Symantec IGA

  • 1.  CA Directory (User Store) LDAP Queries with NULL value attributes

    Broadcom Employee
    Posted Dec 12, 2018 03:46 AM

    We are using Identity Policies which will assign/remove provision roles based on user attributes. We are using LDAP filters in the policy member rule, and the filter is failing to return users when attributes don't have any values. This was causing issues of not assigning/removing the provisioning roles.


    Example: (&(&(locationnumber=0551))(|(jobtitlecode=3515)(jobtitlecode=60512)(jobtitlecode=10431)(jobtitlecode=3514)(jobtitlecode=3516)(jobtitlecode=60511)(jobtitlecode=60055)(jobtitlecode=60094)(jobtitlecode=3575)(jobtitlecode=60510)(jobtitlecode=10142)(jobtitlecode=60056)(jobtitlecode=60093)(jobtitlecode=3517)(jobtitlecode=60509)(jobtitlecode=3500)(jobtitlecode=60508)(jobtitlecode=10143)(jobtitlecode=55051))(!(UserEmpType=CO)))


    The above filter is not returning the users who don't have a value in attribute UserEmpType. The same query will return users from Active Directory but not from CA Directory (user store).


    Has anyone faced this issue earlier with CA Directory?



  • 2.  Re: CA Directory (User Store) LDAP Queries with NULL value attributes

    Posted Dec 12, 2018 03:32 PM

    Support case 01259507 was also opened for this same question. That case was given the following response:


    Please try the following filter in your Identity Policy if you want it to trigger for users that have tgtotsystem set to workday and who also have some value set in tgtUserEmpType and let me know if it solves the problem.


    where tgtsotsystem equals workday
    and tgtUserEmpType not equals *



  • 3.  Re: CA Directory (User Store) LDAP Queries with NULL value attributes

    Broadcom Employee
    Posted Dec 13, 2018 09:54 AM

    In the use case originally provided, CA Directory is working as designed. If the attribute value is null/blank, it will not return anything. Here is the simplest way to confirm.


    In the following entry there is no 'displayName' populated.


    When a search is run where the filter has displayName in it, you get nothing in return.


    Now I add displayName as 'test' within that entry.


    Re-run the same search:
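The following is an added example, not code from any post in this thread or from CA Directory itself. It models the three-valued filter logic of RFC 4511 / X.511, in which an equality match on an attribute the entry lacks evaluates to Undefined and `(!(...))` of Undefined stays Undefined, which reproduces the behaviour described in posts 1 and 3 for entries with no UserEmpType value; that CA Directory follows exactly this model, and the shortened filter and sample entries, are assumptions for illustration. It also shows a presence-filter variant that explicitly accepts entries with no value.

```python
# Three-valued LDAP filter evaluation (RFC 4511 s.4.5.1 / X.511): a match on an
# attribute the entry lacks is Undefined, NOT(Undefined) is Undefined, only TRUE selects.
TRUE, FALSE, UNDEF = True, False, None

def parse(s, i=0):
    """Parse the (&, |, !, attr=value, attr=*) subset; return (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def evaluate(node, entry):
    """entry maps lower-cased attribute names to value lists; absent = no key."""
    if node[0] == "=":
        values = entry.get(node[1], [])
        if node[2] == "*":                 # presence filter is TRUE/FALSE, never Undefined
            return bool(values)
        if not values:                     # equality on a missing attribute
            return UNDEF
        return any(v.lower() == node[2].lower() for v in values)
    results = [evaluate(k, entry) for k in node[1]]
    if node[0] == "!":
        return UNDEF if results[0] is UNDEF else not results[0]
    if node[0] == "&":
        if any(r is FALSE for r in results): return FALSE
        return UNDEF if any(r is UNDEF for r in results) else TRUE
    if any(r is TRUE for r in results): return TRUE          # "|"
    return UNDEF if any(r is UNDEF for r in results) else FALSE

def search(filter_str, entries):
    node, _ = parse(filter_str)            # names of entries the filter selects
    return [n for n, e in entries.items() if evaluate(node, e) is TRUE]
BASE = {"locationnumber": ["0551"], "jobtitlecode": ["3515"]}   # constructed sample data
ENTRIES = {"contractor": {**BASE, "useremptype": ["CO"]},
           "employee": {**BASE, "useremptype": ["EE"]},
           "untyped": dict(BASE)}          # no UserEmpType value at all
ORIGINAL = "(&(locationnumber=0551)(|(jobtitlecode=3515)(jobtitlecode=60512))(!(UserEmpType=CO)))"
# Workaround: also accept entries where the attribute is absent, via a presence filter.
FIXED = "(&(locationnumber=0551)(|(jobtitlecode=3515)(jobtitlecode=60512))(|(!(UserEmpType=*))(!(UserEmpType=CO))))"
```

Under this logic `search(ORIGINAL, ENTRIES)` selects only "employee", while `search(FIXED, ENTRIES)` also selects "untyped"; a server that treats a missing attribute as FALSE (the Active Directory behaviour the first post reports) would return "untyped" for the original filter too.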