disable an AD account and also write a date onto the object (I’m using info but you can use any free attribute) to indicate when it was disabled.

I also flow userAccountControl and info back into the metaverse so I have access to the values in my
metaverse extension code (above).

Public Sub MapAttributesForExport(ByVal FlowRuleName As String, ByVal mventry As MVEntry, ByVal csentry As CSEntry) Implements IMASynchronization.MapAttributesForExport

   Const ADS_UF_NORMAL_ACCOUNT As Long = &H200
   Const ADS_UF_ACCOUNTDISABLE As Long = &H2

   Select Case FlowRuleName

      Case "export_userAccountControl"
         Dim currentValue As Long

         If csentry("userAccountControl").IsPresent Then
            currentValue = csentry("userAccountControl").IntegerValue
         Else
            currentValue = ADS_UF_NORMAL_ACCOUNT
         End If

         If mventry("status").IsPresent AndAlso mventry("status").Value = "Active" Then
            ' Enable account
            csentry("userAccountControl").IntegerValue = _
            (currentValue Or ADS_UF_NORMAL_ACCOUNT) And (Not ADS_UF_ACCOUNTDISABLE)

         Else
            ' Disable account
            csentry("userAccountControl").IntegerValue = _
            currentValue Or ADS_UF_ACCOUNTDISABLE
         End If

      Case "export_info"
         If mventry("status").IsPresent AndAlso mventry("status").Value = "Active" _
            AndAlso csentry("info").IsPresent Then
            csentry("info").Delete()
         ElseIf mventry("status").Value = "Inactive" AndAlso _
            Not csentry("info").IsPresent Then
            csentry("info").StringValue = Now.ToString
         End If

      End Select
End Sub

XMA Delete Method

For an MA of type “Extensible Connectivity” you need to write your own routines for the export types
Add, Modify and Delete.

This example shows the Delete step for an XMA which manages home folders for user accounts.

The sub is found in the Connected Data Source Extension.

This example is a very simple deletion of the folder, but you could easily add extra code to, for example, move the folder to an archive location.

(If you want to see an example of the Add method see my blog:
Creating Home Directories)

 Public Sub ExportEntry(ByVal modificationType As ModificationType, ByVal changedAttributes As String(), ByVal csentry As CSEntry) Implements IMAExtensibleCallExport.ExportEntry

If modificationType = Microsoft.MetadirectoryServices.ModificationType.Add Then
' Create the folder

ElseIf modificationType = _
Microsoft.MetadirectoryServices.ModificationType.Delete Then
System.IO.Directory.Delete(csentry("path").StringValue, True)
End If

End Sub

About the Author

Carol Wapshere has been working in IT since 1990, and has since worked in many different organizations, across four different countries. She started out in Netware then moved into Microsoft server products, picking up an assortment of skills in other non-Microsoft systems along the way. She first started working with MIIS in 2005 and loved how it could be used to tie together disparate systems, bringing in much-needed order, and making lots of tedious jobs just disappear.

Thanks to Markus Vilcinskas and Peter Geelen for their help with this document.

If anyone happens to notice any weird content or broken or inappropriate links I’d be much obliged for a heads-up.

Thanks,  Carol.

I only hope I can find myself some good ILM 2 projects in 2009. The last few months of 2008 was all about Exchange, and next week I’m off on a SCOM course. Still, I’ve always said I love working in IT because I’m always learning something new!

Wishing all my readers a happy 2009, filled with the things that are really important.

If you have questions don’t forget the MS ILM Forum which seems to be working really well, with Ahmad and Markus providing lots of great answers. Wish that had existed when I started out with MIIS!

As some readers will be aware, I started this blog during a period of voluntary unemployment as a way of documenting all the things I’d learnt about MIIS in the previous 2 years. Partly it was for a memory aid for when I did get back into work, and partly it was to keep me occupied while accompanying a family member on extended hospital visits (may he RIP).

At the end of August my family relocated to Geneva, Switzerland, and I faced the prospect of job-hunting in a french speaking town. La mission a accompli (don’t be too impressed – I had to look that up on babelfish) and I’m now working for an IT Services company, based in the Suisse Romande area. They all speak french in the office and I’m getting a crash language course around the coffee machine every morning!

I’ve been promised some juicy ILM projects for next year, but in the meantime it’s all been general Windows server stuff, and correcting my collegues’ english (which is way better than my french) as a good percentage of the documents produced for clients must be written in english, befitting the international nature of many of the organisations here in Geneva.

But on to the primary topic of this post. The great thing about being back in a services company is the exposure I get to a range of different devices and applications. Recently I attended a demonstration of Cyber-Ark‘s Enterprise Password Vault (EPV), and it’s brought the whole field of Priviledged Password Management into my view.

EPV addresses a problem familiar to sytem admins and security auditors the world around – what the heck to do about all those admin accounts, system accounts, accounts that start services, accounts that are hard-coded into scripts to give DB access, pin-codes that you use once in a blue moon, but when you do you need it now! Many of us will have used the password-protected spreadsheet, the envelope in a locked filing cabinet, the passwords that are easy to remember, that are the same on every system, that don’t get changed nearly as often as they should. We may have all thought “gee this really isn’t that secure”, but the amount of work involved in manually resetting the passwords, and restarting the services, and updating the config files…. boy you feel tired just thinking about it.

