5.9 SecretStore Deprovisioning

There are many scenarios in which a policy deletes a user account in a connected application while the Identity Vault account remains. In the Finance scenario, the requirement is to delete the GroupWise account and deprovision the SecretStore credentials when the value of the user's Identity Vault employeeStatus attribute is set to "I". To handle this, the GroupWise driver's Subscriber Event Transformation contains a policy that transforms the modify of that attribute value into an object delete. Because the eDirectory account name is still needed after the <delete> command has completed, an <operation-data> element must be set on the <delete> command so that the name is available to the SecretStore deprovisioning policy in the Input Transformation policy.

    <operation-data>
      <nss-sync-data>
        <nss-target-user-dn>cn=GLCANYON,ou=finance,o=Testco Financials</nss-target-user-dn>
      </nss-sync-data>
    </operation-data>

The policy that transforms the <modify> event into a <delete> and creates this element is available in XML format in a file called SampleSubEventTransform.xml in the cred_prov folder of the utilities directory on the Identity Manager 3.0 Support Pack 1 media.
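The following Python script is an added illustration and is not part of the original document, not DirXML Script, and not Novell's sample policy. It models the data flow of the two policies described above on XDS documents: the Subscriber Event Transformation turns a modify of employeeStatus to "I" into a <delete> carrying the <operation-data> element shown above, and the Input Transformation reads that element back from the <status> the engine returns for the command (the engine echoes a command's <operation-data> onto its status) and removes the user's entry from a SecretStore that is modelled here as an in-memory dictionary. The sample events, DNs and event-id are constructed; the example assumes the modify event carries a qualified-src-dn attribute from which the LDAP-form DN is derived.

```python
"""Added example: models the Subscriber Event Transformation (modify -> delete
with operation-data) and the Input Transformation (deprovision SecretStore
credentials for the DN carried in operation-data). Not the product's code."""
import xml.etree.ElementTree as ET

TERMINATED_STATUS = "I"
OP_DATA_PATH = "operation-data/nss-sync-data/nss-target-user-dn"

# Constructed sample Subscriber-channel <modify> event (DNs and event-id are made up).
SAMPLE_MODIFY = """<nds dtdversion="3.5">
 <input>
  <modify class-name="User" event-id="ex-1"
          src-dn="\\TESTCO\\Testco Financials\\finance\\GLCANYON"
          qualified-src-dn="O=Testco Financials\\OU=finance\\CN=GLCANYON">
   <association>GLCANYON</association>
   <modify-attr attr-name="employeeStatus">
    <remove-all-values/>
    <add-value><value type="string">I</value></add-value>
   </modify-attr>
  </modify>
 </input>
</nds>"""

# Constructed sample <status> returned for the delete; the engine echoes the
# command's <operation-data> onto the status so the Input Transformation can read it.
SAMPLE_STATUS = """<nds dtdversion="3.5">
 <output>
  <status event-id="ex-1" level="success">
   <operation-data>
    <nss-sync-data>
     <nss-target-user-dn>cn=GLCANYON,ou=finance,o=Testco Financials</nss-target-user-dn>
    </nss-sync-data>
   </operation-data>
  </status>
 </output>
</nds>"""


def qualified_to_ldap_dn(qualified_dn):
    """'O=Testco Financials\\OU=finance\\CN=GLCANYON' -> 'cn=GLCANYON,ou=finance,o=Testco Financials'."""
    parts = []
    for rdn in reversed(qualified_dn.split("\\")):
        kind, _, name = rdn.partition("=")
        parts.append(f"{kind.lower()}={name}")
    return ",".join(parts)


def is_deactivation(modify):
    """True when the modify sets employeeStatus to the terminated value."""
    for mod in modify.findall("modify-attr[@attr-name='employeeStatus']"):
        for value in mod.findall("add-value/value"):
            if (value.text or "").strip() == TERMINATED_STATUS:
                return True
    return False


def transform_modify_to_delete(xds_xml):
    """Subscriber Event Transformation: replace qualifying <modify> commands with a
    <delete> that carries the association and the nss-sync-data operation-data."""
    root = ET.fromstring(xds_xml)
    container = root.find("input")
    for modify in list(container.findall("modify")):
        if not is_deactivation(modify):
            continue  # unrelated modifies pass through unchanged
        delete = ET.Element("delete")
        for attr in ("class-name", "event-id", "src-dn", "qualified-src-dn"):
            if attr in modify.attrib:
                delete.set(attr, modify.get(attr))
        assoc = modify.find("association")
        if assoc is not None:  # the shim needs the association to find the GroupWise account
            modify.remove(assoc)
            delete.append(assoc)
        op_data = ET.SubElement(delete, "operation-data")
        sync = ET.SubElement(op_data, "nss-sync-data")
        ET.SubElement(sync, "nss-target-user-dn").text = qualified_to_ldap_dn(
            modify.get("qualified-src-dn"))
        position = list(container).index(modify)
        container.remove(modify)
        container.insert(position, delete)
    return ET.tostring(root, encoding="unicode")


def nss_target_user_dns(xds_xml, command):
    """Return the nss-target-user-dn values carried by <command> elements.
    For <status> only successful results count: credentials must not be cleared
    when the connected-system delete failed."""
    root = ET.fromstring(xds_xml)
    found = []
    for element in root.iter(command):
        if command == "status" and element.get("level") != "success":
            continue
        for dn_el in element.findall(OP_DATA_PATH):
            if dn_el.text and dn_el.text.strip():
                found.append(dn_el.text.strip())
    return found


def deprovision_secretstore(status_xml, secret_store):
    """Input Transformation: drop the SecretStore entries (dict keyed by user DN,
    a constructed model) for every DN named in a successful status; return them."""
    removed = {}
    for dn in nss_target_user_dns(status_xml, "status"):
        if dn in secret_store:
            removed[dn] = secret_store.pop(dn)
    return removed


if __name__ == "__main__":
    print(transform_modify_to_delete(SAMPLE_MODIFY))
    store = {"cn=GLCANYON,ou=finance,o=Testco Financials": {"GroupWise": "<secret>"}}
    print(deprovision_secretstore(SAMPLE_STATUS, store), store)
```

The status-level check is the caveat worth keeping when writing the real Input Transformation policy: if the GroupWise delete is reported as an error, the credentials should stay in place so the operation can be retried rather than leaving the account alive with its secrets already gone.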

After the policy is created, proceed to Section 6.0, Managing Novell Credential Provisioning Policies.