I need your help to define a correlation rule / reverse synchronization, where I want to update only a few attributes in the CORP store from the AD endpoint when the correlation rule executes. As well, when the explore/correlate rule executes, I don't want any new user creation in the CA system if explore finds any new account at the endpoint which is not present in the corp store.
Right now I have defined a correlation attribute on the global user by which the search at the endpoint is done and the associated account is getting updated.
Problem here is:
My correlation is creating a user in the provisioning system under the endpoint section if the user is present at the endpoint but not in the provisioning system.
Please note: this user creation is only under the endpoint, not as a global user.
Next one: right now I don't know how to define the set of attributes for which only reverse sync works. E.g., let's say in AD someone changes First and Last name; then I can define a rule in the provisioning system such that only the First Name update gets pulled, not the Last Name.
I got a solution for the first part, where I have to define a custom attribute mapping within the endpoint to get updates of only the selected attributes. But the second part is still an issue.
I don't want new account creation within the endpoint container of provisioning, in case an account exists in AD but not in provisioning.
You can't avoid the second part. The endpoint container of the Provisioning Server is simply a view of the AD accounts that the Provisioning Server knows about through either explore (and optional correlate) or through actual account creation. The Provisioning Server can not "un-know" an AD account once it has discovered it.
The only possible option would be to delete the account on the Provisioning Server, but configure the AD endpoint in the Provisioning Server such that account deletion doesn't actually delete the account on the actual AD endpoint. But this is a global setting, so it could break your "leaver" use case, if you have a requirement to actually delete AD accounts of leavers.
Alternatively, insist that the AD administrator puts all AD accounts that shouldn't be imported into the Provisioning Server in some special OU that you can exclude from the explore definition. Or maybe make use of filtering during the explore process to exclude these accounts. This assumes that you know in advance which accounts to exclude.
So it means there is no way to ignore the data flow from the endpoint to IDM, good. I was looking for something which can suppress the backward data flow.