So what does EPV do to answer this problem? Firstly, a place to securely store your passwords, and control who can access them, in “The Vault”. And secondly, a mechanism to proactively change these passwords to complex random ones, which can only be retrieved by visting The Vault, where you can be sure your every movement is being comprehensively authorised and logged. They even have a mechanism to remove passwords from code and scripts, enabled by a little client service that also has to go through the process of correct retrieval from The Vault.

What a great idea! But this sort of solution will cost you, and (from my experiments so far in a virtual environment) it’s not particularly straight-foward to install or configure. This seems like a relatively new field at present, with only a small number of companies in play – my searches have revealed only Cloakware, Symark and e-DMZ in addition to Cyber-Ark, though there may be others I didn’t uncover. I couldn’t find anything comparable in the open source world, though a person could probably cobble something together from the random password generators and encrypted DBs that are available.

Now you may be wondering what on earth this has to do with ILM/MIIS, and the answer, of course, is nothing – it’s just an identity-related topic that I’ve recently had the chance to consider. I did think that it would be nice if such a system could somehow hook into the PCNS, or if password changes could even be driven through ILM – but its not going to happen without Microsoft giving us the ability to write Password Extensions – and there may well be good security arguments for keeping things the way they are.

 A correction to this post…

You can now write Password Extensions! I’ve just installed ILM 2007 for the first time, and it’s right there in the  Developers Reference. This is a very useful and much needed function as it now means we can sync passwords to any connected data source!

NetPro Mission Control

MIIS is sorely lacking in a good management interface, and NetPro have addressed this need with Mission Control. Some observations:

• It runs in a web GUI, so is easily accessible by whoever should need it.
  It has the abilty to produce Visio maps of data flows – something that would be extremely useful in documenting an installation that has been allowed to get into a mess.
• There is a strong focus on auditing and reporting, with the ability to compare run times of like operations over different time periods (and no, you don’t need to keep months of Run History to do this – it stores that data in its own tables).
• It tracks all the changes made to the metaverse schema, management agents, DLLs. I wasn’t sure how useful this would be unless you have multiple people changing the server and no change control – and if that’s the case you’re probably in a  lot more trouble than this can help with.
• It apparently has the ability to schedule run profiles along with pre- and post-processing tasks. Unfortunately I was not able to see this demo’d – a pity as it’s (to my mind) the most useful feature.

Mission Control is licensed on the number of MAs it is managing. You buy a server license for the product, and then packs of 10 MA licenses.

Omada Identity Manager

I had a rather rushed demo of this but I think I got the general gist.

Omada have focused on providing an interface for the management of users and groups, that can then tie in to MIIS. Their product runs on a seperate server with it’s own SQL database and web interface. Through web forms, administrators are able to create users and assign them to appropriate Roles. An MA provides the connection back to MIIS allowing users and group memberships to flow where needed.

I’m not really sure what effect ILM r2 will have on this product, as it essentially has the same structure. I suppose Omada will maintain their niche with their emphasis on a Role-based structure and their support for SAP, and besides, ILM r2 is still 12-18 months off.

If enterprise Roles is something you need to consider, and your organisation currently has no systematic way of assigning them, then Omada could be well worth a look.

Centrify DirectControl Suite

DirectControl allows you to greatly simplify your directory sprawl by allowing non-Microsoft servers and applications to use AD as an authentication authority. It does this by introducing new objects called Zones into AD – though somehow without extending the schema – I’m not sure how that works.

I made the point that I could already get Linux and Unix servers authenticating to AD by using the Services for Unix, but apparently that is only with seriously pathetic security, and besides SFU is to be discontinued (I had not heard that…)

They seem to have a good range of apps and systems that the product integrates with – not just from the Unix/Linux world, but also Oracle, SAP, Mac OS and others. In the Windows ITPro magazine thoughtfully left in my conference bag, DirectControl was compared with products from Quest and Centeris and it came out tops.

In case you’re wonderinig what this has to do with MIIS, Centrify do have an MA that allows the Zones to be managed through it. Unfortunately this was yet another demo that couldn’t be produced on the day, so I just have their word for it.

Some general MIIS tips:

Keep Provisioning Logic out of the Provisioning Code
Monitoring MIIS
Keep That Run History Under Control!
Replicating MIIS To Another Server
The Art of Scheduling
Metaverse Design and Attribute Names

Some posts relating to SQL MAs:

Who needs Group Populator when you have Multivalue tables?
How to make SQL Delta tables
Combining DTS with MIIS Imports

Exchange specific:

Adding Exchange Mailboxes to Existing Accounts
Archiving Exchange Mailboxes with Exmerge

And..

Creating an Extensible MA
A Stylesheet for the Import and Export Logs
Introducing MiisApp (or how to write your own MIIS client app)

There’s probably more I could list, but that shouldn’t be a bad starting point.

I plan to pick up this blog again later in the year when, all things going to plan, I’ll be once again employed again in the fascinating area of Identity Management. If you want to know when I’m back at it again why don’t you add me to your Technorati Favorites.

 Thanks for reading,

 Carol

For personal reasons, I am now on the point of a period of voluntary unemployment. I am going to be busy with travel and family commitments, but in between I hope to document my lessons learnt and my various thoughts about IdM and MIIS.