...

uint[] with Identity Ids

Work Items

Task does multiple things but…. how to write it well??There are 3 actions that are done by this task:

• Assignment Deprovisioning https://itsense.atlassian.net/wiki/spaces/IKB/pages/edit-v2/2583199778#Assignment-Deprovisioning

• Marking Assignment to deprovisioning https://itsense.atlassian.net/wiki/spaces/IKB/pages/edit-v2/2583199778#Mark-assignments-to-deprovisioning

• Cleanup https://itsense.atlassian.net/wiki/spaces/IKB/pages/edit-v2/2583199778#Cleanup

All these action work to more or less extend on the collection of resource assignments that are suspected as ‘to-be-deprovisioned’. This collection is described below and named PrimaryAssignments.

Primary filter for resource assignments

...

If the assignment from AssignmentsWithDeprovisioningDelay does not have MarkedForDeprovisioningDate - it will be removed from PrimaryAssignments collection and added to AAAAssignmentIdsToMarkForDeprovisioning AssignmentsToMarkForDeprovisioning.

Also if it does have MarkedForDeprovisioningDate but it’s time did not come - it will be removed from PrimaryAssignments collection.TODO: write about RemoveAssignmentsThatShouldBeKeptBecauseOfRoleAssignment

Remove Assignments That Should be Kept Because of Role Assignment

There can be situation described in

Searching for valid role assignments:

Assignments reasons are gathered for these valid role assignments.

Resource assignments that have as a AssignmentReason the valid role assignments will be removed from PrimaryAssignments (and so not deprovisioned).

Check for Same Assignment

There is no action for Resource Assignemnts from PrimaryAssignments that are also assigned by other valid assignment are moved to ResourceAssignmentsToDelete.

Check if the assignment is the same:

...

Deprovisioning starts with running Deallocation Workflow.

Elsa Deallocation workflow can be set on ResourceType (servicedmcore_resource_type_workflow table).

Workflow Foundation Deallocation workflow can be set up directly on the Resource (DeallocateWorkflow column).

If resource has DeletePending set to true and ResourceAccessLevel has SkipDeprovisioningAssignmentUponResourceDeletion set to true - the resource assignment will not be deprovisioned (there should be message in the logs).

Otherwise the deprovisioning will run. The system connector will run RemoveResourceFromIdentity or RemoveIdentityFromResource depending on LinkDirection from Resource Provisioning Configuration.

Last step is to adjust the resource assignment from the database.

If resource assignment has Ignore set to true and state Assigned or if it is in state DeletePendingSetToPendingAssignment - the assignment state will be changed to AssignmentPending

Otherwise it will be deleted from database.

Mark assignments to deprovisioning

Resource assignments gathered in AssignmentsToMarkForDeprovisioning (https://itsense.atlassian.net/wiki/spaces/IKB/pages/edit-v2/2583199778#Support-for-Deprovisioning-delay ) will be checked again if MarkedForDeprovisioningDate is empty and will get MarkedForDeprovisioningDate set to NOW.

Cleanup

Cleanup runs for resource assignments gathered in ResourceAssignmentsToDelete (https://itsense.atlassian.net/wiki/spaces/IKB/pages/edit-v2/2583199778#Check-for-Same-Assignment ) and ones that are for unprovisioned Identity (filter below)

Cleanup action:

For assignments that have Ignore set to true:

• set state to AssignmentPending (unless it is Assigned when no action is taken)

For assignments that have Ignore set to false:

• if the state is DeletePendingSetToPendingAssignment then set state to AssignmentPending

• otherwise delete resource assignment from database