CA Identity ManagerCA Identity GovernanceCA Identity PortalCA Identity Suite
We have configured a reverse sync modify policy to reject changed made on the endpoint directly (ie not via Identity Manager). Testing it before implementing in Production, we can see in View Submitted Tasks that the policy is triggered correctly, however, the new value is retained, rather than rejected as per the policy configuration.
Testing was done using Provisioning Manager - setting a different value on the account directly. However, by doing so, we are making Identity Manager / Provisioning aware of this change and the new value is retained, leaving no "original / previous" value to revert to when the policy is executed. We can see this clearly when enhancing logging levels for ims.policyxpress category which will show no rejected values available [REVERSE:DETECTION:Modify Account] calculated data value of element "rejectedValues":
Identity Manager 14.x
In order for the reverse sync policy to work, the change has to come from the endpoint itself, not from any part of IM Tools, Provisioning Manager included. We need to make a change to the user either via the endpoint (or an LDAP tool, where relevant), then kick the the E&C / ldapsearch command. We should not use IM UI or Provisioning Manager to make that change directly on the account.
Reverse sync policy relies on its current stored value to restore the endpoint value, in case of rejection. When we use Provisioning Manager to change the value, there is no other, previous value for it to restore to, hence it seems not to be working.