CA Identity Manager Admin Task modifies Provisioning Multi-valued Custom Field attribute repeatedly.
search cancel

CA Identity Manager Admin Task modifies Provisioning Multi-valued Custom Field attribute repeatedly.


Article ID: 41301


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On



The "Modify User" CA Identity Manager Admin Task attempts to modify the Provisioning Multivalued Custom Field 01 attribute on each Submission, even if its mapped corporate User Store attribute has not been changed and even if values are matching.



Applies to all the specified CA Identity Manager versions.



From the Provisioning server etatrans log analysis, it can been identified that the "eTCustomField01" multi-valued attribute modification is triggered by the Outbound Synchronization, well set values in the order they are reported by the corporate "colleagues" multi-valued attribute and completes successfully. 

However the data was not modified and is not effective within the Provisioning Directory itself (handled by CA Directory).

This is because in most cases attribute values are officially unordered and so Provisioning Directory default configuration does not care of values ordering.


Note this trouble comes from the attributes (corporate/provisioning) ordering de-synchronization which is caused by modifications done externally of CA Identity Manager solution. 

When both attributes are handled in a similar manner only through CA Identity Manager solution then attributes mapping configuration should be enough to keep data synchronized.



Release: CAIDMB99000-12.6.7-Identity Manager-B to B


Steps to reproduce :

1- From CA Identity Manager Management Console, an Identity Manager Environment / Advanced Settings / Provisioning is configured with Attribute Mappings.

 As a sample, Corporate User Store "colleagues" Attribute is mapped with Provisioning "eTCustomField01" Attribute.

 Both attributes are with "Multi-Valued" properties equals 'true' in their own CA Identity Manager Directories definition.

 Initially, we are assuming both attributes are empty (no value).

2- Verify the "Modify User" Identity Manager Admin Task is defined with "Account Synchronization" set to "On task completion".

3- Submit the "Modify User" Identity Manager Admin Task to set several different values on the "colleagues" User's attribute.

As a result, the User's Provisioning "eTCustomField01" attribute is filled with these values as expected.

4- Modify the User's "colleagues" Attribute by keeping the values but changing the order directly within the Corporate User Store (outside of CA Identity Manager).

5- Submit the "Modify User" Identity Manager Admin Task to change any of the User's attributes else "colleagues" one.

As a result, the "Modify User" Identity Manager Admin Task event details report changed the User's Provisioning "eTCustomField01" attribute values with the ones from the "colleagues" Corporate User Store attribute (step -4) while values from both attributes are matching.

6- ReSubmit the same "Modify User" Identity Manager Admin Task again and again is resulting with same behavior attempting to change the User's Provisioning "eTCustomField01" attribute.




Change the Provisioning Directory configuration by defining CA Directory 'keep-order-of-values' setting.

Within the Provisioning DSA (CA Directory DXserver/config/settings/impd-co.dxc), you would need to define the "eTCustomField01" Provisioning attribute within this setting (add the line if setting does not exist). 

set keep-order-of-values = eTCustomField01; 

Note, this setting has to be defined for all Provisioning Directory Servers and CA Directory DSA.  Recycle to make the change effective ('dxserver stop impd-co', 'dxserver start impd-co').


Once this configuration is done, you should still see the "eTCustomField01" modification when the data is different from "colleagues" (including order matching) as per the Outbound Synchronization feature.

However the modification should then be effective within the Provisioning Directory and occurs only once (else another modification is done on "colleagues").

Set keep-order-of-values Command—Keep Order of Values for Attribute Types

The set keep-order-of-values command lets you specify attribute types whose values must be kept in the order in which they were added.

Note: This command will not work for operational attributes, distinguished values or object class values.

This command has the following format:

set keep-order-of-values = attr-list;

A comma-separated list of the attribute types whose values must be kept in the order in which they were added.

Alternatively, specify "none" if you do not want to keep the order in which values are added for any attribute type.