We use FIM for our provisioning/deprovisioning process. Since the ARS attribute 'edsvaDeprovisionType' automatically clears as soon as a user is deprovisioned (flips from 1 to null), FIM can't use the attribute to programmatically deprov a user, because FIM does not import null values. So, we used our own VA that stays on a value (1 or 0) for the deprov status and that works great (see script below).
We have since upgraded ARS to a version that supports undo deprovision and are in the same boat again. ARS uses the 'edsvaUnDeprovision' attribute to trigger an undo; however, it immediately goes to a null value upon completion, which will not work with FIM.
Since it has been a while since we put this in place, I'm a little rusty, and the new version (6.8) may have a better way to script it than we do today. Anyone have any ideas on modifying the script below to now incorporate an "UNDO" deprov process that FIM can use (and if needed, clean up the current script for deprov)? Also, I'm fine with suggestions on flipping it to using PowerShell instead.
Option Explicit
' Module-level scratch variable. Reprovision assigns the "AM"/"PM" suffix to it
' while building the timestamp; with Option Explicit it must be declared somewhere.
Dim strAMPM
' ================================================================================
' Script: Deprovisioning VA Management
'
' This script implements the amcvaDeprovision virtual attribute used to control
' deprovisioning and reactivation of user accounts in ARS from FIM
'
' Write side (onPreModify): a value of 1 calls Deprovision, a value of 0 calls
' Reprovision, any other value raises an error.
' Read side (onPostGet): the VA is returned as 1 when edsvaDeprovisionStatus can
' be read from the directory object without error, and as 0 otherwise.
'
' ================================================================================
' Custom errors used in this script
' Added to vbObjectError when onPreModify rejects an unknown command value
Const AMC_ERR_DEPROVISION_CMD = 1
' Names of custom attributes
' The virtual attribute that carries the 0/1 command and status
Const AMC_DEPROVISION_VA = "amcvaDeprovision"
' Names of ARS attributes
' Set to 1 by Deprovision to start deprovisioning
Const ARS_DEPROVISION_TYPE = "edsvaDeprovisionType"
' Cleared by Reprovision; read by GetDeprovisionStatus
Const ARS_DEPROVISION_STATUS = "edsvaDeprovisionStatus"
' Cleared by Reprovision
Const ARS_DEPROVISION_DELETE_DATE = "edsvaDeprovisionDeletionDate"
' ================================================================================
' ARS event handlers
' ================================================================================
Sub onPreModify(Request)
    ' Write-side handler for the amcvaDeprovision virtual attribute.
    '
    ' Request: the modify request being processed. Only requests on 'user'
    '          objects that carry a value for amcvaDeprovision are acted on.
    '
    ' Accepted values: 1 starts deprovisioning, 0 reactivates the account.
    ' Any other value raises vbObjectError + AMC_ERR_DEPROVISION_CMD.
    '
    ' NOTE(review): nothing in this handler checks who is submitting the
    ' request; presumably write access to the VA is restricted through ARS
    ' delegation - confirm, since writing 0 or 1 here changes account lifecycle.
    Dim requestedCommand, logLine

    ' Ignore every object class except 'user'
    If Request.Class <> "user" Then Exit Sub

    ' An Empty result is treated as "the VA is not part of this modify"
    requestedCommand = Request.Get(AMC_DEPROVISION_VA)
    If VarType(requestedCommand) = vbEmpty Then Exit Sub

    ' The submitted value is logged before it is validated
    logLine = "(onPreModify) deprovisionCommand = " & requestedCommand
    EventLog.ReportEvent EDS_EVENTLOG_INFORMATION_TYPE, logLine

    Select Case requestedCommand
        Case 1
            ' Start deprovisioning for this user object
            Deprovision(Request)
        Case 0
            ' Reactivate a deprovisioned user object
            Reprovision(Request)
        Case Else
            ' Unknown command: raise an error rather than guess an intent
            Err.Raise vbObjectError + AMC_ERR_DEPROVISION_CMD, AMC_DEPROVISION_VA, _
                "Invalid deprovision command value: " & requestedCommand
    End Select
End Sub
Sub onPostGet(Request)
    ' Read-side handler for the amcvaDeprovision virtual attribute.
    '
    ' Request: the get request being processed. The VA is filled in only for
    '          'user' objects and only when the caller asked for it.
    Dim statusRequested

    ' Ignore every object class except 'user'
    If Request.Class <> "user" Then Exit Sub

