Some configuration settings, either at the task level or for the entire environment/installation, alter how the product executes. While there are no set recommendations, understanding these settings helps determine how best to configure the application for the environment in which it runs.
Background:
IM Tasks contain settings for User Synchronization and Account Synchronization. These settings control when Identity Policies are evaluated, as well as when and how IM performs outbound requests to the Provisioning Server. In addition, there are other settings which can aid in serializing some requests from the IM Server to the Provisioning Server.
Release: 14.4
Component: IDMGR
User Synchronization (default value on most tasks is OnTaskCompletion)
The User Synchronization setting only impacts Identity Policy evaluations, so it is better thought of as the "Identity Policy Evaluation" setting.
On Task Completion - The SynchronizeUserEvent will occur after all primary and secondary events are completed but before the SynchronizeAttributesWithAccountsEvent (if there is one).
Account Synchronization (default value on most tasks is OnTaskCompletion)
The Account Synchronization setting only impacts the outbound synchronization to the Provisioning Server, so it is better thought of as the "Provisioning Outbound Synchronization" setting. There is no right value to set this to.
Note: If the IM user store is not the authoritative source of data, then the compare that augments the change-set, along with the resending of the %ENABLED_STATE%, could unexpectedly update the Provisioning Global Users (and associated accounts), which could be undesirable. Also, attempting to use PX Policies to further manipulate newly created accounts is not possible, since those accounts would be created after the secondary events generated by the PX Policies.
Note: If many PX Policies are configured to execute, then many more secondary events will be generated, and this setting will lead to many more concurrent transactions to the Provisioning Server, which could be undesirable.
Other settings which will impact the outbound requests from the IM Server to the Provisioning Server include:
Accumulated Provisioning Roles (default value is not enabled)
By default, every Provisioning Role change issued by the IM Server to the Provisioning Server is sent in a separate transaction via the AssignProvisioningRoleEvent and RemoveProvisioningRoleEvent. This allows separate workflows to be configured for each role change; however, it can also lead to concurrency problems if two transactions attempt to act on the same endpoint/account. In the IM Management Console, under IME->Advanced Settings->Provisioning, the "Enable Accumulation of Provisioning Role Membership Events" setting can be enabled. This changes the event into AccumulatedProvisioningRolesEvent, grouping the Assign Provisioning Roles together and the Remove Provisioning Roles together. This will help prevent the concurrency problems but will lead to a loss of separate workflow functionality.
Allow Concurrent Modification on Same Global User (default value is Yes)
By default, the Provisioning Server allows multiple incoming modify requests to a Provisioning Global User to be completed concurrently, which could lead to race conditions. There is a setting in the Provisioning Manager under System->Domain Configuration->Identity Manager Server->Allow Concurrent Modifications on Same Global User that can be set to No to help serialize these incoming requests. This should be set to No in most cases, with the only exception being if there are any custom Provisioning Program Exits in place that access the Provisioning Global User.