Reverse Sync Policy does not reject values

Article ID: 188324

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

We have configured a reverse sync modify policy to reject changes made on the endpoint directly (i.e. not via Identity Manager).
Testing it before implementing it in Production, we can see in View Submitted Tasks that the policy is triggered correctly; however, the new value is retained rather than rejected as per the policy configuration.

Environment

Identity Manager 14.x


Cause

Testing was done using Provisioning Manager, setting a different value on the account directly. By doing so, however, we make Identity Manager / Provisioning aware of the change, so the new value becomes the stored value and there is no "original / previous" value left to revert to when the policy is executed.
We can see this clearly when raising the logging level for the ims.policyxpress category, which shows that no rejected values are available:
[REVERSE:DETECTION:Modify Account] calculated data value of element "rejectedValues":

Resolution

In order for the reverse sync policy to work, the change has to come from the endpoint itself, not from any part of the IM tools, Provisioning Manager included.
We need to make the change to the user either via the endpoint (or an LDAP tool, where relevant), then kick off the E&C / ldapsearch command. We should not use the IM UI or Provisioning Manager to make that change directly on the account.

The reverse sync policy relies on its currently stored value to restore the endpoint value in case of rejection. When we use Provisioning Manager to change the value, the stored value is updated as well, so there is no previous value for the policy to restore, and it therefore appears not to be working.
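As an added illustration (not Broadcom's code, and a deliberately simplified hypothetical model of the behaviour described above), the following Python shows why a change made through Provisioning Manager leaves the reject policy with nothing to reject, while a change made on the endpoint is detected and reverted:

```python
# Hypothetical model of reverse sync detection; class and function names are
# assumptions for illustration, not CA Identity Manager APIs.
from dataclasses import dataclass


@dataclass
class ManagedAccount:
    """Attribute value that IM / Provisioning currently has stored for an account."""
    attr: str
    stored: str


@dataclass
class Endpoint:
    """The target system's own copy of the same attribute."""
    current: str


def change_via_provisioning_manager(acct: ManagedAccount, ep: Endpoint, new_value: str) -> None:
    """A change made through IM tools (Provisioning Manager / IM UI).

    Both the endpoint and the stored copy move to the new value, so the
    previous value is lost and later detection sees no difference."""
    ep.current = new_value
    acct.stored = new_value


def change_on_endpoint(ep: Endpoint, new_value: str) -> None:
    """A change made directly on the endpoint (or via an LDAP tool).

    Only the endpoint moves; IM's stored copy still holds the original."""
    ep.current = new_value


def reverse_sync_modify(acct: ManagedAccount, ep: Endpoint, policy: str = "reject") -> list:
    """Run the detection step (what E&C / ldapsearch triggers) and apply the policy.

    Returns the values that were rejected; the list is empty when the endpoint
    value already matches the stored value, which is exactly the
    'rejectedValues' element being empty in the ims.policyxpress log."""
    rejected = []
    if ep.current != acct.stored:
        rejected.append(ep.current)
        if policy == "reject":
            ep.current = acct.stored  # restore from the stored (previous) value
    return rejected


if __name__ == "__main__":
    # Constructed sample: the same edit made two ways.
    a, e = ManagedAccount("title", "Analyst"), Endpoint("Analyst")
    change_on_endpoint(e, "Admin")
    print("endpoint change  ->", reverse_sync_modify(a, e), e.current)  # ['Admin'] Analyst
    a, e = ManagedAccount("title", "Analyst"), Endpoint("Analyst")
    change_via_provisioning_manager(a, e, "Admin")
    print("PM change        ->", reverse_sync_modify(a, e), e.current)  # [] Admin
```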