SCIM Connector - Application Roles not removed on Provisioning Role removal
Article ID: 113532
CA Identity ManagerCA Identity GovernanceCA Identity Portal
When a Provisioning Role is removed from the global user the Application Roles (account Role attribute mapped to eTDYN-str-multi-c-01) are not removed from the associated account.
Context: IDSVA 14.1.0.CP5, CentOS. SCIM Connector > CA API Gateway (Rest/Json to Soap/xml transformation) > Custom Soap Application Web Service.
Settings: Endpoint / "Accounts will be deleted from the provisioning directory, but left unchanged on the managed endpoint". Templates with weak sync. Domain Configuration / Synchronization / "Remove Account Template Values From Accounts" = yes.
This is a normal behavior as designed, when you remove the last Provisioning Role (including a template against an endpoint) from a global user, there is no Synchronization algorithm to consider the capability account values. In this account deletion perspective, no Synchronization algorithm is considered. Even if you set "Accounts will be deleted from the provisioning directory, but left unchanged on the managed endpoint". This behavior is generic inside the provisioning framework and is not related to any endpoint type. By the "last Provisioning Role" I mean no one else Provisioning Role linked to a template against this same endpoint remains. Of course if another Provisioning Role linked to a template against this same endpoint remains then we are no more into an account deletion process.