Symantec IGA

  • 1.  Operation Binding - Force Sync Role

    Posted Jul 09, 2020 11:04 AM
    Hi, 

    We are having a problem with a JDBC connector. When an account is created, it is associated with a provisioning role with an account template which includes a profile X, but when we need to lock this account we use an operation binding to send an update to the database and change this profile in the endpoint to profile Y. When the user is unlocked, it should lose the profile Y received before and receive the same profile X in the provisioning role. We tried to force a user role sync, but it did not work. Does anybody know if it is possible to force or get the profile of the provisioning role using an operation binding?

    Regards

    ------------------------------
    Wagner
    ------------------------------


  • 2.  RE: Operation Binding - Force Sync Role

    Broadcom Employee
    Posted Jul 09, 2020 11:45 AM
    Not fully understanding what it is you have configured.

    Some things to consider which would impact behavior:

    1. Is the profile field a single-valued or multi-valued attribute
    2. Is the profile field set as a synchronized (i.e. capability) attribute
    3. Whether the templates assigned are set as Weak Sync or Strong Sync templates
    4. How the existing vs new value compare lexicographically

    If others in the community cannot assist further then perhaps you will want to raise a support case so that a better understanding of the above can be taken into account along with log analysis.


  • 3.  RE: Operation Binding - Force Sync Role

    Posted Jul 09, 2020 12:08 PM
    Hi Kenneth,

    The profile field is a multi-value attribute, it is set as a synchronized attribute, and the account template is assigned as strong sync. In the endpoint there is no lock/unlock attribute; to lock an account it is necessary to set a specific profile for these cases, but to unlock, the old profile should be reassigned. I will open a support case as you suggested!

    Thanks for helping!

    ------------------------------
    Wagner
    ------------------------------



  • 4.  RE: Operation Binding - Force Sync Role

    Broadcom Employee
    Posted Jul 10, 2020 02:05 AM
    Hello Wagner,

    Operation bindings are completely on the connector side, while provisioning roles operate on the IM server - provisioning server level, therefore you cannot access opbindings from prov roles.
    As your profile is a capable attribute, and the account template is configured with strong sync, synchronization should result in an exact match of the profile on the account and on the template.
    Please check the account after locking. Does it actually have a different profile, or would it require a re-explore to refresh its state? The difference between the account data in the prov directory and on the endpoint may be the cause.

    Dmytry


  • 5.  RE: Operation Binding - Force Sync Role

    Posted Jul 10, 2020 10:16 AM
    Hi Dmytry,

    I understood! I did some tests: I created an account, locked and unlocked the user, but the profile did not change. It only worked when I did the sync of the account with templates; after the sync I could lock and unlock, and the profile changed according to the provisioning role. I would like to do the sync automatically during the task execution without having to force it manually. Thanks for helping!

    Regards

    ------------------------------
    Wagner
    ------------------------------