
| | Value |
|---|---|
| GUID | 8ee5929d98814d69aea5d9f72921c8ff |
| Scheduled by default | yes |
| Interval in seconds | 30 |
| Concurrent | no |
| Parameters | uint[] with Identity Ids |

Work Items

There are 3 actions that are done by this task.

All of these actions operate on, and more or less extend, the collection of resource assignments that are suspected as 'to-be-deprovisioned'. This collection is described below and is named PrimaryAssignments.

Primary filter for resource assignments

...

If an assignment from AssignmentsWithDeprovisioningDelay does not have MarkedForDeprovisioningDate, it will be removed from the PrimaryAssignments collection and added to AssignmentsToMarkForDeprovisioning.

Also, if it does have MarkedForDeprovisioningDate but its time has not come yet, it will be removed from the PrimaryAssignments collection.

Remove Assignments That Should be Kept Because of Role Assignment

There can be a situation described in IMS-6906. To fix it, there is a filter that removes assignments from PrimaryAssignments if they are there because of a valid role assignment.

Searching for valid role assignments:

| Servicedmcore_RoleAssignments | Condition |
|---|---|
| Deny | is false |
| Ignore | is false |
| ValidFrom, ValidTo | NOW is between ValidFrom and ValidTo |
| State | New OR Assigned OR PendingAssignment OR PendingApproval |

Assignment reasons are gathered for these valid role assignments.

Resource assignments that have one of these valid role assignments as their AssignmentReason will be removed from PrimaryAssignments (and so will not be deprovisioned).
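The filter described above, sketched in Python as an added example (not code from the product). The class, field and function names are hypothetical, the sample rows are constructed, and "between" is assumed to be inclusive.

```python
from dataclasses import dataclass
from datetime import datetime

VALID_STATES = {"New", "Assigned", "PendingAssignment", "PendingApproval"}  # per the table above

@dataclass(frozen=True)
class RoleAssignment:  # hypothetical model of one role assignment row
    id: int
    deny: bool
    ignore: bool
    valid_from: datetime
    valid_to: datetime
    state: str

@dataclass(frozen=True)
class ResourceAssignment:  # hypothetical; reason_role_ids stands in for AssignmentReason
    id: int
    reason_role_ids: frozenset

def is_valid_role_assignment(ra, now):  # assumes "between" is inclusive at both ends
    return (not ra.deny and not ra.ignore
            and ra.valid_from <= now <= ra.valid_to
            and ra.state in VALID_STATES)

def remove_kept_by_role(primary, role_assignments, now):
    """Drop from PrimaryAssignments every entry backed by a valid role assignment."""
    valid_ids = {ra.id for ra in role_assignments if is_valid_role_assignment(ra, now)}
    return [a for a in primary if not (a.reason_role_ids & valid_ids)]

# Constructed sample data (not taken from a real system).
NOW = datetime(2024, 6, 1)
Y23, Y24, Y25 = datetime(2023, 1, 1), datetime(2024, 1, 1), datetime(2025, 1, 1)
ROLES = [
    RoleAssignment(1, False, False, Y24, Y25, "Assigned"),  # valid
    RoleAssignment(2, False, False, Y23, Y24, "Assigned"),  # validity window expired
    RoleAssignment(3, True, False, Y24, Y25, "Assigned"),   # Deny is true
    RoleAssignment(4, False, False, Y24, Y25, "Rejected"),  # constructed state, not in the list
]
PRIMARY = [
    ResourceAssignment(10, frozenset({1})),     # kept: valid role 1
    ResourceAssignment(11, frozenset({2})),     # stays: only an expired role
    ResourceAssignment(12, frozenset({3, 4})),  # stays: Deny / invalid state
    ResourceAssignment(13, frozenset({1, 2})),  # kept: one valid reason is enough
    ResourceAssignment(14, frozenset()),        # stays: no role reason at all
]

def remaining_ids():
    return [a.id for a in remove_kept_by_role(PRIMARY, ROLES, NOW)]
```

Calling remaining_ids() returns the ids that stay in PrimaryAssignments and continue towards deprovisioning; assignments 10 and 13 are filtered out because role assignment 1 is still valid.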

Check for Same Assignment

There is no action for resource assignments from PrimaryAssignments that are also assigned by another valid assignment; they are moved to ResourceAssignmentsToDelete.

Check if the assignment is the same:

  • CoreIdentity is the same

  • Resource is the same

  • IdentityType is the same

  • assignment is not Ignore

  • assignment is

    • in state Assigned

    • or PendingAssignment and not Ignore and NOW is between ValidFrom and ValidTo

Assignment Deprovisioning

The assignments left in PrimaryAssignments after all filtering above will be deprovisioned.

There is one more check for active features:

| | Condition |
|---|---|
| resource assignment → Resource → ResourceType → TargetSystem → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
| resource assignment → IdentityType → TargetSystem → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
| resource assignment → Resource → ResourceType → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |

Deprovisioning starts with running Deallocation Workflow.

Elsa Deallocation workflow can be set on ResourceType (servicedmcore_resource_type_workflow table).

Workflow Foundation Deallocation workflow can be set up directly on the Resource (DeallocateWorkflow column).

If the resource has DeletePending set to true and its ResourceAccessLevel has SkipDeprovisioningAssignmentUponResourceDeletion set to true, the resource assignment will not be deprovisioned (there should be a message in the logs).

Otherwise the deprovisioning will run. The system connector will run RemoveResourceFromIdentity or RemoveIdentityFromResource depending on LinkDirection from Resource Provisioning Configuration.

The last step is to adjust the resource assignment in the database.

If the resource assignment has Ignore set to true and state Assigned, or if it is in state DeletePendingSetToPendingAssignment, the assignment state will be changed to AssignmentPending.

Otherwise it will be deleted from database.

Mark assignments to deprovisioning

Resource assignments gathered in AssignmentsToMarkForDeprovisioning (see "Support for Deprovisioning delay") will be checked again to confirm that MarkedForDeprovisioningDate is empty, and will then get MarkedForDeprovisioningDate set to NOW.

Cleanup

Cleanup runs for resource assignments gathered in ResourceAssignmentsToDelete (see "Check for Same Assignment") and for ones that belong to an unprovisioned Identity (filter below).

| GetAssignmentsToDeleteFromUnprovisionedIdentities | Condition |
|---|---|
| AssignmentState | is DeletePending |
| Identity → IsProvisioned | is true |

Cleanup action:

For assignments that have Ignore set to true:

  • set state to AssignmentPending (unless it is Assigned, in which case no action is taken)

For assignments that have Ignore set to false:

  • if the state is DeletePendingSetToPendingAssignment then set state to AssignmentPending

  • otherwise delete resource assignment from database