Question:
I'm attempting to use an IM Reverse Sync Policy to detect group memberships added to AD Accounts outside of the IM Application, and rejecting them does not remove the group membership from the AD Account. What am I doing wrong?
Release:
Component: IDMGR
Follow these steps:
This process flow could have the following potential problem spots:
- The endpoint did not have groupMembership in the Endpoint Attribute Mappings
- An Explore was not performed because the groupMembership was added to the account on the native ADS system
- Inbound Notifications are not enabled in the Provisioning Server or some failure in writing the notifications to the Provisioning Repository’s notify DSA
- Inbound Notifications are suspended in the Provisioning Server and not being sent to IM, or the IM Server cannot be reached, or the wrong IME is configured to receive the notification, or the notification process is stuck retrying a failing “bad” notification, or the notification queue is large and there is a delay in process the notification of interest
- The IM Reverse Sync Policies does not have proper matching value defined
Note: in the case of an AD Account groupmembership the group value would be the IAM Handle format so the values would be something like the following:
ADSGroup=Administrators,ADSContainer=Builtin,EndPoint=My_Endpoint,Namespace=ActiveDirectory,Domain=im,Server=Server
ADSGroup=My_Group,ADSOrgUnit=My_OU,EndPoint=My_Endpoint,Namespace=ActiveDirectory,Domain=im,Server=Server
If using Endpoint Attribute Mappings and/or IM Reverse Sync Policies, consider these important limitations, as these features could introduce additional unexpected problems.
1) Both Endpoint Attribute Mappings and Custom Correlation Rules alter the amount of data retrieved both during an Explore and stored on the account reference object in the Provisioning Repository. This could lead to Explores taking longer and/or needed sizing of the Provisioning Repository.
2) When the Provisioning Server receives a request to view an account, it first retrieves whatever attribute data is stored in the Provisioning Repository. Because Endpoint Attribute Mappings and Custom Correlation Rules alter the stored attributes, these view account requests start to display the information stored on the last Explore rather than the current data on the endpoint, which may be different. This “stale” data is not be refreshed until running the next Explore, as long as the attribute in question is still listed either on the Endpoint Attribute Mappings or Custom Correlation Rules. If the attribute in question is not part of the Endpoint Attribute Mappings or Custom Correlation Rules, then that “stale” data will not be refreshed or removed. This case requires a manual cleanup of the Provisioning Repository (that is, port 20391 connection) to clean up data stored on that previously mapped attribute.
3) Running an Explore operation frequently and/or against endpoints with many objects generate a large volume of inbound notifications in the queue that require processing. The larger the queue, the longer the delay between when an operation that was initiated/completed outside of the IM Server makes it to the IM Server to be processed, and can impact the resources needed by the systems.
4) Running an Update operation pushes the mapped account attribute value currently stored in the Provisioning Repository to its corresponding provisioning user attribute. These provisioning user attribute updates will not be pushed down to other associated accounts as part of this update. Updating the provisioning user generates its own inbound notification sent to the IM Server, triggering a Provisioning Modify User task to update the IM userstore attribute value mapped to this provisioning user attribute.
5) The IM Reverse Sync Policy Reject will undo the account attribute change so that it is back to being what it was prior to the update caused by the Explore. However, the IM Reverse Sync Policy will not undo the provisioning user and IM userstore attribute value if that also has been updated, thus a rejected account value may still persist on the user objects.
6) The default IM task setting for Account Synchronization on most tasks is “Task Completion”. This causes a compare to take place during the SynchronizeAttributesWithAccountsEvent between the IM userstore user and the corresponding provisioning user for the IME mapped attributes. This in turn treats the IM userstore user as the authoritative source, and push that value to the provisioning user, possibly pushing the value down to associated accounts.
The risk of undesired values being passed around could increased if:
Please review KB 36216 for a more detailed explanation on the IM Task Settings (User Synchronization and Account Synchronization).