Symantec Identity Manager Synchronization issue even though PASSWORD_DATA is NOT mapped

Article ID: 385189

Products

CA Identity Suite

Issue/Introduction

PASSWORD_DATA is not mapped in the Management Console, yet it still triggers synchronization.

The latest etatrans logs show that PASSWORD_DATA is still being passed between the IM User Store and the Provisioning Store as if it were mapped. This attribute is not used by IMPS and only adds overhead, so the mapping should be removed. Attribute mappings are maintained from the Management Console under Advanced Settings / Provisioning.

20241220:110637:TID=1f4b40:Add       :D703:E701:P:     eTIMPasswordData:  H4sIAAAAAAAAAGXMsQrCUAyF4XfJfAddswri4OAgOIhDJGkNpDeS9LaI+O
20241220:110637:TID=1f4b40:Add       :D703:E701:P:+    7aTXH9/sN5wiSR6hVwXcC817oltRaSgKuPUI77RY86CGBtZgXuIZN6y7+wrA+nzY1qL9/OmnQ14Z8
20241220:110637:TID=1f4b40:Add       :D703:E701:P:+    Typw9eKc5ejwAz5cCg7N2KgzYkaW83ml25DyfAAAA

Environment

IM 14.5.1 on RHEL 8.4

Cause

IDM sends PASSWORD_DATA to IMPS even though this attribute is not mapped between a User Store attribute and a Provisioning Store attribute.

Resolution

Ensure the provisioning directory (provdir) XML has the following definition:

<ImsManagedObjectAttr physicalname="eTIMPasswordData" description="Used by password policies" displayname="Password Data" valuetype="String" wellknown="%PASSWORD_DATA%" maxlength="0" hidden="true">
    <DataClassification name="sensitive"/>
</ImsManagedObjectAttr>

Then create a user with an empty provisioning role and verify in etatrans.log that password data is being sent to IMPS even though there is no mapping in the Management Console.
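As an added example (not from the article or the product), a small Python parser for lines in the etatrans.log format shown above: it joins the "+" continuation fragments onto their attribute line and reports which transactions carry eTIMPasswordData. The sample log is constructed with placeholder values, and eTExampleAttr is a made-up attribute name.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the shape of the etatrans.log excerpt above.
# The attribute values are placeholders, not real password data;
# eTExampleAttr is a made-up attribute name.
SAMPLE_LOG = """\
20241220:110637:TID=1f4b40:Add       :D703:E701:P:     eTIMPasswordData:  AAAABBBBCCCC
20241220:110637:TID=1f4b40:Add       :D703:E701:P:+    DDDDEEEE
20241220:110637:TID=1f4b40:Add       :D703:E701:P:     eTExampleAttr:  some-value
20241220:110702:TID=2a9c11:Modify    :D703:E701:P:     eTExampleAttr:  other-value
"""

# timestamp : TID=<hex> : <op> : <code>:<code> : P : ['+' marks a continuation] <payload>
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}:\d{6}):TID=(?P<tid>[0-9a-f]+):(?P<op>\w+)\s*:"
    r"[^:]*:[^:]*:P:(?P<cont>\+?)\s+(?P<payload>.*)$"
)


class AttrRecord(NamedTuple):
    tid: str
    op: str
    attr: str
    value: str


def parse_etatrans(log_text: str) -> List[AttrRecord]:
    """Extract (tid, op, attribute, value) records, appending '+' continuation
    fragments to the attribute line that precedes them."""
    records: List[AttrRecord] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an attribute line of a transaction trace
        if m.group("cont") == "+":
            if records:  # fragment belongs to the last attribute seen
                last = records[-1]
                records[-1] = last._replace(value=last.value + m.group("payload").strip())
            continue
        attr, _, value = m.group("payload").partition(":")
        records.append(AttrRecord(m.group("tid"), m.group("op"), attr.strip(), value.strip()))
    return records


def transactions_sending(log_text: str, attr: str = "eTIMPasswordData") -> List[str]:
    """TIDs of transactions that send `attr` to IMPS; a non-empty result means the
    attribute is still flowing even though it is not mapped in the console."""
    return sorted({r.tid for r in parse_etatrans(log_text) if r.attr == attr})


if __name__ == "__main__":
    print(transactions_sending(SAMPLE_LOG))  # ['1f4b40']
```

Run it against a real etatrans.log by reading the file into `log_text`; an empty list after applying the HotFix confirms the attribute is no longer sent.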

A HotFix (HF) is available that resolves this issue. Please raise a support ticket to obtain it.

Additional Information

Reference DE#DE624003

HF-DE624003+-+DE623923.zip