How to remove values in eTADSPayload (Extended Attributes)

Article Id: 15835
Status: Published
Updated On: 27-02-2019 14:38
Legacy Id: TEC1693178
Products:
CA Identity Manager , CA Identity Governance , CA Identity Portal , CA Risk Analytics , CA Secure Cloud SaaS - Arcot A-OK (WebFort) , CA Secure Cloud SaaS - Advanced Authentication , CA Secure Cloud SaaS - Identity Management , CA Secure Cloud SaaS - Single Sign On
Issue/Introduction:

In a termination/offboarding use case, Active Directory accounts must be closed off but not deleted for future rehire. One of the actions in the process is to remove values of the extended attributes in payload.

An existing AD account contains those above values:

<Please see attached file for image>

pic1.PNG

 

The eTADSPayload would look like this in Provisioning Directory:

msExchPoliciesExcluded:01:0038={26491CFC-9E50-4857-861B-0CB8DF22B5D7};msExchRemoteRecipientType:01:0001=1;msExchUsageLocation:01:0002=AU;



How to remove those values?

Environment:

IM R12.6 SPx, 14.x . Information in this techdoc is tested on R12.6 SP2, 14.1, 14.2.

Resolution:

Those attributes cannot be removed but can be reset to a blank value using Policy Xpress (PX). Here is the story:

1. Create a PX that is triggered in a certain condition. In this techdoc, disabling a corporate user will fire the PX to re-set their account's payload

Select an appropriate event to trigger the PX, for example:

<Please see attached file for image>

pic2.PNG

 

Create relevant data elements to use in Action Rules, for example:

<Please see attached file for image>

pic3.PNG

Set appropriate conditions to invoke action rules, for example, userID contains "test" string and has disable status (=1).

 

<Please see attached file for image>

pic6.PNG

 

Add an Action Rule to reset the payload with blank values:

msExchPoliciesExcluded:01:0000=;msExchRemoteRecipientType:01:0000=;msExchUsageLocation:01:0000=; 

On 14.x the format has changed, you should use the following format instead:

{"name":"msExchPoliciesExcluded","value":""}^{"name":"msExchRemoteRecipientType","value":""}^{"name":"msExchUsageLocation","value":""}

Put the above data in the Value field of the payload:

 

<Please see attached file for image>

pic5.PNG

Save the PX.

2. Run a task to trigger the condition for the PX to fire. Verify that the attributes msExchPoliciesExcluded, msExchRemoteRecipientType, and msExchUsageLocation are set to <not set> in AD.

Additional Information:

There is a known bug on 14.x, which is recorded in DE401939, where all extended attributes in schema.ext are deleted with above-mentioned configured PX policy. At the time this article is written, this bug hasn't been listed in Release Notes document (https://docops.ca.com/ca-identity-manager/14-2/EN/release-information/release-notes-14-2-cumulative-patches). You may raise Support Call Ticket to get the fix.

insert_drive_file 1558689446666000015835_sktwi1f5rjvs16fxy.png
arrow_downward Download
insert_drive_file 1558689444923000015835_sktwi1f5rjvs16fxx.png
arrow_downward Download
insert_drive_file 1558689443179000015835_sktwi1f5rjvs16fxw.png
arrow_downward Download
insert_drive_file 1558689441329000015835_sktwi1f5rjvs16fxv.png
arrow_downward Download
insert_drive_file 1558689438353000015835_sktwi1f5rjvs16fxu.png
arrow_downward Download