{"id":76,"date":"2007-09-10T10:39:40","date_gmt":"2007-09-10T10:39:40","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=76"},"modified":"2023-01-16T09:11:10","modified_gmt":"2023-01-16T09:11:10","slug":"disappearance-from-the-cs-should-not-be-a-justification-for-object-deletion","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/disappearance-from-the-cs-should-not-be-a-justification-for-object-deletion","title":{"rendered":"Disappearance from the CS should not be a justification for object deletion!"},"content":{"rendered":"

I’ve found myself repeating this on MMSUG<\/a>\u00a0a couple of times recently, so a post is probably in order. Don’t go deleting everything just because a CS object disappears!<\/p>\n

There’s a dangerous little form in the Metaverse Design section of Identity Manager which allows you to set your Object Deletion Rule. By the simple expedient of clicking a radio button you can delete Metaverse objects just because the object (ie “connector”) disappeared from a nominated Connector Space.<\/p>\n

\"\"<\/p>\n

If you’ve also set your Management Agents to delete based on disappearance of the MV object, this deletion will then be replicated in all your connected directories.<\/p>\n

\"\"<\/p>\n

So why am I so worried about this? Let’s say, for example, that you are supplied with a daily text file from HR listing all current users. If a user is no longer on the list then what’s the problem with removing all their accounts?<\/p>\n

Take it from me (who accidentally disabled hundreds of user accounts using such a system) you need something more concrete when you’re going to start taking things away from people!<\/p>\n

The fact of the matter is, glitches occur. That text file generation could have been interrupted part-way through. Even if you’re going closer to the source, eg straight from a SQL table, you can run into problems with SQL replication and DTS packages. And lets not forget the sheer scope posed by human error! I’m also wondering if an incomplete Import step into MIIS could lead to CS objects temporarily going missing … I think not, but in Good Design we don’t take the chance.<\/p>\n

My proposal is that you figure out a way to get an extra Status<\/strong> field into your input data. This field should be used for tags such as “Active” and “Inactive”, as well as any other special-purpose flags you may see fit to introduce.<\/p>\n

Here’s what you need to do:<\/p>\n

1. Change that Metaverse Deletion Rule. You may need to write extension code (the third option), but I’ve only ever used the first option:<\/p>\n

\"\"<\/p>\n

2. It should be fine to leave the MA Deprovisioning rules set as shown above as you won’t be deleting the Meteverse object until all CS objects are gone.<\/p>\n

3. Create a Metaverse attribute and import flow rule for the Status field, so that it is flowed in along with other object data.<\/p>\n

4. You can now do a simple test, in your MVExtension code, before you proceed to anything destructive:<\/p>\n

If mventry(“Status”).Value = “Inactive” Then
\n\u00a0account disable\/delete instructions<\/em>
\nEnd If<\/p><\/blockquote>\n

5. If you wanted to, you could now use the disappearance theory as a way to clear out objects later on – just check first that a previous import has set the expected Status:<\/p>\n

If csobject Is Nothing\u00c2\u00a0AndAlso mventry(“Status”).Value = “Inactive” Then
\n\u00a0connector deletions<\/em>
\nEnd If<\/p><\/blockquote>\n

So, using this method, what happens if a few objects do go missing (accidentally or otherwise) from your input data?<\/p>\n