Process To Email The Manager Of A Service Account When Their End Date Is Approaching

A long-term goal of mine has been to get “account requestors” to take ownership of their Service Accounts.

Attempts have been made by my predecessors to record an owner of a service account, but it has simply been done as a string attribute of the AD object. Thus, when the person leaves and the account is deleted, the service account becomes orphaned, with a reference to a long-forgotten ID.

So, thinking of a way to carry this out: I am already using the email address of the owner of an administrative account to make decisions about whether the administrative account should be enabled or disabled – based on the end date of the owner – discovered by looking up the email address in the MV.

I figured that I could do something similar for those Service Accounts. I’ll be creating service accounts via the portal, and the owner of the account will be assigned to the manager attribute. So, how can I get the email address of the manager into the MV as a thing that I can look up? I can’t do an advanced flow rule on the FIMMA, and even if I could, Manager is a reference attribute, so I can’t do it anyway. I found an article about dereferencing another attribute, and that got me going down this path. The solution is simple. Create a new attribute and binding in the portal – “ManagerEmailAddress” – then set up a workflow as follows:

GetManagerEmailAddressWF

When the account falls into scope, the manager’s email address is set into that new attribute – in the sync engine, create a direct flow to put that into the MV (I’m using “serialNumber” – for one reason or another, that I won’t go into :)).

I have, on the import from AD, some code to set an MV boolean flag – “functionalID” – if the DN of the person object contains the strings found in the Service Account OUs, then functionalID = True. This attribute is pushed into the portal and is used in set definitions.

So, I’m getting there. Now I need something to set another flag in the MV that will go to the portal. This one defines whether the owner of the Service Account is approaching their end date (30 days prior). It is defined on the import from AD and populates the MV attribute “functionalID-owner-expiring”:

'This Case sits inside MapAttributesForImport(FlowRuleName, csentry, mventry) of the MV extension;
'only the branch for this flow rule is shown.
'provider is not declared in the snippet as originally posted; the invariant culture is assumed here.
Dim provider As System.Globalization.CultureInfo = System.Globalization.CultureInfo.InvariantCulture

Select Case FlowRuleName
    Case "functionalID-owner-expiring-ADMA-Import"
        'Only evaluate objects that live in one of the Service Account OUs.
        If csentry.DN.ToString.ToLower.Contains("service") Or csentry.DN.ToString.ToLower.Contains("somethingelse") Then
            'serialNumber carries the owner's (manager's) email address, set by the portal workflow.
            If mventry("serialNumber").IsPresent Then
                'Find the owner's person entry in the MV by email address.
                Dim AdminEntry() As MVEntry = Utils.FindMVEntries("mail", mventry("serialNumber").Value)
                If AdminEntry.Length <> 0 Then
                    'We got an entry, so work with it... If the employeeEndDate of the parent account is within 30 days, set the flag - used in the portal to email the manager of the account.
                    If AdminEntry(0).Item("employeeEndDate").IsPresent Then
                        Dim EndDate As Date = DateTime.ParseExact(AdminEntry(0).Item("employeeEndDate").Value.ToString, "yyyy-MM-ddTHH:mm:ss.000", provider).Date
                        Dim nowTime As Date = Date.Now.Date.AddDays(30)
                        If EndDate <= nowTime Then
                            'the parent account will be disabled within 30 days, so set the expiry flag in the MV to true:
                            mventry("functionalID-owner-expiring").BooleanValue = True
                        ElseIf EndDate > nowTime Then
                            'the parent account is still active so set the flag to false:
                            mventry("functionalID-owner-expiring").BooleanValue = False
                        End If
                    End If
                ElseIf AdminEntry.Length = 0 Then
                    'No person with that email address: fail the import unless the address is on the ignore list.
                    'generateArrayFromFile is a helper defined elsewhere in the extension; it returns the lines of the file.
                    If Not generateArrayFromFile("C:\FIMControl\IgnoreFunctionalIDOwner.txt").Contains(mventry("serialNumber").Value.ToLower) Then
                        Throw New FailedSearchException("Functional ID Owner NOT Found! " & mventry("accountName").Value.ToLower)
                    End If
                End If
            End If
        End If
End Select

Of course, after the initial code definition, I found another of those inevitable exceptions, so I added the generateArrayFromFile function, with a reference (in a text file) to the email address that should be ignored.
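The same decision logic, written as an added Python example rather than the VB.NET MV extension code above (it is not the author's code and does not touch FIM). The metaverse lookup is replaced by a constructed dictionary keyed on the person's mail attribute, the ignore file by an inline string, and the end date uses the same yyyy-MM-ddTHH:mm:ss.000 layout the flow rule parses. It covers the cases the flow rule has to handle: owner within the 30-day window, owner still active, owner with no end date, unknown owner (raises), and unknown owner on the ignore list (silently skipped). The final function emulates the portal set (FunctionalID = True and FunctionalID-owner-expiring = True) to list which managers would be notified.

```python
from datetime import date, datetime, timedelta

# Constructed sample data standing in for the FIM metaverse (MV).  The real code
# calls Utils.FindMVEntries("mail", ...); here the person entries are a dict
# keyed by their "mail" attribute.
PERSON_MV = {
    "alice@example.com": {"employeeEndDate": "2024-06-20T00:00:00.000"},
    "bob@example.com":   {"employeeEndDate": "2025-12-31T00:00:00.000"},
    "carol@example.com": {},   # no end date recorded (permanent staff)
}

# Constructed stand-in for the contents of C:\FIMControl\IgnoreFunctionalIDOwner.txt
IGNORE_FILE_CONTENT = "shared-svc-owner@example.com\n"

END_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.000"   # same layout as the VB ParseExact call
WINDOW_DAYS = 30
SERVICE_OU_MARKERS = ("service", "somethingelse")   # substrings of the service account OU DNs


class FailedSearchException(Exception):
    """Mirrors the exception the MV extension throws when the owner cannot be found."""


def generate_array_from_file(content):
    """Lower-cased set of email addresses to ignore (one per line, blank lines skipped)."""
    return {line.strip().lower() for line in content.splitlines() if line.strip()}


def is_service_account(dn):
    """True when the DN sits under one of the service account OUs."""
    return any(marker in dn.lower() for marker in SERVICE_OU_MARKERS)


def owner_expiring(dn, serial_number, today, mv=PERSON_MV, ignore_text=IGNORE_FILE_CONTENT):
    """
    Value for functionalID-owner-expiring: True/False when it can be decided,
    None when the flow rule leaves the attribute untouched (not a service
    account, no owner recorded, or owner has no end date).  Raises
    FailedSearchException for an unknown owner that is not on the ignore list.
    """
    if not is_service_account(dn):
        return None
    if not serial_number:
        return None
    owner = mv.get(serial_number.lower())
    if owner is None:
        if serial_number.lower() not in generate_array_from_file(ignore_text):
            raise FailedSearchException(f"Functional ID Owner NOT Found! {serial_number.lower()}")
        return None
    end_raw = owner.get("employeeEndDate")
    if end_raw is None:
        return None
    end_date = datetime.strptime(end_raw, END_DATE_FORMAT).date()
    cutoff = today + timedelta(days=WINDOW_DAYS)
    return end_date <= cutoff


# Constructed service account CS entries: DN plus the owner email in serialNumber.
SAMPLE_ACCOUNTS = [
    {"accountName": "svc-backup",  "dn": "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",  "serialNumber": "alice@example.com"},
    {"accountName": "svc-monitor", "dn": "CN=svc-monitor,OU=Service Accounts,DC=example,DC=com", "serialNumber": "bob@example.com"},
    {"accountName": "svc-shared",  "dn": "CN=svc-shared,OU=Service Accounts,DC=example,DC=com",  "serialNumber": "shared-svc-owner@example.com"},
    {"accountName": "svc-perm",    "dn": "CN=svc-perm,OU=Service Accounts,DC=example,DC=com",    "serialNumber": "carol@example.com"},
    {"accountName": "jdoe",        "dn": "CN=jdoe,OU=Users,DC=example,DC=com",                   "serialNumber": "alice@example.com"},
]


def managers_to_notify(accounts, today):
    """Emulate the portal set (FunctionalID = True and owner-expiring = True):
    returns (accountName, owner email) for every account whose manager should be mailed."""
    notify = []
    for acct in accounts:
        if owner_expiring(acct["dn"], acct["serialNumber"], today):
            notify.append((acct["accountName"], acct["serialNumber"]))
    return notify


if __name__ == "__main__":
    for name, owner in managers_to_notify(SAMPLE_ACCOUNTS, date(2024, 6, 1)):
        print(f"notify {owner}: owner of {name} is leaving within {WINDOW_DAYS} days")
```

Note that the window comparison is inclusive and date-only, as in the flow rule (the time component is discarded before comparing), so an owner whose end date is exactly 30 days out is flagged.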

Create attribute and binding in the portal for FunctionalID-owner-expiring

Set up an export in the FIMMA for the new attribute.

Create a set: FunctionalID = True and FunctionalID-owner-expiring = True.

Create a notification workflow and mail template: notification to [//Target/Manager], then the set transition MPR.

I think I have it, just need to do a little testing to see that it works as expected.

I’m still a long way from the stated goal, as I still need to find “owners” for all of those accounts that have been created in the past.