Strong sync vs Weak sync

Article ID: 138204


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

Changes that you make to account templates affect existing accounts. For example, if you change the value of a capability attribute, the corresponding account attribute is updated, if necessary, to stay in synchronization with the account template attribute value.

Environment

Release : 14.x

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

In general, if you update a template that uses weak synchronization, CA Identity Manager updates capability attributes as follows:

>If a number field is updated in an account template and the new number is greater than the number in the account, CA Identity Manager changes the value in the account to match the new number.

>If a check box was not selected in an account template and you subsequently select it, CA Identity Manager updates the check box on any account where the check box is not selected.

>If a list is changed in an account template, CA Identity Manager updates all accounts to include any value from the new list that was not included in the account's list of values.

>If an account belongs to other account templates (whether those templates use weak or strong synchronization), CA Identity Manager consults only the template that is changing. This action is more efficient than checking every account template. Because weak synchronization only adds capabilities to accounts

 

In other words, Weak Sync is all about compounding privileges, NOT deleting them.

 

However, when account changes are made, the behavior of Weak Sync capability attributes depends on whether the attribute is single-valued or multi-valued.

 

For example, in the case of a Siebel endpoint, the attributes are:

| Attribute | Description | Properties |
|---|---|---|
| SBLUserPosition | User's position | Multi-valued |
| SBLUserPrimaryPosition | User's primary position | |
| SBLUserResponsibility | User's Responsibility | Multi-valued, SyncRemoveValues |
| SBLUserPrimaryResponsibility | User's Primary Responsibility | |
| SBLUserOrganization | User's Organization | Multi-valued |
| SBLUserPrimaryOrganization | User's Primary Organization | |



>Multi-valued Attributes: These are essentially lists. Any extra values are added to the list, and any values already associated with the account remain.

>Single-Valued Attributes: These values may be replaced during a weak sync. If the value set in the template is lexicographically larger than the value associated with the account, it is eligible for sync; otherwise the original value remains on the account.

 

Multi-valued SyncRemoveValues Attributes:

Whether weak or strong synchronization is used affects whether account capabilities granted earlier, when an account template was assigned to an account, are taken away when that account template is later removed. With strong synchronization, a capability granted by an account template, such as a group membership or higher quota, will be taken away (group membership removed or quota lowered) if none of the account templates remaining on the account prescribe that capability. However, with weak synchronization, typically the account is unchanged because the Provisioning Server does not distinguish between on-demand extra capabilities and capabilities granted through account templates.

 

The exception to this rule is for certain multi-valued capability attributes designated as SyncRemoveValues attributes. A simple multi-valued attribute representing a collection of values assigned to the account (a group membership list, say), will typically be listed as a SyncRemoveValues attribute. For these attributes, the weak synchronization action that occurs while removing an account template from an account will remove values prescribed by the account template that is being removed - as long as that value is not also prescribed by one of the remaining account templates.
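
The rules above, modelled as an added Python example (not CA Identity Manager code or its API): attribute names come from the Siebel table, while the function names, template contents, and account values are constructed for illustration. Strong sync is modelled only as far as this article describes it, and `unprescribed` is a hypothetical audit helper that lists entitlements no assigned template grants.

```python
# Added illustration of the rules on this page; a model, not CA Identity Manager code.
# Attribute names are from the page; template contents and values are constructed.
SYNC_REMOVE_VALUES = {"SBLUserResponsibility"}  # flagged SyncRemoveValues above

def weak_sync_update(account, template):
    """Template changed: consult only that template; capabilities are only added."""
    result = dict(account)
    for attr, wanted in template.items():
        current = result.get(attr)
        if isinstance(wanted, set):                # multi-valued: union, nothing dropped
            result[attr] = set(current or ()) | wanted
        elif current is None or wanted > current:  # number, check box, or string
            result[attr] = wanted                  # replaced only when "larger"
    return result

def prescribed(templates, attr):
    """Values that the given templates prescribe for a multi-valued attribute."""
    return set().union(*(t.get(attr, set()) for t in templates))

def remove_template(account, removed, remaining, strong=False):
    """Template unassigned: strong sync, or a SyncRemoveValues attribute under weak
    sync, drops values that no remaining template prescribes."""
    result = dict(account)
    for attr, values in removed.items():
        if isinstance(values, set) and (strong or attr in SYNC_REMOVE_VALUES):
            result[attr] = set(account.get(attr, ())) - (values - prescribed(remaining, attr))
    return result

def unprescribed(account, templates):
    """Audit check: multi-valued entries on the account that no template grants."""
    extras = {a: v - prescribed(templates, a)
              for a, v in account.items() if isinstance(v, set)}
    return {a: v for a, v in extras.items() if v}

def demo():
    base = {"SBLUserResponsibility": {"ReadOnly"}}                       # constructed
    sales = {"SBLUserPosition": {"Sales Rep"},                           # constructed
             "SBLUserResponsibility": {"ReadOnly", "Sales Admin"},
             "SBLUserPrimaryPosition": "Sales Rep"}
    acct = {"SBLUserPosition": {"Analyst"}, "SBLUserResponsibility": {"ReadOnly"},
            "SBLUserPrimaryPosition": "Analyst"}
    granted = weak_sync_update(acct, sales)
    after_weak = remove_template(granted, sales, [base])
    after_strong = remove_template(granted, sales, [base], strong=True)
    return granted, after_weak, after_strong, unprescribed(after_weak, [base])

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Under weak sync the removed template's `SBLUserPosition` value stays on the account because that attribute is not a SyncRemoveValues attribute, which is the residue the audit helper reports.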

 

In summary:

Strong sync is the only way to guarantee that privileges are truly assigned and synchronized with a user account, but it does restrict privilege propagation outside of the template. Weak sync offers the benefit of compounding privileges, but changes are not always sync'd.