Many scenarios call for a policy that deletes a user account in a connected application while the Identity Vault account remains. In the Finance scenario, the SAP User account must be deleted and the SecureLogin credentials deprovisioned when the User's Identity Vault employeeStatus attribute value is set to “I”. To handle this situation, the SAP User driver's Subscriber Event Transformation contains a policy that transforms the attribute modify event into an object delete. Because the Active Directory account name is still needed after the <delete> command is completed, the <operation-data> element must be set on the <delete> command so that the account name is available to the SecureLogin deprovisioning policy in the Input Transformation policy.
<operation-data>
  <nsl-sync-data>
    <nsl-target-user-dn>cn=GLCANYON,ou=finance,dc=prod,dc=testco,dc=com</nsl-target-user-dn>
  </nsl-sync-data>
</operation-data>
The policy for transforming the <modify> event into a <delete> and creating this element is available in the sample Credential Provisioning policies in the SampleSubEventTransform.xml file.
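As an added illustration (not the contents of SampleSubEventTransform.xml and not Novell's policy code), the following Python example applies the same transformation to a constructed XDS document, including the case where the value “I” is removed rather than set. The event-id, src-dn and association values and the function names are assumptions made for the example; in the driver this logic lives in the Subscriber Event Transformation policy.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample event: employeeStatus is being set to "I".
# The event-id, src-dn and association values are made up for this example.
SAMPLE_MODIFY = r"""<nds dtdversion="2.0">
  <input>
    <modify class-name="User" event-id="sample-1" src-dn="\TESTCO\finance\GLCANYON">
      <association>GLCANYON</association>
      <modify-attr attr-name="employeeStatus">
        <remove-all-values/>
        <add-value><value type="string">I</value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>"""

def modify_to_delete(event, target_user_dn, attr="employeeStatus", trigger="I"):
    """Turn a <modify> that sets attr to trigger into a <delete>; else return it as is."""
    if event.tag != "modify":
        return event
    added = [v.text.strip()
             for ma in event.findall("modify-attr") if ma.get("attr-name") == attr
             for v in ma.findall("add-value/value") if v.text]
    if trigger not in added:  # removing "I" or setting another value is not a delete
        return event
    delete = ET.Element("delete", dict(event.attrib))
    assoc = event.find("association")
    if assoc is not None:  # the association identifies the SAP account to remove
        delete.append(copy.deepcopy(assoc))
    # Keep any existing operation-data and add the DN the later policy needs.
    op = event.find("operation-data")
    op = copy.deepcopy(op) if op is not None else ET.Element("operation-data")
    sync = ET.SubElement(op, "nsl-sync-data")
    ET.SubElement(sync, "nsl-target-user-dn").text = target_user_dn
    delete.append(op)
    return delete

def transform(xds_text, target_user_dn):
    """Apply modify_to_delete to every event under <input>; return the root element."""
    root = ET.fromstring(xds_text)
    for parent in root.iter("input"):
        for i, child in enumerate(list(parent)):
            parent[i] = modify_to_delete(child, target_user_dn)
    return root

if __name__ == "__main__":
    dn = "cn=GLCANYON,ou=finance,dc=prod,dc=testco,dc=com"
    print(ET.tostring(transform(SAMPLE_MODIFY, dn), encoding="unicode"))
```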
After the policy is created, proceed to Section 6.0, Managing Novell Credential Provisioning Policies.