Symantec IGA

Expand all | Collapse all

Operation Binding - Force Sync Role

  • 1.  Operation Binding - Force Sync Role

    Posted 07-09-2020 11:04 AM

    We having a problem with a connector jdbc. When an account is created is associated a provisioning role with a account template which include a profile X, but when we need to lock this account we use a  operation binding to send a update to database and change this profile in the endpoint to profile Y. When the user is unlocked it should lose the profile Y received before and receive the same profile X in provisioning role. We tried force an user role sync but did not work. Somebody know if is possible force or get the profile of provisioning role using operation binding?



  • 2.  RE: Operation Binding - Force Sync Role

    Posted 07-09-2020 11:45 AM
    Not fully understanding what is you have configured.

    Some things to consider which would impact behavior:

    1. Is the profile field a single-valued or multi-valued attribute
    2. Is the profile field set as a synchronized (i.e. capability) attribute
    3. Whether the templates assigned are set as Weak Sync or Strong Sync templates
    4. How the existing vs new value compare lexicographical

    If others in the community cannot assist further then perhaps you will want to raise a support case so that a better understanding of the above can be taken into account along with log analysis.

  • 3.  RE: Operation Binding - Force Sync Role

    Posted 07-09-2020 12:08 PM
    Hi Kenneth,

    The profile field is a multi-value attribute, it is set as a scynchronized attribute, and the account template is assigned as strong sync. In the endpoint there is no lock/unlock attribute, to lock an account is necessary set a specific profile for this cases, but to unlock the old profile should be reassigned. I will open a support case how you suggested!

    Thanks for helping!


  • 4.  RE: Operation Binding - Force Sync Role

    Posted 07-10-2020 02:05 AM
    Hello Wagner,

    Operation bindings are completely on connector side, while provisioning roles operate on IM server - provisioning server level, therefore you cannot access opbindings from prov roles.
    As your profile is capable attribute, and account template configured with strong sync, synchronization should result in exact match of a profile on an account and on a template.
    Please check the account after locking. Does it actually have a different profile, or it'd require re-explore to refresh its state. The difference between an account data in prov directory and on endpoint may be the cause.


  • 5.  RE: Operation Binding - Force Sync Role

    Posted 07-10-2020 10:16 AM
    Hi Dmytry,

    I undesrtood! I did some tests, I created an account, locked and unlocked the user but the profile did not change, but it just worked when I did the sync account with templates, after sync I could locked and unlocked and the profile changed according to provisioning role. I should like to do the sync automatic during the task execution without have to force manualy. Thanks for helping!