The difference between propagation and synchronization in provisioning and corresponding etautil commands

Article ID: 219916

Products

CA Identity Suite

Issue/Introduction

With a large number of Unix v2 accounts associated with an account template, how can we use etautil to update the password expiration days in those accounts via an account template change?

Environment

Release : 14.x

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

There are two mechanisms in the IM Provisioning Server that are used to pass account template changes on to the accounts: synchronization and propagation.
The LDAP requests and corresponding etautil command parameters are very similar for the two mechanisms, but the results are different, which can be quite confusing.

1) Synchronization is triggered by an LDAP request that modifies a single attribute in an account template: eTSyncAccounts="1", for instance:

etautil -d im -u etaadmin -p <password> -DYN update "'eTDYNPolicyContainerName=DYN Policies,eTNamespaceName=UNIX v2'" eTDYNPolicy eTDYNPolicyName="LINUX TEMPLATE" to eTSyncAccounts="1"

Synchronization affects only capable attributes; any other changes are not taken into consideration. The result of synchronization depends on the account template synchronization mode: weak or strong.

Please see this document for the details: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/administrating/managed-endpoints-and-provisioning/managed-endpoint-accounts/synchronize-users-account-templates-and-roles/synchronize-endpoint-accounts-with-account-templates.html

Password expiration in Unix v2 is not a capable attribute, and thus changes to that attribute cannot be synchronized with accounts.

2) Propagation is triggered by an LDAP request that modifies a number of attributes in an account template, including eTSyncAccounts="1", for instance:

etautil -d im -u etaadmin -p <password> -DYN update "'eTDYNPolicyContainerName=DYN Policies,eTNamespaceName=UNIX v2'" eTDYNPolicy eTDYNPolicyName="LINUX TEMPLATE" to eTDYN-str-multi-12="60" eTSyncAccounts="1"

The propagation operation passes all the changes in the account template on to the accounts. In the above example, the password expiration (eTDYN-str-multi-12) value will be propagated to all the Unix accounts associated with the modified template.

Please note that changes to capable attributes in an account template are synchronized with the accounts regardless of when those changes were made.
In contrast, the propagation operation takes only the changes from the LDAP request that triggered the propagation.
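
As an added example (not Broadcom code and not part of etautil), the following pre-flight check classifies an etautil update by the two triggers described above and tells whether a given attribute would reach the accounts. The helper names classify_update and reaches_accounts are hypothetical; the script assumes the attribute assignments are the words after the standalone "to", as in the commands above, and prints "none" when neither trigger described in this article matches.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of etautil.
# Input: the etautil argument vector; attribute assignments are the words
# after the standalone "to", as in the commands shown in this article.

# Print "synchronization", "propagation" or "none" for an update request.
classify_update() {
    seen_to=0; sync=0; others=0
    for word in "$@"; do
        if [ "$seen_to" -eq 0 ]; then
            if [ "$word" = "to" ]; then seen_to=1; fi
            continue
        fi
        name=${word%%=*}
        value=${word#*=}
        value=${value#\"}; value=${value%\"}   # tolerate literal quotes
        if [ "$name" = "eTSyncAccounts" ]; then
            if [ "$value" = "1" ]; then sync=1; fi
        else
            others=$((others + 1))             # any other modified attribute
        fi
    done
    if [ "$sync" -eq 0 ]; then echo "none"
    elif [ "$others" -eq 0 ]; then echo "synchronization"
    else echo "propagation"
    fi
}

# Succeed only if attribute $1 is carried by a propagation request ($2...).
# Propagation takes only the changes present in the triggering request, so
# the attribute must appear in the same command as eTSyncAccounts="1".
reaches_accounts() {
    attr=$1; shift
    [ "$(classify_update "$@")" = "propagation" ] || return 1
    seen_to=0
    for word in "$@"; do
        if [ "$seen_to" -eq 0 ]; then
            if [ "$word" = "to" ]; then seen_to=1; fi
            continue
        fi
        if [ "${word%%=*}" = "$attr" ]; then return 0; fi
    done
    return 1
}
```

Calling reaches_accounts eTDYN-str-multi-12 with the arguments of a planned command before running it shows whether the password expiration change is part of a propagation request or would be left out by a synchronization-only request.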