Why do some attributes sync on a policy change, while some don't?
search cancel

Why do some attributes sync on a policy change, while some don't?


Article ID: 53594


Updated On:


CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting



When applying a role to a user, certain attributes that may have changed in the policy don't propagate to the account.


Admin has the concept of Initial VS. Capability attributes. Initial attributes will only be set the first time a policy/role is applied to a Global user. Capability attributes will 'sync' each time the policy is update and synced with the user.

You can find out which attribute are capability type attributes by dumping the parser files.

Admin comes with a utility for dumping parser files called dumpptt.exe. The parser files are located in your %ETAHOME%\data folder.

The usage is as follows:

Usage: dumpptt [-c] [-a] [-f] [-b] [-t parser_table] [-of output_file ]
    -c               : Show account capability attributes
    -a               : Show classes on which ACL can be set
    -a -f            : Show classes and attributes on which ACL can be set
    -f               : Show full definition.
                       (By default, only most useful info)
    -b               : Show brief classes definition.
    -t  parser_table : Specify the parser table to be dumped
    -of output_file  : Specify the output file name

Here's an example of a dump of the Active Directory parser file:

%ETAHOME\data:\>dumpptt -t adsparse.ptt -c -of adsdump.txt

This will output a list of the attributes that are capability attributes. Here's the contents on the adsdump.txt:

Listing Account Capability Attributes

ActiveDirectory(Active Dir. Account):

    Attribute Name         Description                                                               Multi-valued SyncRemoveValues
    ---------------------  ------------------------------------------------------------------------  ------------ ----------------
    accountExpires         Account expiration date                                                    
    GroupMembership        List of groups user is in                                                 Multi-valued SyncRemoveValues
    logonHours             Permitted user-login times                                                 
    altSecurityIdentities  Security Identity Mapping                                                 Multi-valued SyncRemoveValues
    ADSwtsProfilePath      Terminal Services: Terminal Server Profile Path                            
    ProxyAddresses         List of email addresses (Exchange2000 only)                               Multi-valued SyncRemoveValues
    submissionContLength   Maximum size of an outgoing message (Exchange2000 only)                    
    delivContLength        Maximum size of an incoming message (Exchange2000 only)                    
    authOrig               Accept message from Mailbox (Exchange2000 only)                           Multi-valued SyncRemoveValues
    unauthOrig             Refuse message from Mailbox (Exchange2000 only)                           Multi-valued SyncRemoveValues
    msExchRecipLimit       Maximum number of recipients for outgoing message (Exchange2000 only)      
    mDBUseDefaults         Use Default values for Storage Quotas (Exchange2000 only)                  
    mDBStorageQuota        Issue warning at (KB) (Exchange2000 only)                                  
    mDBOverQuotaLimit      Prohibit send and receive at (KB) (Exchange2000 only)                      
    mDBOverHardQuotaLimit  Prohibit send at (KB) (Exchange2000 only)                                  
    garbageCollPeriod      Days deleted items should be kept (Exchange2000 only)                      
    deletedItemFlags       Provides from deleting permatently items - if true - (Exchange2000 only)   
    MailboxRights          Mailbox Rights (Exchange2000 only)                                        Multi-valued SyncRemoveValues
    securityProtocol       Security Protocol flag (Exchange2000 only)

If you omit the '-c' switch, you will get a listing of all the attributes and their properties. If you add the '-f' switch, you will get additional info concerning the attribute, like this:

ATTRIBUTE (LDAP Name) eTADSDirectory::eTADSDirectoryName
        User-friendly Name : name
        Description: eTrust Active Directory Name
        ProhibitedCharacters: /\\?|*:<>"}{][,
        MinValue: (null)
        MaxValue: (null)
        DefaultValue: (null)
        MinLength: 1
        MaxLength: 100
        EditType: 0 [string]
        IsSpaceAllowedIn: yes
        IsAsciiOnly: no
        IsMultiValued: no
        Case: 0 [insensitive]
        Values: <NONE>
        ExcludedValues: <NONE>
        OrWords: <NONE>
        VerbReqs: copyto, tocopy, copyallto, tocopyall, renameto, torename, add, !inselect, !toupdate
        Group: (null)
        Label: (null)
        IsHidden: no
        IsRelationalOperatorAllowedWith: no
        IsEncrypted: no
        IsIndexed: yes
        IsBaseAttribute: no
        Searchable: yes
        Incremental: no
        Obscured: no
        Deprecated: no
        DataLocation: 3 [BOTH]
        AuthOps: 0x00 (NONE)
        AuthAlias: (null)
        DependsOn: <NONE>


Component: ETRADM