Symantec IGA

  • 1.  How to define correlation rule / reverse synchronization to define mapping for only selected attribute of CORP store against AD endpoint

    Posted Sep 15, 2018 12:32 PM

    Hi Friends,

I need your help to define a correlation rule / reverse synchronization, where I want to update only a few attributes in the CORP store from the AD endpoint when the correlation rule executes. As well, when the explore/correlate rule executes
    I don't want any new user creation in the CA system if explore finds any new account at the endpoint which is not present in the CORP store.

Right now I have defined a correlation attribute on the global user by which the search at the endpoint is done and the associated account is getting updated.

    Problem here is:

    My correlation is creating a user in the provisioning system under the endpoint section if the user is present at the endpoint but not in the provisioning system.

    Please note: this user creation is only under the endpoint, not as a global user.

Next one: right now I don't know how to define the set of attributes for which only reverse sync works. E.g., let's say in AD someone changes First and Last name; then I can define a rule in the provisioning system such that only the First Name update
    gets pulled, not the Last Name.

    Thanks! Alok



  • 2.  Re: How to define correlation rule / reverse synchronization to define mapping for only selected attribute of CORP store against AD endpoint

    Posted Sep 15, 2018 01:26 PM

I got the solution for the first part, where I have to define a custom attribute mapping within the endpoint to get updates of only the selected attributes. But the second part is still an issue.

    I don't want new account creation within the endpoint container of provisioning, in case an account exists in AD but not in provisioning.

     

    Thanks! Alok



  • 3.  Re: How to define correlation rule / reverse synchronization to define mapping for only selected attribute of CORP store against AD endpoint
    Best Answer

    Broadcom Employee
    Posted Sep 17, 2018 06:47 AM

Hi Alok

    You can't avoid the second part. The endpoint container of the Provisioning Server is simply a view of the AD accounts that the Provisioning Server knows about through either explore (and optional correlate) or through actual account creation. The Provisioning Server cannot "un-know" an AD account once it has discovered it.

    The only possible option would be to delete the account on the Provisioning Server, but configure the AD endpoint in the Provisioning Server such that account deletion doesn't actually delete the account on the actual AD endpoint. But this is a global setting, so it could break your "leaver" use case, if you have a requirement to actually delete AD accounts of leavers.

    Alternatively, insist that the AD administrator puts all AD accounts that shouldn't be imported into the Provisioning Server in some special OU that you can exclude from the explore definition. Or maybe make use of filtering during the explore process to exclude these accounts. This assumes that you know in advance which accounts to exclude.

    Pearse
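The two behaviours discussed in this thread, as an added illustration that is not part of the original posts and not Symantec IGA / CA Identity Manager code: a reverse-sync mapping that lets only selected AD attributes (here givenName, not sn) flow into the CORP store, and an explore whose scope is limited by an excluded OU, where the endpoint view, once an account is discovered, only ever grows. All account data, OU names and the attribute map are constructed and the product's real configuration format is not used.

```python
# Constructed AD accounts keyed by DN. "Excluded" is the special OU the AD
# administrator would use for accounts that must never be imported.
AD_ACCOUNTS = {
    "CN=alice,OU=Staff,DC=corp,DC=example":
        {"givenName": "Alice", "sn": "Ng", "mail": "alice@corp.example"},
    "CN=bob,OU=Staff,DC=corp,DC=example":
        {"givenName": "Bob", "sn": "Ruiz", "mail": "bob@corp.example"},
    "CN=svc-backup,OU=Excluded,DC=corp,DC=example":
        {"givenName": "svc", "sn": "backup", "mail": ""},
}

# Hypothetical reverse-sync mapping: only AD attributes listed here are
# written to the CORP store. 'sn' is deliberately absent, so a Last Name
# change in AD is never pulled.
REVERSE_SYNC_MAP = {"givenName": "firstName"}


def in_ou(dn, ou):
    """True if the DN contains the given OU as one of its RDNs."""
    rdns = [rdn.strip().lower() for rdn in dn.split(",")]
    return f"ou={ou.lower()}" in rdns


def explore(accounts, excluded_ous, known):
    """Simulate an explore run: every account outside the excluded OUs is
    added to 'known', the endpoint view. Entries are never removed, which
    mirrors the point that the server cannot "un-know" an account."""
    for dn, attrs in accounts.items():
        if any(in_ou(dn, ou) for ou in excluded_ous):
            continue  # filtered out of the explore scope
        known.setdefault(dn, dict(attrs))
    return known


def reverse_sync(ad_attrs, corp_user):
    """Apply changed AD attributes to a CORP store user, but only those that
    appear in REVERSE_SYNC_MAP; everything else on the CORP user is kept."""
    updated = dict(corp_user)
    for ad_name, corp_name in REVERSE_SYNC_MAP.items():
        if ad_name in ad_attrs:
            updated[corp_name] = ad_attrs[ad_name]
    return updated
```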



  • 4.  Re: How to define correlation rule / reverse synchronization to define mapping for only selected attribute of CORP store against AD endpoint

    Posted Sep 18, 2018 02:05 AM

So it means there is no way to ignore data flow from the endpoint to IDM, good. I was looking for something which can suppress the backward data flow.

    Thanks! Alok