Symantec IGA

  • 1.  Reverse Modify Sync on IDM 12.6sp5

    Posted May 17, 2016 05:25 PM

    Hi Guys,


    Need your help in this regards.


    1. We have the following setup in our IDM environment.

    -- Accounts get created in IDM (CA Directory) and are then synced down to AD.

    -- Service accounts get created in AD and are then brought into IDM on Explore/Correlate.

    -- Most of the modifications to the accounts occur in AD and are then applied to IDM during Explore/Correlate.


    2. We need the following requirement to be met.

    -- Service accounts will be created in AD and brought into IDM. (These service accounts will be present in a particular OU for which the E/C definition is set to create the accounts in IDM.)

    -- During the Explore/Correlate process, we would like to bring in only 2 attributes from AD to IDM (AD distinguished name and mailbox). Other than these 2 attributes, no attributes should be brought into IDM, even if an update is made on the AD account.


    I have followed the instructions provided in "Policies for Reverse Synchronization - CA Identity Manager - 12.6.5 - CA Technologies Documentation", which speaks about how to reject the attributes on Explore/Correlate.


    Even after configuring this policy, I still see that the account gets updated in IDM. So basically 2 events are performed upon Explore/Correlate:


    1. ModifyProvisioningactivity event (this rejects the attributes) -- Provisioning activity tasks

    2. Modify User event (this updates the IDM attributes) -- Provisioning Modify tasks


    Can anyone help me with how to stop the update in IDM during Explore/Correlate?



  • 2.  Re: Reverse Modify Sync on IDM 12.6sp5
    Best Answer

    Posted May 19, 2016 11:49 AM

    I don't believe IM Reverse Sync Policies are what you need. A rejection there would be if someone had updated a value on the AD side and then you wanted to reject it and have the new value replaced by the old value on the AD account again. You can also review the following link concerning IM Reverse Sync Policies.

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1681674.aspx


    Each acquired endpoint has Endpoint Attribute Mappings. What is listed there will alter what data is retrieved via an Explore, and then, when an Update is run as part of the Explore (optional), it will apply that information to the mapped Provisioning User field. Then an inbound notification will be generated and sent to the IM layer to be applied to the mapped IM User field.


    It sounds like what you would want to do is review the Endpoint Attribute Mappings on the AD endpoint as well as review your Explore definition to see whether you are also performing the Update or not.


    If further assistance is needed I would recommend opening a support case.



  • 3.  Re: Reverse Modify Sync on IDM 12.6sp5

    Posted May 23, 2016 10:18 AM

    Thanks Kenny.


    Removing the Endpoint attribute mapping did the trick.