Condividi tramite


Deprovisioning Rules

With deprovisioning rules, you can manage, or clean up, connector space objects after they have been disconnected from a metaverse object under certain circumstances. In some cases you might want to remove the connector space object permanently. In other cases you might want to keep the connector space object in a disconnected state, and have it available to link to a metaverse object at a later time.

When deprovisioning rules are called

Deprovisioning rules are called in the following circumstances:

  • The metaverse object is deleted. For example, if an object in connector space A is disconnected from the metaverse, and the object deletion rule causes the metaverse object to be deleted, the deprovisioning rules for management agent A will be called.

  • Provisioning rules disconnect the connector space object from the metaverse object that it is linked to. For example, you might have your provisioning rules configured to provision user objects from connector space A to connector space B, and you might also have your provisioning rules configured such that if the attribute EmployeeStatus is set to a certain value on an object in connector space B, then that connector space object will be disconnected. If a subsequent delta import to connector space A causes the attribute EmployeeStatus to be set to the specified value, the object in connector space B will be disconnected, and the deprovisioning rules for management agent B will be called.

When deprovisioning rules are not called

Deprovisioning rules are not called in the following circumstances:

  • The connector space object is manually disconnected from the metaverse object. For example, you can use Metaverse Search to locate a metaverse object and view its properties, and to disconnect the object in a specified connector space, or management agent. In this case, deprovisioning rules for the specified connector space, or management agent, will not be called.

  • The connector space object is disconnected due to a connector filter rule. For example, during an import process an attribute is modified which satisfies the connector filter rule, which disconnects the connector space object from the metaverse object. In this case, deprovisioning rules for the specified connector space, or management agent, will not be called.

  • The management agent is deleted. When a management agent is deleted, all connector space objects are removed during the deletion process. In this case, deprovisioning rules for the management agent will not be called.

Warning

Deleting a connector space object through deprovisioning might cause other management agent rules or metaverse rules to be called, which could result in deprovisioning rules being called for another management agent. Review your management agent rules and metaverse rules to understand the impact of their dependencies when creating deprovisioning rules.

Configuration options for deprovisioning rules

Deprovisioning rules are configured when you create or modify a management agent by using Management Agent Designer. The options for deprovisioning rules are listed in the following table.

Action Result

Make them disconnectors

The disconnector object is subject to join and projection rules the next time you run the management agent. This is the default behavior.

Make them explicit disconnectors

The explicit disconnector object is not subject to the management agent's join and projection rules on subsequent runs. If you want to link this object to a metaverse object again, you must use Joiner.

Stage a delete on the object for the next export run

The object becomes an explicit disconnector and a delete operation will be staged for export to the connected data source. At the next export, the object will be deleted from the connected data source, and then the connector space object will be deleted during the next import. The metaverse object that the connector space object was linked to might now be subject to object deletion rules. For more information about object deletion rules, see Object Deletion Rules.

Determine with a rules extension

With this option, you can evaluate the connector space object before selecting an action to perform. After evaluating the object, you can make it a disconnector object, stage it for deletion, rename the object to a deleted objects container, or modify the object's attributes (for example, you can set a user account to disabled). For more information, see Rules Extensions.

For example, you have management agents configured to provision objects from connected data source A to connected data source B. The deprovisioning rule for management agent A is set to Make them explicit disconnectors, while the deprovisioning rule for management agent B is set to Stage a delete on the object for the next export run. When an object in connector space A then becomes disconnected, provisioning rules are called and the connector space objects from both connector space A and connector space B are disconnected. Deprovisioning rules are then called, and the object in connector space A becomes an explicit disconnector, and the object in connector space B becomes a deletion, staged for export.

The following flow chart shows the sequence in which management agent rules are applied.

Management agent rules

Attribute recall

By default, when a connector space object is disconnected from a metaverse object, all of the attribute values that the connector space object contributed to the metaverse object are recalled from the metaverse object. If there are any Import Attribute Flow rules for these attributes configured on other management agents who have connector space objects linked to this metaverse object, these will be evaluated in order according to the attribute precedence settings to repopulate the metaverse with values for these attributes. The rules engine will process all of the connector space objects until the attributes are repopulated or the available connector space objects are exhausted.

When an attribute is configured for equal precedence, the rules engine will not repopulate the metaverse using objects linked to the metaverse object. In order to maintain the rules of equal precedence, the rules engine will allow subsequent synchronizations to populate the metaverse.

However, there are certain scenarios where you would need the attribute values to remain in the metaverse, even though the source for those attribute values has been disconnected. For example, you might import user accounts from one directory in order to populate another directory. After the initial migration, you delete the accounts from the source directory. By default, the objects in the source connector space are disconnected, and the attributes contributed by them are recalled from the linked metaverse objects. By selecting the option in the Management Agent Designer to not recall attributes upon disconnection, the objects can be safely disconnected in the source connector space without affecting the attribute values in the metaverse objects.

Note

Attribute recall does not affect the role of attribute flow precedence. Lower precedence data sources will continue to be prevented from replacing higher precedence values that are left by a disconnected or deleted connector space object, and higher precedence data sources can replace the values.