Symantec Access Management

  • 1.  Auto Sync User, Group Objects for memberships

    Posted Oct 04, 2016 04:11 PM

    How do I auto-sync user and group objects in CA Directory whenever a group membership is added/removed in one object through dx commands, like AD? If I delete a group, how do I make sure it is deleted from all user objects?



  • 2.  Re: Auto Sync User, Group Objects for memberships

    Posted Oct 04, 2016 06:14 PM


  • 3.  Re: Auto Sync User, Group Objects for memberships

    Posted Oct 05, 2016 04:26 PM

    Thanks Justin for the prompt reply with useful info. If this approach is implemented, are there any impacts on CA IDM like performance, scalability (2 Lakh users, 2 Lakh groups), or out-of-box group handling?



  • 4.  Re: Auto Sync User, Group Objects for memberships

    Posted Oct 05, 2016 08:19 PM

    Yes the performance impact depends on the use case. I'm not sure how IDM uses groups.

     

    The impact is reasonably small for updates to groups. For example, adding a single member to a group will trigger one additional update.

    If a group is added with 200K members, then this will trigger 200K updates to populate the memberOf attribute in each entry. This will have an initial drain on performance, so such a bulk update could potentially be run out of hours.

    If group modifies are performed using remove-attribute member, add-attribute member instead of remove-value "DN", add-value "DN", then this would be inefficient.

    The normal use case for groups is that a user is provisioned/de-provisioned and then added/removed to/from a number of groups. Each update will trigger an additional update to keep memberOf synchronized.

    As an aside, the memberOf feature only works for static groups. CA Directory also supports dynamic groups. We have a feature called views that can be configured to return memberOf that is virtual (dynamically populated). Views also work for static groups, but using them requires the LDAP client to redirect requests to a special base object to trigger this behavior. This may not work within the confines of an existing application.
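To make the cost model in the reply above concrete, here is an added example (not from the original thread, and not CA Directory code): a small in-memory model of a DSA that maintains a memberOf back-link on user entries whenever the member attribute of a static group changes. Each group operation returns the number of extra entry updates it caused, so you can see why a single add-value/remove-value costs one update, why creating a group with N members costs N, why a remove-attribute/add-attribute style modify costs (old members + new members), and why deleting a group has to touch every member's entry. All DNs, class names and the `Directory` helper are hypothetical.

```python
"""Hypothetical model of memberOf back-link maintenance for static groups.

This is illustrative only: it mimics the update-count behaviour described
in the forum reply, it is not how CA Directory implements the feature.
"""


class Directory:
    """In-memory stand-in for a DSA holding user and static group entries."""

    def __init__(self):
        # dn -> {attribute: set(values)}; every user starts with an empty memberOf
        self.entries = {}

    def add_user(self, dn):
        self.entries[dn] = {"objectClass": {"inetOrgPerson"}, "memberOf": set()}

    # ---- back-link maintenance: each call is one extra entry update -------
    def _link(self, member_dn, group_dn):
        self.entries[member_dn]["memberOf"].add(group_dn)
        return 1

    def _unlink(self, member_dn, group_dn):
        self.entries[member_dn]["memberOf"].discard(group_dn)
        return 1

    # ---- group operations; each returns the number of extra updates ------
    def add_group(self, dn, members):
        """Creating a group with N members populates memberOf on N entries."""
        self.entries[dn] = {"objectClass": {"groupOfNames"}, "member": set(members)}
        return sum(self._link(m, dn) for m in members)

    def add_value(self, group_dn, member_dn):
        """add-value "DN": touches exactly one member entry."""
        self.entries[group_dn]["member"].add(member_dn)
        return self._link(member_dn, group_dn)

    def remove_value(self, group_dn, member_dn):
        """remove-value "DN": touches exactly one member entry."""
        self.entries[group_dn]["member"].discard(member_dn)
        return self._unlink(member_dn, group_dn)

    def replace_members(self, group_dn, new_members):
        """remove-attribute member followed by add-attribute member.

        Every existing member loses the back-link and every new member gains
        it, even when the two lists differ by a single DN.
        """
        old = set(self.entries[group_dn]["member"])
        updates = sum(self._unlink(m, group_dn) for m in old)
        self.entries[group_dn]["member"] = set(new_members)
        updates += sum(self._link(m, group_dn) for m in new_members)
        return updates

    def delete_group(self, group_dn):
        """Deleting a group removes the back-link from every member entry."""
        members = self.entries.pop(group_dn)["member"]
        return sum(self._unlink(m, group_dn) for m in members)

    def member_of(self, user_dn):
        return set(self.entries[user_dn]["memberOf"])


def demo():
    """Run the scenarios from the reply on a constructed five-user directory."""
    d = Directory()
    # Constructed sample DNs (hypothetical suffix).
    users = [f"cn=user{i},ou=people,dc=example,dc=com" for i in range(1, 6)]
    for u in users:
        d.add_user(u)
    g = "cn=staff,ou=groups,dc=example,dc=com"

    costs = {}
    costs["add_group_3_members"] = d.add_group(g, users[:3])  # 3 updates
    costs["add_value"] = d.add_value(g, users[3])             # 1 update
    costs["replace_members"] = d.replace_members(g, users)    # 4 + 5 = 9 updates
    costs["remove_value"] = d.remove_value(g, users[4])       # 1 update
    costs["delete_group"] = d.delete_group(g)                 # 4 updates
    return costs, d, users


if __name__ == "__main__":
    costs, d, users = demo()
    for op, n in costs.items():
        print(f"{op:22s} -> {n} extra entry update(s)")
    print("memberOf after delete:", [sorted(d.member_of(u)) for u in users])
```

The `replace_members` path is the one the reply calls inefficient: changing one DN in a group with 200K members via remove-attribute/add-attribute rewrites roughly 400K user entries, whereas add-value/remove-value rewrites one.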