Not a bug

accountExpires missing when running Request Schema from AD

Adrian Corston 1 year ago in UNIFYBroker/Microsoft Active Directory updated by Adam van Vliet (Chief Information Security Officer) 1 year ago 4

When I run 'Request Schema' on the Broker/AD connector, the 'accessExpires' AD attribute does not appear.

How do I add this attribute to my connector so that I can synchronise it in Broker/Plus?


Answer
Not a bug

It is capable of reading these fields. I've added an item to the backlog to improve usability.


Never mind, I added it using the 'Add Field' button. It hadn't worked when I tried that initially, as I had used an incorrect field name ("accessExpires" instead of "accountExpires"). Broker silently ignored the incorrectly named field and didn't report any error, so it took a long time to identify the error.

Under review

There are over a thousand fields; which would you like to be in the default schema? UNIFYBroker doesn't know whether you have entered a typo, it could be a legitimate custom field.

Options are:
* All of the fields in the connected AD schema (which is what "Request Schema" would seem to imply)
* None (remove the Request Schema button altogether)
* Survey the Professional Services group (or the internet) to see which attributes are in common usage

A popup to notify the configurer of the limitations of the "Request Schema" functionality would be worthwhile, along with some explanation of what that button does on the AD Connector.

The Broker/AD documentation on voice does say that "UNIFYBroker/Microsoft Active Directory is capable of reading, creating, updating and moving Active Directory objects of any objectClass and all standard attributes" (emphasis mine). If "all standard attributes" isn't intended to equate to the core AD attribute list (https://docs.microsoft.com/en-us/windows/desktop/adschema/attributes-all - which is a massive list and I agree too many) then I am pretty sure most IAM professionals would agree that accountExpires is a common attribute that customers might expect to have managed in an IAM automation scenario.
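The two practical points raised in this thread are that a mistyped field name is silently ignored, and that accountExpires needs to be understood once it is synchronised. The Python below is an added, illustrative example, not code from the thread or from UNIFYBroker: it checks a candidate attribute name against the schema's ldapDisplayName list before it is typed into 'Add Field' (flagging "accessExpires" and suggesting "accountExpires"), and decodes/encodes the accountExpires value, which is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) whose values 0 and 9223372036854775807 both mean "never expires". The schema list here is a constructed sample; in a real domain it would be read from the schema naming context (the PowerShell command in the comment is one way to do that). The function names are my own.

```python
# Added example for this thread, not part of UNIFYBroker or of any post above.
# 1) Validate an attribute name against the AD schema before adding it to the
#    connector, so a typo such as "accessExpires" is caught instead of being
#    silently ignored.
# 2) Decode/encode accountExpires, a FILETIME large integer with two sentinel
#    values that both mean "never expires".
import difflib
from datetime import datetime, timedelta, timezone

# Constructed sample of ldapDisplayName values. Assumption: in a real domain
# the full list is read from the schema naming context, e.g. in PowerShell:
#   Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
#       -LDAPFilter "(objectClass=attributeSchema)" -Properties lDAPDisplayName
SCHEMA_ATTRIBUTES = [
    "accountExpires", "displayName", "extensionAttribute1", "lastLogonTimestamp",
    "mail", "memberOf", "pwdLastSet", "sAMAccountName", "userAccountControl",
    "userPrincipalName",
]


def validate_field_name(name, schema=SCHEMA_ATTRIBUTES):
    """Return (canonical_name, suggestions).

    LDAP attribute names are case-insensitive, so "accountexpires" resolves to
    the schema's own spelling. An unknown name yields (None, close_matches) so
    the configurer can see which attribute was probably intended.
    """
    by_lower = {attr.lower(): attr for attr in schema}
    canonical = by_lower.get(name.lower())
    if canonical is not None:
        return canonical, []
    return None, difflib.get_close_matches(name, schema, n=3, cutoff=0.6)


# accountExpires sentinels: 0 and 2**63-1 both mean "account never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_account_expires(raw):
    """FILETIME large integer (int or str) -> aware datetime, or None for 'never'.

    Ticks are truncated to microseconds, the resolution of datetime.
    """
    ticks = int(raw)
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def encode_account_expires(when):
    """Inverse of decode_account_expires for an aware datetime.

    None encodes as the 'never expires' sentinel that AD tools write.
    """
    if when is None:
        return 0x7FFFFFFFFFFFFFFF
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


if __name__ == "__main__":
    for candidate in ("accessExpires", "accountexpires", "accountExpires"):
        print(candidate, "->", validate_field_name(candidate))
    # Constructed value: 2020-01-01T00:00:00Z expressed as a FILETIME.
    print(decode_account_expires(132223104000000000))
    print(decode_account_expires("9223372036854775807"))
```

The name check is the step UNIFYBroker cannot do for you, since it cannot tell a typo from a legitimate custom attribute; running it against the real schema list from your domain before using 'Add Field' avoids the silent-ignore problem described above.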
