9 Replies Latest reply on Sep 9, 2018 9:17 PM by MarkLarvo

    Employee Data Feed - Update all records with matching Employee ID

    TimDensmore Apprentice

      We have a feed set up that marks which employees need to be disabled and then runs a workflow to disable them. It works fine except for in the case that one employee has multiple user accounts sharing the same Employee ID.

       

      This is expected function as normally you would want to do a match on an entirely unique field, but in our case what we actually want to do is update all accounts sharing a certain Employee ID.

      We can't really change our feed because the Employee Deletes file comes from AD and any field we would use to find their account within Ivanti would have the same problem with not being unique.

       

      My question is, is there any way to use a data feed to match on all records that fit a certain criteria and update them (i.e. sharing the same Employee ID)? As I said this is not a common case, but it is one that comes up.

       

      Thanks,

      Tim

        • 1. Re: Employee Data Feed - Update all records with matching Employee ID
          Jonathan.Schmidt SupportEmployee

          Hi Tim,

           

          This is not possible within the data import connection.  Are you not using the LDAP DN imported to bring in the Employee data and match on it?  How do these extra accounts get created?  Perhaps you need to build out something that uses a custom relationship and links together all records related to one employee.  Once done I think you could build a trigger that when any one of them is disabled it does the same for the others that are linked?

           

          That's just a first-look idea I had.  It's certainly a complicated situation so the solution will likely also be complicated.

           

          Hope this helps

           

          Jon

          • 2. Re: Employee Data Feed - Update all records with matching Employee ID
            TimDensmore Apprentice

            Jonathan,

             

            We are using an LDAP connection for employee records, but the way we are disabling employees in an automated fashion is through a flat file data feed. We couldn't figure out a way to disable records with negative affirmation (i.e. disable users that are missing from the LDAP connection), so what we had to do is generate a flat file regularly of all users that were removed from Active Directory in the past day (i.e. users that existed previously and now do not).

             

            There's no object we are linking or anything that makes this happen -- the records match the employee object and update a flag which causes them to be disabled, as well as some other changes.

             

            Does Ivanti Support matching multiple objects and linking upon import? If so, then maybe what we could do is have a designated object that will search and link for all records having the same employee ID and update that way.

             

            Thanks,

            Tim

            • 3. Re: Employee Data Feed - Update all records with matching Employee ID
              Jonathan.Schmidt SupportEmployee

              No we can't match multiple object on a single import.

               

              I'm still confused how these extra accounts get into ISM and if you are operating on an LDAP import.  Do they have the proper LDAP DN?

               

              Jon

              • 4. Re: Employee Data Feed - Update all records with matching Employee ID
                TimDensmore Apprentice

                Jonathan,

                 

                It's not a matter of extra accounts getting into Ivanti, the issue is once they are already there, we want to have an automated process to disable any employees that leave the company. We have an LDAP connection that feeds users in from AD, but it doesn't look like Ivanti disables them automatically when they are no longer in the feed.

                 

                Thanks,

                Tim

                • 5. Re: Employee Data Feed - Update all records with matching Employee ID
                  Jonathan.Schmidt SupportEmployee

                  Hi Tim,

                   

                  So if they come in via LDAP import they should contain the LDAP DN.  If that's the case it should be trivial to match that LDAP DN from your flat file of "missing" accounts to the existing Employee records and mark them disabled.

                   

                  If I'm missing something here then perhaps giving us an example to look at with what's in the database for a set of these accounts and what's in your flat file might be able to lend more insight.

                   

                  Jon

                  • 6. Re: Employee Data Feed - Update all records with matching Employee ID
                    TimDensmore Apprentice

                    Jonathan,

                     

                    I see what you mean. I was trying to make the link happen with the file I was given -- simply the employee ID and a Boolean field called "delete". You're saying instead of employee ID which is unique, I should just have the DN put in as a field for the flat file, and do the matching that way -- is that what you're saying?

                     

                    Thanks,

                    Tim

                    • 7. Re: Employee Data Feed - Update all records with matching Employee ID
                      TimDensmore Apprentice

                      Edit: whoops, I meant to say the employee ID is NOT unique

                      • 8. Re: Employee Data Feed - Update all records with matching Employee ID
                        Jonathan.Schmidt SupportEmployee

                        Hi Tim,

                         

                        Yeah, have your flat file have data that's guaranteed to be unique and match the exact records you need to manipulate.  I had assumed the flat file operates on DN as that's the best key in most LDAP environments.

                         

                        Jon

                        • 9. Re: Employee Data Feed - Update all records with matching Employee ID
                          MarkLarvo Specialist

                          HI Tim,

                           

                          We had a similar situation in our environment. We tried to use the automated disabled feature but our SysAdmin team moves the AD objects out of the User folder upon departure. This meant we never included those AD objects in the LDAP sync to match up to those feature parameters.

                           

                          Example of what did not work:

                          kesm ldap disable example.png

                          AD was also missing some additional HR fields we wanted. We accomplish all of this in a job that runs after the LDAP sync. A SQL job looks at all employee records in ISM and then pulls matching criteria from a SQL table of HR data. One of these fields is employment status as a Boolean value: active = True.

                           

                          Since the ISM field IsDisabled is the opposite Boolean value we write our value to another field which in turn sets IsDisabled.

                          kesm is disabled.png

                          Another rule changes the Status value too

                          $(if KE_ActiveFlag then "Active" else "Terminated")

                           

                          We also use the employee number as our unique value for employee records. We allow people to change network ids when names change. Employee number is our absolute unique value to identify personnel.

                           

                          Hope that can help in some way! Mark.