SCIM Connector - Application Roles not removed on Provisioning Role removal

Article ID: 113532

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

When a Provisioning Role is removed from the global user, the Application Roles (the account Role attribute mapped to eTDYN-str-multi-c-01) are not removed from the associated account.

Environment

Context:
IDSVA 14.1.0.CP5, CentOS.
SCIM Connector > CA API Gateway (REST/JSON to SOAP/XML transformation) > Custom SOAP Application Web Service.

Settings:
Endpoint / "Accounts will be deleted from the provisioning directory, but left unchanged on the managed endpoint".
Templates with weak sync.
Domain Configuration / Synchronization / "Remove Account Template Values From Accounts" = yes.

Cause

This is normal behavior, as designed. When you remove the last Provisioning Role (one that includes a template against an endpoint) from a global user, no synchronization algorithm runs to consider the account's capability values.
The removal is handled as an account deletion, and no synchronization algorithm is considered in an account deletion.
This holds even if you set "Accounts will be deleted from the provisioning directory, but left unchanged on the managed endpoint".
This behavior is generic to the provisioning framework and is not related to any endpoint type.
"Last Provisioning Role" means that no other Provisioning Role linked to a template against the same endpoint remains.
If another Provisioning Role linked to a template against the same endpoint does remain, the operation is no longer an account deletion.

Resolution

Working as designed (WAD). See the explanation under Cause.
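
Because accounts handled this way stay on the managed endpoint with their Application Roles intact, a periodic reconciliation can flag them for review. The following is an added example, not CA Identity Manager code: it assumes the endpoint's accounts are available as a SCIM 2.0 ListResponse, that the Application Roles appear in the standard SCIM `roles` attribute, and that the account names still present in the provisioning directory are exported separately; all sample data is constructed.

```python
import json

# Constructed sample: SCIM 2.0 ListResponse as the managed endpoint might return it.
SAMPLE_ENDPOINT_USERS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "a1", "userName": "jdoe",
         "roles": [{"value": "Reporter"}, {"value": "AppAdmin"}]},
        {"id": "a2", "userName": "asmith", "roles": [{"value": "Reporter"}]},
        {"id": "a3", "userName": "bwong", "roles": []},
    ],
})

# Constructed sample: account names still present in the provisioning directory.
SAMPLE_DIRECTORY_ACCOUNTS = {"asmith"}


def residual_roles(scim_list_json, directory_accounts):
    """Return {userName: [roles]} for endpoint accounts that are no longer in
    the provisioning directory but still carry Application Roles."""
    doc = json.loads(scim_list_json)
    # SCIM userName is case-insensitive (RFC 7643), so compare in lower case.
    managed = {name.lower() for name in directory_accounts}
    findings = {}
    for user in doc.get("Resources", []):
        name = user.get("userName", "")
        if name.lower() in managed:
            continue  # still managed: role changes go through synchronization
        roles = sorted(r["value"] for r in (user.get("roles") or [])
                       if r.get("value"))
        if roles:
            findings[name] = roles
    return findings


if __name__ == "__main__":
    found = residual_roles(SAMPLE_ENDPOINT_USERS, SAMPLE_DIRECTORY_ACCOUNTS)
    for name, roles in found.items():
        print(f"{name}: unmanaged account still holds {', '.join(roles)}")
```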