Symantec IGA

  • 1.  How to provision user attribute which are not custom to AD endpoint

    Posted May 23, 2018 10:14 AM

    How to provision user attribute which are not custom to AD endpoint?

     

    I have a requirement where I want to provision %ENABLED_STATE% from IDM to AD.

     

    Component          | Well Known Name  | Physical Name
    -------------------+------------------+------------------
    IDM user store     | %ENABLED_STATE%  | imEnabledState
    Provisioning Store | %ENABLED_STATE%  | eTIMEnabledState
    AD                 |                  | reedDisableFlag

     

     

    I have listed reedDisableFlag in schema.ext and am able to see reedDisableFlag in the custom tab of the account template. Now I just wanted to know what I have to keep in the rule string against reedDisableFlag.

     

     

    Quick help will be appreciated. 

     

    Thanks! Alok



  • 2.  Re: How to provision user attribute which are not custom to AD endpoint

    Posted May 25, 2018 09:38 AM

    You would not put the AD managed endpoint account attributes in the IME mappings.

     

    When the IM User's %ENABLED_STATE% is changed, this will update the Provisioning User's %ENABLED_STATE% via the IME attribute mappings. At this point internal code will also update the Provisioning User's eTSuspended attribute (0 is active and 1 is suspended) automatically, so you must not map to eTSuspended. When the Provisioning User's eTSuspended is updated, the Provisioning Server will propagate the status change to the associated endpoint accounts.

     

    If you have already configured reedDisableFlag in the AD Connector's schema.ext file then you would want to update the AD Account Template's custom tab so that the reedDisableFlag references the provisioning user's eTSuspended attribute. The syntax for the rule string would be %#eTSuspended% and so as the Provisioning User's eTSuspended attribute is updated the value will propagate to reedDisableFlag via the associated provisioning role and account template.



  • 3.  Re: How to provision user attribute which are not custom to AD endpoint

    Posted May 25, 2018 02:44 PM

    Thanks Kenny, yes, I am able to provision eTSuspended to the AD endpoint.

     

    Would you please confirm: %ENABLED_STATE% has different possible values like 1, 2, 4, 8, 1677216, 16777217, 16777218, etc. Will eTSuspended similarly have such values?

     

    Basically I want to replicate %ENABLED_STATE% to AD endpoint's reedDisableFlag.

     

    Thanks! Alok



  • 4.  Re: How to provision user attribute which are not custom to AD endpoint
    Best Answer

    Posted May 25, 2018 02:50 PM

    eTSuspended would only have a value of 0 or 1. So in your case what you will need to do instead is map some other available attribute in the UserStore (i.e. UserStoreAttribute1) to a Provisioning Store custom attribute (i.e. eTCustomField01) and then use a PX Policy such that when you change %ENABLED_STATE% the new value for %ENABLED_STATE% is also set on UserStoreAttribute1 which in turn would be sent out to the Provisioning User to update eTCustomField01. The AD Account Template would then need to reference %#eTCustomField01% (the shorthand for that could be %UCU01%).



  • 5.  Re: How to provision user attribute which are not custom to AD endpoint

    Posted May 25, 2018 03:01 PM

    Yeah, it seems to resolve my issue. Thanks a lot. 



  • 6.  Re: How to provision user attribute which are not custom to AD endpoint

    Posted May 27, 2018 12:04 AM

    Thanks Kenny,

     

    Here is what I am doing now.

     

    There is an explicitly defined custom attribute, say disableFlagCustom, in the user directory, where data is propagated from %ENABLED_STATE% using PX. A mapping is done for disableFlagCustom with a custom attribute of the Provisioning Store.

     

    Now a rule string is used within the custom tab of the account template to provision the same, using the rule string %UCU01%.

     

    Note:

     

    The schema extension is already done in order to show the custom attribute of the AD endpoint within the custom tab of the account template. Global properties are also added against the 01 index with the attribute name of the provisioning store.

     

    Thanks! Alok