Introduction
The purpose of the DeprovisionResourceAssignmentsTaskis to deprovision resource assignments on the target systems. It also deletes resource assignment or changes assignment state if needed.
| Value |
|---|---|
GUID |
|
Scheduled by default |
|
Interval in seconds | 30 |
Concurrent |
|
Parameters | uint[] with Identity Ids |
Work Items
Task does multiple things but…. how to write it well??
Primary filter for resource assignments
PrimaryAssignments | Condition |
|---|---|
AssignmentState | is OR is OR |
Core Identity |
|
Identity | If task parameter is set - only resource assignments for selected Identities are returned |
Support for Deprovisioning delay
AssignmentsWithDeprovisioningDelay | Condition |
|---|---|
current assignment → Resource → ResourceType → DeallocationDelayInSeconds | greater than 0 |
AssignmentState | is not |
If the assignment from AssignmentsWithDeprovisioningDelay does not have MarkedForDeprovisioningDate - it will be removed from PrimaryAssignments collection and added to AssignmentsToMarkForDeprovisioning.
Also if it does have MarkedForDeprovisioningDate but it’s time did not come - it will be removed from PrimaryAssignments collection.
TODO: write about RemoveAssignmentsThatShouldBeKeptBecauseOfRoleAssignment
Check for Same Assignment
Resource Assignemnts from PrimaryAssignments that are also assigned by other valid assignment are moved to ResourceAssignmentsToDelete.
Check if the assignment is the same:
CoreIdentity is the same
Resource is the same
IdentityType is the same
assignment is not
Ignoreassignment is
in state
Assignedor
PendingAssignmentand notIgnoreand NOW is betweenValidFromandValidTo
Assignment Deprovisioning
The assignments left in PrimaryAssignments after all filtering above will be deprovisioned.
There is one more check for active features:
Condition | |
|---|---|
resource assignment → Resource → ResourceType → TargetSystem → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
resource assignment → IdentityType → TargetSystem → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
resource assignment → Resource → ResourceType → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
Deprovisioning starts with running Deallocation Workflow.
Elsa Deallocation workflow can be set on ResourceType (servicedmcore_resource_type_workflow table).
Workflow Foundation Deallocation workflow can be set up directly on the Resource (DeallocateWorkflow column).
If resource has DeletePending set to true and ResourceAccessLevel has SkipDeprovisioningAssignmentUponResourceDeletion set to true - the resource assignment will not be deprovisioned (there should be message in the logs).
Otherwise the deprovisioning will run. The system connector will run RemoveResourceFromIdentity or RemoveIdentityFromResource depending on LinkDirection from Resource Provisioning Configuration.
Last step is to adjust the resource assignment from the database.
If resource assignment has Ignore set to true and state Assigned or if it is in state DeletePendingSetToPendingAssignment - the assignment state will be changed to AssignmentPending
Otherwise it will be deleted from database.
Mark assignments to deprovisioning
Resource assignments gathered in AssignmentsToMarkForDeprovisioning will be checked again if MarkedForDeprovisioningDate is empty and will get MarkedForDeprovisioningDate set to NOW.
Cleanup
Cleanup runs for resource assignments gathered in ResourceAssignmentsToDelete and ones that are for unprovisioned Identity (filter below)
GetAssignmentsToDeleteFromUnprovisionedIdentities | Condition |
|---|---|
AssignmentState | is |
Identity → IsProvisioned | is |
Cleanup action:
For assignments that have Ignore set to true:
set state to
AssignmentPending(unless it isAssignedwhen no action is taken)
For assignments that have Ignore set to false:
if the state is
DeletePendingSetToPendingAssignmentthen set state toAssignmentPendingotherwise delete resource assignment from database