Dredging for Inactive Accounts
Novell Cool Solutions: Feature
By Rob Schneider
Digg This -
Posted: 7 Nov 2007
We need a way to "dredge" the tree for accounts that have been inactivated for longer than 60 days, and flag them for deletion (or, actually delete them if you want to modify the code).
Use a combination of a "Job" injecting a trigger, and a policy acting on that trigger.
The Job inserts a "Subscriber Channel Trigger" with the name "AAA Account Delete". I happen to have this job on my work order driver. Which driver you run a job from is MOSTLY moot. It is CRITICAL that it is not on the same driver as that which takes action when the Employee Status changes. If it were, loopback protection would make this ineffective. From a best practices perspective, it might make sense to consolidate ALL jobs in a single driver.
The Policy, (conveniently on the Subscriber Channel Event Transform, so that it sees the injected trigger) queries a container specified, looking for all users with employeeStatus "I". It then tests those users to see if the "inactiveDate" (a time attribute automatically set in other drivers when a user is flagged "I") is 60 days or more prior to today's date. I suppose if you want to make this policy portable across multiple environments, it could be improved by referring to a number of GCV's, especially for the query container. But then again, if you have multiple jobs and each queries a different container ... there may be diminishing returns on GCV'ing.
Notes on content of the policy below:
- "AAA Account delete" is the name of the "Job". While my policy COULD get away with only checking for this text appearing on the subscriber channel, narrowing the number of possible hits by also including "if operation=trigger" assures more accurate application of the job.
- $current is current time. Note that you need the name spaces defined to call the Java classes that set your times.
- $inactiveTest is $current minus 60 days (-50400000 seconds).
- employeeStatus can be A, I or D ... your logic may vary. Responses to this value being set by other drivers/methods are handled in other drivers. This policy's purpose is limited to setting the flag to "D" when criteria are met.
Note: Special thanks to Father Ramon for assistance working through the creation of this policy.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.policybuilder_126.96.36.199709271226\DTD\dirxmlscript.dtd"><policy xmlns:jSystem="http://www.novell.com/nxsl/java/java.lang.System" xmlns:jdate="http://www.novell.com/nxsl/java/java.util.Date" xmlns:jformat="http://www.novell.com/nxsl/java/java.text.SimpleDateFormat" xmlns:jtimezone="http://www.novell.com/nxsl/java/java.util.TimeZone"> <rule> <description>Inactive 60 Days -- Set Employee Status = D</description> <comment xml:space="preserve">If an account has been inactive for 60 days, it is considered for Deletion, which in this system means it will be moved to the RETIRED container. That activity is handled elsewhere, as there may be OTHER sources of setting this attribute to a "D" which would be missed if we incorporated the move in this rule...</comment> <conditions> <and> <if-operation mode="case" op="equal">trigger</if-operation> <if-xpath op="true">"AAA Account Delete"</if-xpath> </and> </conditions> <actions> <do-set-local-variable name="current" scope="policy"> <arg-string> <token-xpath expression="round(jdate:getTime(jdate:new()) div 1000)"/> </arg-string> </do-set-local-variable> <do-set-local-variable name="inactiveTest" scope="policy"> <arg-string> <token-xpath expression="$current - '5040000'"/> </arg-string> </do-set-local-variable> <do-for-each> <arg-node-set> <token-query class-name="User" datastore="src" max-result-count="50"> <arg-dn> <token-text xml:space="preserve">data\usr\test</token-text> </arg-dn> <arg-match-attr name="employeeStatus"> <arg-value type="string"> <token-text xml:space="preserve">I</token-text> </arg-value> </arg-match-attr> <arg-string> <token-text xml:space="preserve">AAAInactiveTime</token-text> </arg-string> </token-query> </arg-node-set> <arg-actions> <do-set-local-variable name="dn" scope="policy"> <arg-string> <token-xpath expression="$current-node/@src-dn"/> </arg-string> </do-set-local-variable> <do-set-local-variable name="InactiveDate" scope="policy"> <arg-string> <token-src-attr name="AAAInactiveTime"> <arg-dn> <token-local-variable name="dn"/> </arg-dn> </token-src-attr> </arg-string> </do-set-local-variable> <do-if> <arg-conditions> <and> <if-local-variable mode="numeric" name="InactiveDate" op="lt">$inactiveTest$</if-local-variable> </and> </arg-conditions> <arg-actions> <do-set-src-attr-value name="employeeStatus"> <arg-dn> <token-local-variable name="dn"/> </arg-dn> <arg-value> <token-text xml:space="preserve">D</token-text> </arg-value> </do-set-src-attr-value> </arg-actions> </do-if> </arg-actions> </do-for-each> </actions> </rule> </policy>
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com