Symantec Access Management

PolicyXpress and Account Sync at Task Completion 

Jun 16, 2015 10:43 AM

Identity Manager developers have been having problems over the years with PolicyXpress policies when the task fires on the completion of a task when Account Sync is set to on Task Completion. As a workaround, users have changed the Account Synchronization to "On Every Event". This method makes the policy run properly, but it causes a lot of additional network traffic and overhead.

 

The problem here is that often, the PX data will rely on data in the user attributes of the corporate user. When account sync fires, changes are sent down to the Provisioning Server and any changes that are made there have to circle back via the etacallback channel and a new task is run in IM via inbound sync. This would be either Provisioning Create User, or Provisioning Modify User. Because the account sync and the PX fire essentially at the same time, the PX completes before the inbound sync completes. This will leave you with null or incorrect data for the user attributes based on the corporate user.

 

When you use Account Sync on every event, the data is sent early and often down to the provisioning layer and often times, the data is synched back to the corporate user before the task completes, as task is slower now, due to all of the separate account syncs.

 

If you want to use any data from the user attributes, you'll need to avoid Account Sync at task completion. If you can get the same data from the endpoint layer via the Account Values instead, the PX will work, as you avoid the problem with inbound sync.

Statistics
0 Favorited
4 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.