Deprovision Resource Assignments Task

Introduction

The purpose of the DeprovisionResourceAssignmentsTask is to deprovision resource assignments on the target systems. It also deletes the resource assignment or changes its assignment state if needed.

 

|  | Value |
|---|---|
| GUID | 8ee5929d98814d69aea5d9f72921c8ff |
| Scheduled by default |  |
| Interval in seconds | 30 |
| Concurrent |  |
| Parameters | uint[] with Identity Ids |

Work Items

There are 3 actions that are done by this task:

All these actions work, to a greater or lesser extent, on the collection of resource assignments that are suspected as ‘to-be-deprovisioned’. This collection is described below and named PrimaryAssignments.

Primary filter for resource assignments

| PrimaryAssignments | Condition |
|---|---|
| AssignmentState | is DeletePending OR is DeletePendingSetToPendingAssignment OR Assigned and Ignore flag is true |
| Core Identity | IsProvisioned set to true |
| Identity | If task parameter is set - only resource assignments for selected Identities are returned |

Support for Deprovisioning delay

| AssignmentsWithDeprovisioningDelay | Condition |
|---|---|
| current assignment → Resource → ResourceType → DeallocationDelayInSeconds | greater than 0 |
| AssignmentState | is not DeletePendingSetToPendingAssignment |

If an assignment from AssignmentsWithDeprovisioningDelay does not have a MarkedForDeprovisioningDate, it will be removed from the PrimaryAssignments collection and added to AssignmentsToMarkForDeprovisioning.

If it does have a MarkedForDeprovisioningDate but its time has not yet come, it will also be removed from the PrimaryAssignments collection.

Remove Assignments That Should be Kept Because of Role Assignment

The situation described in https://itsense.atlassian.net/browse/IMS-6906 can occur. To fix it, there is a filter that removes assignments from PrimaryAssignments if they are there because of a valid role assignment.

Searching for valid role assignments:

| Servicedmcore_RoleAssignments | Condition |
|---|---|
| Deny | is false |
| Ignore | is false |
| ValidFrom, ValidTo | NOW is between ValidFrom and ValidTo |
| State | New OR Assigned OR PendingAssignment OR PendingApproval |

Assignment reasons are gathered for these valid role assignments.

Resource assignments that have one of the valid role assignments as their AssignmentReason will be removed from PrimaryAssignments (and so not deprovisioned).

Check for Same Assignment

Resource assignments from PrimaryAssignments that are also assigned by another valid assignment are moved to ResourceAssignmentsToDelete.

Check if the assignment is the same:

  • CoreIdentity is the same

  • Resource is the same

  • IdentityType is the same

  • assignment is not Ignore

  • assignment is

    • in state Assigned

    • or PendingAssignment and not Ignore and NOW is between ValidFrom and ValidTo
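The filtering stages described so far (primary filter, deprovisioning delay, role-assignment keep, same-assignment check), modelled as one decision function. This is an added example, not the product's own code: the class and field names are constructed, the stages run in the order the page presents them, and the delay is assumed to end at MarkedForDeprovisioningDate plus DeallocationDelayInSeconds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

VALID_ROLE_STATES = {"New", "Assigned", "PendingAssignment", "PendingApproval"}

@dataclass
class RoleAssignment:  # constructed model of a Servicedmcore_RoleAssignments row
    state: str
    valid_from: datetime
    valid_to: datetime
    deny: bool = False
    ignore: bool = False

@dataclass
class ResourceAssignment:  # constructed model; field names are assumptions
    state: str
    ignore: bool = False
    identity_id: int = 1
    identity_provisioned: bool = True         # Core Identity IsProvisioned
    delay_seconds: int = 0                    # DeallocationDelayInSeconds
    marked_date: Optional[datetime] = None    # MarkedForDeprovisioningDate
    reason: Optional[RoleAssignment] = None   # AssignmentReason, when it is a role
    duplicate_valid: bool = False             # "Check for Same Assignment" matched

def role_is_valid(r: RoleAssignment, now: datetime) -> bool:
    return (not r.deny and not r.ignore and r.state in VALID_ROLE_STATES
            and r.valid_from <= now <= r.valid_to)

def classify(a: ResourceAssignment, now: datetime, identity_ids=None) -> str:
    """Return the collection or outcome the assignment ends up in."""
    primary = (a.state in ("DeletePending", "DeletePendingSetToPendingAssignment")
               or (a.state == "Assigned" and a.ignore))
    selected = not identity_ids or a.identity_id in identity_ids  # task parameter
    if not (primary and a.identity_provisioned and selected):
        return "not selected"
    if a.delay_seconds > 0 and a.state != "DeletePendingSetToPendingAssignment":
        if a.marked_date is None:
            return "AssignmentsToMarkForDeprovisioning"
        # Assumption: the delay ends at marked_date + delay_seconds.
        if now < a.marked_date + timedelta(seconds=a.delay_seconds):
            return "waiting for delay"
    if a.reason is not None and role_is_valid(a.reason, now):
        return "kept by valid role assignment"
    if a.duplicate_valid:
        return "ResourceAssignmentsToDelete"
    return "deprovision"

# Constructed sample: delayed resource type, assignment not yet marked.
print(classify(ResourceAssignment("DeletePending", delay_seconds=3600), datetime(2024, 1, 1)))
```

Running a model like this over exported assignment rows helps explain why an access that was expected to be revoked is still present on the target system.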

Assignment Deprovisioning

The assignments left in PrimaryAssignments after all filtering above will be deprovisioned.

There is one more check for active features:

 

|  | Condition |
|---|---|
| resource assignment → Resource → ResourceType → TargetSystem → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
| resource assignment → IdentityType → TargetSystem → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |
| resource assignment → Resource → ResourceType → SystemRecurringTaskFeatures | DeprovisionResourceFromIdentity (14) has to be active |

Deprovisioning starts with running Deallocation Workflow.

Elsa Deallocation workflow can be set on ResourceType (servicedmcore_resource_type_workflow table).

Workflow Foundation Deallocation workflow can be set up directly on the Resource (DeallocateWorkflow column).

 

If the resource has DeletePending set to true and its ResourceAccessLevel has SkipDeprovisioningAssignmentUponResourceDeletion set to true, the resource assignment will not be deprovisioned (there should be a message in the logs).

Otherwise the deprovisioning will run. The system connector will run RemoveResourceFromIdentity or RemoveIdentityFromResource, depending on the LinkDirection from the Resource Provisioning Configuration.

The last step is to adjust the resource assignment in the database.

If the resource assignment has Ignore set to true and state Assigned, or if it is in state DeletePendingSetToPendingAssignment, the assignment state will be changed to AssignmentPending.

Otherwise it will be deleted from the database.

Mark assignments to deprovisioning

Resource assignments gathered in AssignmentsToMarkForDeprovisioning (see Support for Deprovisioning delay) are checked again for an empty MarkedForDeprovisioningDate and get MarkedForDeprovisioningDate set to NOW.

Cleanup

Cleanup runs for resource assignments gathered in ResourceAssignmentsToDelete (see Check for Same Assignment) and for ones that belong to an unprovisioned Identity (filter below).

| GetAssignmentsToDeleteFromUnprovisionedIdentities | Condition |
|---|---|
| AssignmentState | is DeletePending |
| Identity → IsProvisioned | is true |

Cleanup action:

For assignments that have Ignore set to true:

  • set state to AssignmentPending (unless it is Assigned, in which case no action is taken)

For assignments that have Ignore set to false:

  • if the state is DeletePendingSetToPendingAssignment then set state to AssignmentPending

  • otherwise delete resource assignment from database

© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.