How to remove values in eTADSPayload (Extended Attributes)

Article ID: 15835

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

In a termination/offboarding use case, Active Directory accounts must be closed off but not deleted, so that they can be reused if the person is rehired. One of the actions in the process is to remove the values of the extended attributes in the payload.

An existing AD account contains the following values:

[Image: pic1.PNG (see attached file)]

The eTADSPayload would look like this in the Provisioning Directory:

msExchPoliciesExcluded:01:0038={26491CFC-9E50-4857-861B-0CB8DF22B5D7};msExchRemoteRecipientType:01:0001=1;msExchUsageLocation:01:0002=AU;



How can these values be removed?

Environment

IM R12.6 SPx, 14.x. The information in this techdoc was tested on R12.6 SP2, 14.1, 14.2.

Resolution

These attributes cannot be removed, but they can be reset to a blank value using Policy Xpress (PX). The steps are as follows:

1. Create a PX that is triggered under a certain condition. In this techdoc, disabling a corporate user fires the PX to reset their account's payload.

Select an appropriate event to trigger the PX, for example:

[Image: pic2.PNG (see attached file)]

Create relevant data elements to use in Action Rules, for example:

[Image: pic3.PNG (see attached file)]

Set appropriate conditions to invoke the action rules, for example, the userID contains the string "test" and the user has disabled status (=1).

[Image: pic6.PNG (see attached file)]

Add an Action Rule to reset the payload with blank values:

msExchPoliciesExcluded:01:0000=;msExchRemoteRecipientType:01:0000=;msExchUsageLocation:01:0000=; 

On 14.x the format has changed. Use the following format instead:

{"name":"msExchPoliciesExcluded","value":""}^{"name":"msExchRemoteRecipientType","value":""}^{"name":"msExchUsageLocation","value":""}

Put the above data in the Value field of the payload:

[Image: pic5.PNG (see attached file)]

Save the PX.

2. Run a task to trigger the condition for the PX to fire. Verify that the attributes msExchPoliciesExcluded, msExchRemoteRecipientType, and msExchUsageLocation are set to <not set> in AD.
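The two Value-field strings from step 1 can be generated from the payload as it appears in the Provisioning Directory. The following is an added example, not CA/Broadcom code: the function names are hypothetical, and reading the four-digit field as the value length is an assumption inferred from the sample payload above (0038, 0001, 0002).

```python
import json
import re

# Constructed sample: the payload string shown above (Provisioning Directory form).
SAMPLE = ("msExchPoliciesExcluded:01:0038={26491CFC-9E50-4857-861B-0CB8DF22B5D7};"
          "msExchRemoteRecipientType:01:0001=1;msExchUsageLocation:01:0002=AU;")

_HEADER = re.compile(r"([A-Za-z][\w-]*):(\d{2}):(\d{4})=")


def parse_payload(payload):
    """Split a legacy payload into (name, value) pairs.

    Assumption: the 4-digit field is the value length, which matches every
    entry in the article's sample (0038, 0001, 0002). Reading by length keeps
    a ';' inside a value from being mistaken for the entry separator.
    """
    pairs, pos = [], 0
    while pos < len(payload):
        m = _HEADER.match(payload, pos)
        if not m:
            raise ValueError(f"unexpected text at offset {pos}")
        end = m.end() + int(m.group(3))
        if payload[end:end + 1] != ";":
            raise ValueError(f"length mismatch for {m.group(1)}")
        pairs.append((m.group(1), payload[m.end():end]))
        pos = end + 1
    return pairs


def reset_legacy(names):
    """Blank-value string in the R12.6 form used in the Action Rule above."""
    return "".join(f"{n}:01:0000=;" for n in names)


def reset_14x(names):
    """Blank-value string in the 14.x form: JSON objects joined by '^'."""
    return "^".join(json.dumps({"name": n, "value": ""}, separators=(",", ":"))
                    for n in names)


if __name__ == "__main__":
    names = [n for n, _ in parse_payload(SAMPLE)]
    print(reset_legacy(names))
    print(reset_14x(names))
```

Comparing the parsed attribute names against the intended list before saving the PX confirms that the reset string names only the attributes meant to be blanked.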

Additional Information

There is a known bug on 14.x, recorded as DE401939, in which all extended attributes in schema.ext are deleted by the PX policy configured as described above. At the time this article was written, this bug had not been listed in the Release Notes document (https://docops.ca.com/ca-identity-manager/14-2/EN/release-information/release-notes-14-2-cumulative-patches). You may raise a Support ticket to get the fix.

Attachments

1558689446666000015835_sktwi1f5rjvs16fxy.png
1558689444923000015835_sktwi1f5rjvs16fxx.png
1558689443179000015835_sktwi1f5rjvs16fxw.png
1558689441329000015835_sktwi1f5rjvs16fxv.png
1558689438353000015835_sktwi1f5rjvs16fxu.png