    ' Compute the status only when amcvaDeprovision was actually requested
    statusRequested = Request.IsAttributeRequested(AMC_DEPROVISION_VA)
    If statusRequested Then GetDeprovisionStatus(Request)
End Sub
' ================================================================================
' Deprovision
'
' This function triggers deprovisioning of the user object in ActiveRoles Server
' ================================================================================
Sub Deprovision(Request)
    ' Starts ARS deprovisioning for the user object of the current request.
    '
    ' Request: used here only for the user name written to the event log.
    '
    ' The change is made on DirObj, not on Request, and SetInfo commits it
    ' right away. This Sub is called from onPreModify, so the commit happens
    ' before the modify request that triggered it has been applied.
    ' No error handling is installed here, so a failure in Put or SetInfo
    ' propagates to the caller.
    Dim auditLine

    auditLine = "(Deprovision) Trigger deprovisioning for user " & Request.Name
    EventLog.ReportEvent EDS_EVENTLOG_INFORMATION_TYPE, auditLine

    ' Setting edsvaDeprovisionType to 1 is what triggers deprovisioning in ARS
    With DirObj
        .Put ARS_DEPROVISION_TYPE, 1
        .SetInfo
    End With
End Sub
' ================================================================================
' Reprovision
'
' This function reactivates a previously deprovisioned user object in
' ActiveRoles Server
' ================================================================================
Sub Reprovision(Request)
    ' Marks a previously deprovisioned user as reactivated.
    '
    ' Request: the modify request; the attribute changes below are added to it.
    '
    ' What this does: clears edsvaDeprovisionStatus and
    ' edsvaDeprovisionDeletionDate and replaces 'description' with a
    ' "Reactivated - <timestamp>" marker. Nothing else is changed here, so
    ' whatever deprovisioning altered on the account is not reversed by this
    ' Sub, and any previous description text is overwritten.
    '
    ' Side effect: assigns the module-level variable strAMPM.
    Dim reactivatedAt, dayText, clockText, stampText

    EventLog.ReportEvent EDS_EVENTLOG_INFORMATION_TYPE, _
        "(Reprovision) Reactivate deprovisioned user " & Request.Name

    ' Clear the ARS deprovisioning status attributes
    Request.PutEx ADS_PROPERTY_CLEAR, ARS_DEPROVISION_STATUS, vbNullString
    Request.PutEx ADS_PROPERTY_CLEAR, ARS_DEPROVISION_DELETE_DATE, vbNullString

    reactivatedAt = now()

    ' AM/PM suffix; note the hour itself is still written in 24-hour form
    ' below (DatePart("h") yields 0-23), e.g. "14:05:09 PM"
    strAMPM = "AM"
    If DatePart("h", reactivatedAt) >= 12 Then strAMPM = "PM"

    ' Zero-padded MM/DD/YYYY
    dayText = Right("0" & DatePart("m", reactivatedAt), 2) & "/" & _
              Right("0" & DatePart("d", reactivatedAt), 2) & "/" & _
              Right("000" & DatePart("yyyy", reactivatedAt), 4)

    ' Zero-padded HH:MM:SS
    clockText = Right("0" & DatePart("h", reactivatedAt), 2) & ":" & _
                Right("0" & DatePart("n", reactivatedAt), 2) & ":" & _
                Right("0" & DatePart("s", reactivatedAt), 2)

    stampText = dayText & " " & clockText & " " & strAMPM

    ' Stamp the reactivation time into the description attribute
    Request.Put "description", "Reactivated - " & stampText
End Sub
' ================================================================================
' GetDeprovisionStatus
'
' This function returns the deprovisioning status for the user account
' ================================================================================
Sub GetDeprovisionStatus(Request)
' Fills amcvaDeprovision in Request with 1 or 0, depending on whether
' edsvaDeprovisionStatus could be read from DirObj without an error.
'
' Request: the get request that receives the computed VA value.
'
' From here on, runtime errors do not abort the Sub; they are only recorded in Err
On Error Resume Next
Dim deprovisionStatus
' Retrieve the value of the attribute edsvaDeprovisionStatus
' and set the attribute amcvaDeprovision in the object Request to that value
Err.Clear
DirObj.GetInfoEx Array(ARS_DEPROVISION_STATUS), 0
' The value read here is never inspected; only whether reading it failed matters
deprovisionStatus= DirObj.Get(ARS_DEPROVISION_STATUS)
' Err is not cleared between the two calls above, so a failure in either
' GetInfoEx or Get leads to the Else branch.
' NOTE(review): this reports 0 ("not deprovisioned") for every kind of error,
' not only for an unset attribute. A read failure with another cause would
' presumably also surface as 0 to the consumer of this VA - confirm which
' error the provider raises for an unset attribute and treat other errors
' separately (at least log them) before a sync engine acts on the value.
If Err.Number = 0 Then
' Attribute readable, whatever it holds: report "deprovisioned"
Request.Put AMC_DEPROVISION_VA, 1
Else
' Any error: report "not deprovisioned"
Request.Put AMC_DEPROVISION_VA, 0
End If
End Sub