In our IM environment, the Admin Role is associated with the user's group membership, and we sometimes assign an Admin Role to an IM user by directly modifying the associated group membership in the user store. However, because IM caches Admin Role membership, it is not aware of changes made directly in the user store by a third-party tool. How do we make IM refresh the Admin Role cache so that it reflects the user's Admin Role membership correctly?
Environment
Release: CA Identity Manager Component:
Resolution
The Modify Admin Role task refreshes the role membership cache. We can therefore use the Modify Admin Role task to modify the affected Admin Role and submit the task without making any change; the IM server then refreshes the role membership cache and reflects the user's Admin Role correctly.
To make this happen automatically, we can create a Bulk Task that triggers the Modify Admin Role task.
In Modify Admin Task: Create Bulk Task Definition, switch to the Tabs tab
Click the pencil icon next to Profile: BulkTaskProfile
On Configure Profile, select the following under Object Types: Admin Role
Submit the changes
Create Bulk Task Definition, for example:
Name: Trigger Modify Admin Role Task
Object Type: Admin Role
On the Population tab, adjust the Object Filter accordingly. Note: Define a filter other than "(all)" if only a few Admin Roles are of concern.
Submit the changes
Execute Bulk Task
Bring up Execute Bulk Task and select "Schedule new job" under Task Recurrence, for example:
Job Name: Refresh Admin Role Cache
Daily schedule
Every 1 Day
Execution Time: 00:00
On Bulk Task Execution, select Bulk Task Definition: Trigger Modify Admin Role Task
Submit all the changes
After these changes, the IM server refreshes the Admin Role membership cache every day at 00:00.