
Considerations when configuring import rules to offboard or delete managed objects

When configuring import rules to offboard objects (such as accounts or systems) or to delete systems, take care to review the planned offboard or delete before enabling it. The planned offboard/delete should be reviewed against:

  • All existing managed account / managed system / target system bind rules to ensure no conflicts with those rules.

  • The current solution design, to see whether the offboard or delete use case is already handled; for example, if you plan to offboard a managed object by attribute, check whether there are already business requirements and/or rules that offboard the object by time (such as how long the system has been offline).

Lack of proper review may result in a misconfiguration. Common misconfiguration issues include:

  1. Unintentional offboard or deletion of a managed object

    An unbind or delete rule can offboard or delete an object originally bound by any of the defined bind rules, not only by the rule you have in mind. If the conditions of your unbind rule are not specific enough, you may offboard or delete an object you did not intend to.

    Misconfiguration example

    • Managed System Bind Rule 1:

      • (Condition 1) "Name" contains "UAT"

      • (Condition 2) "DistinguishedName" contains "DC=mydomain, DC=com"

    • Managed System Bind Rule 2:

      • (General) "Unbind objects if they no longer satisfy this rule" enabled

      • (Condition 1) "Name" contains "UAT"

      • (Condition 2) "DistinguishedName" contains "DC=mydomain2, DC=com"

      • (Condition 3) "compNotDiscoveredPastThreshold" = "0" (assume PUSH COMP NOT DISCOVERED THRESHOLD = 60)

    • Managed System Unbind Rule:

      • (Intended Use Case) Offboard all UAT systems that are offline for 30 days or more.

      • (Condition 1) "Name" contains "UAT"

      • (Condition 2) "compNotDiscoveredDays" >= 30.

    In the above example the unbind rule could unintentionally offboard systems bound by "Managed System Bind Rule 2" earlier (after 30 days offline) than they were meant to be (after 60 days offline).

  2. Rule definitions which can repeatedly offboard/bind an object or delete/add a system

    If the conditions defined by an account/system bind rule and an unbind rule, or by a target system bind rule and a delete rule, both match the same object, that object may be repeatedly processed by those rules every time they are evaluated.

    Referring back to the misconfiguration example above, assume a system named UAT2 in "DC=mydomain2,DC=com". While UAT2 has been offline for between 30 and 60 days it satisfies the conditions of both `Managed System Bind Rule 2` and `Managed System Unbind Rule`. On every iteration of import rule evaluation the system will be onboarded and then offboarded again.
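Both issues above can be caught before the rules go live by replaying the rule set against a sample inventory and flagging any object that a bind rule and an unbind rule match at the same time. The Python model below is an added example written for this article; it is not the product's own rule engine. It assumes AND semantics across a rule's conditions, plain substring matching for "contains", that `compNotDiscoveredPastThreshold` becomes 1 once `compNotDiscoveredDays` reaches the 60-day threshold, and that rules are evaluated in list order on each pass. The system names, distinguished names and offline-day values are constructed. Beyond the UAT2 case in the text, the check also flags UAT1 under `Managed System Bind Rule 1`, because that rule has no offline condition and so keeps matching a system the unbind rule is offboarding.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumption: mirrors the article's "assume PUSH COMP NOT DISCOVERED THRESHOLD = 60".
NOT_DISCOVERED_THRESHOLD_DAYS = 60


@dataclass
class ManagedSystem:
    name: str
    distinguished_name: str
    comp_not_discovered_days: int  # days since the system was last discovered (offline days)

    @property
    def comp_not_discovered_past_threshold(self) -> int:
        # Assumption: the flag is 1 once the offline period reaches the threshold, else 0.
        return 1 if self.comp_not_discovered_days >= NOT_DISCOVERED_THRESHOLD_DAYS else 0


Condition = Callable[[ManagedSystem], bool]


@dataclass
class ImportRule:
    name: str
    action: str  # "bind" or "unbind"
    conditions: List[Condition]

    def matches(self, system: ManagedSystem) -> bool:
        # Assumption: a rule applies only when every one of its conditions holds (AND).
        return all(cond(system) for cond in self.conditions)


def name_contains(text: str) -> Condition:
    return lambda s: text in s.name


def dn_contains(text: str) -> Condition:
    # DN spacing is normalised so "DC=mydomain, DC=com" and "DC=mydomain,DC=com" compare equal.
    return lambda s: text in s.distinguished_name.replace(", ", ",")


# The three rules from the article's misconfiguration example.
RULES = [
    ImportRule("Managed System Bind Rule 1", "bind",
               [name_contains("UAT"), dn_contains("DC=mydomain,DC=com")]),
    ImportRule("Managed System Bind Rule 2", "bind",
               [name_contains("UAT"), dn_contains("DC=mydomain2,DC=com"),
                lambda s: s.comp_not_discovered_past_threshold == 0]),
    ImportRule("Managed System Unbind Rule", "unbind",
               [name_contains("UAT"), lambda s: s.comp_not_discovered_days >= 30]),
]


def review_system(rules: List[ImportRule], system: ManagedSystem) -> Dict[str, object]:
    """List the bind and unbind rules matching a system; both kinds matching is a conflict."""
    binds = [r.name for r in rules if r.action == "bind" and r.matches(system)]
    unbinds = [r.name for r in rules if r.action == "unbind" and r.matches(system)]
    return {"binds": binds, "unbinds": unbinds, "conflict": bool(binds and unbinds)}


def find_conflicts(rules: List[ImportRule], systems: List[ManagedSystem]) -> List[str]:
    """Names of systems that at least one bind rule and one unbind rule both match."""
    return [s.name for s in systems if review_system(rules, s)["conflict"]]


def simulate(rules: List[ImportRule], system: ManagedSystem,
             iterations: int = 3, initially_bound: bool = False) -> List[List[str]]:
    """Replay evaluation passes; a system matched by both rule kinds flip-flops every pass."""
    bound = initially_bound
    history: List[List[str]] = []
    for _ in range(iterations):
        events: List[str] = []
        for rule in rules:
            if not rule.matches(system):
                continue
            if rule.action == "bind" and not bound:
                bound = True
                events.append(f"onboarded by {rule.name}")
            elif rule.action == "unbind" and bound:
                bound = False
                events.append(f"offboarded by {rule.name}")
        history.append(events)
    return history


# Constructed sample inventory (names, DNs and offline days are made up for this example).
SAMPLE_SYSTEMS = [
    ManagedSystem("UAT1", "CN=UAT1,OU=Servers,DC=mydomain,DC=com", 45),
    ManagedSystem("UAT2", "CN=UAT2,OU=Servers,DC=mydomain2,DC=com", 45),
    ManagedSystem("UAT3", "CN=UAT3,OU=Servers,DC=mydomain2,DC=com", 10),
    ManagedSystem("UAT4", "CN=UAT4,OU=Servers,DC=mydomain2,DC=com", 75),
    ManagedSystem("PROD1", "CN=PROD1,OU=Servers,DC=mydomain,DC=com", 90),
]

if __name__ == "__main__":
    for system in SAMPLE_SYSTEMS:
        print(system.name, review_system(RULES, system))
    print("conflicting systems:", find_conflicts(RULES, SAMPLE_SYSTEMS))
    print("UAT2 replay:", simulate(RULES, SAMPLE_SYSTEMS[1]))
```

Running the replay for UAT2 shows the onboard/offboard pair on every pass, while UAT4 (offline 75 days, already bound) is offboarded once and then left alone, which is the behaviour the unbind rule was written for. The usual fix for the flagged systems is to make the unbind rule's conditions at least as specific as the bind rule's (for example, adding the domain condition), or to let the bind rule's own "unbind objects if they no longer satisfy this rule" setting handle the offboard instead of a separate unbind rule.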