Policies for Reverse Synchronization
When an account is created or modified on an endpoint, reverse synchronization policies can take appropriate actions in response. For example, a user creates some Active Directory accounts in several OUs in the corporate domain. Also, the user modifies some Microsoft Exchange accounts. You can detect the new and changed accounts and provide appropriate actions as a response using reverse synchronization account policies.
You can do the following using reverse synchronization:
- Configure a policy to accept the new account, reject it, or send it for workflow approval.
- Configure a policy to accept a change to an attribute, revert it to the original attribute, or send it for workflow approval.
- When an account is sent for workflow approval, the approver can perform one of the following actions:
- Reject it (delete/suspend it from the endpoint or change the value to match the Identity Manager user store value)
- Accept it and update the Identity Manager user store to match the account
- Assign it to a user in User Console (in the case of account creation)
Create a Policy for New Accounts
If you want to define a process for when a new account is detected on an endpoint, you create an account policy that applies to new accounts. New account policies run when accounts are detected by an Explore and Correlate run that includes the Correlate option. If an account was found by an explore-only run, the policy runs the next time that endpoint is explored with the Correlate option included.
To create a policy for new accounts
- In the User Console, click Endpoints, or click Tasks, Endpoints.
- Click Reverse New, Create Reverse Sync New Account Policy.
- Enter a name and description for the policy.
- Enter the following parameters:
- Priority -- The priority of the policy. The policy with the lowest number has the highest priority. If two policies have the same priority and the same scope, either policy may run, so be sure to give them different priority levels.
- Endpoint Type -- All endpoints or a specific endpoint type.
- Endpoint -- The specific endpoint name. If Endpoint Type is All, the only choice is All endpoints.
- Container -- The container where the account resides. This field applies only to hierarchical endpoints. Enter the container as a list of nodes, ending with the endpoint. For example, for an AD OU with the path "ou=child,ou=parent,ou=root,dc=domain,dc=name" the format "child,parent,root" is correct.
- Correlated User -- Controls whether the policy runs based on whether a correlated user is found in the Provisioning Directory.
- Select one of the following Actions:
- Accept -- Takes no action on the account. This choice is useful when two policies exist: one that rejects all new accounts, and a higher priority policy that accepts accounts created under a certain OU. An account created in that OU is accepted, and the reject policy does not run because it has a lower priority.
- Delete -- Removes the account from the endpoint.
- Suspend -- Leaves the account in the endpoint, but suspends it.
- Send for Approval -- Submits the change for workflow approval.
- Perform the following steps if you set Action to Send for Approval:
- Click the icon next to Workflow Process.
- Choose a workflow process.
- Click OK.
- Click Submit.
If you assigned a workflow process to the policy, you need to create an approval task.
Create a Policy for Modified Accounts
Any account attribute in an endpoint account can be managed by Reverse Synchronization, as long as it is defined in the attribute mapping.
To define a process for when a discrepancy is found between existing endpoint accounts and their known values in Identity Manager, you can create an account policy that applies to existing accounts. If an attribute is multivalued, more than one value might have been added or removed. In this case, the policy is applied to each value separately or you can create different policies for different values.
To create a policy for modified accounts
- In the User Console, click Endpoints, or click Tasks, Endpoints.
- Click Reverse Modify, Create Reverse Sync Modify Account Policy.
- Enter a name and description for the policy.
- Enter the following parameters:
- Priority -- The priority of the policy. The policy with the lowest number has the highest priority. If two policies have the same priority and the same scope, either policy may run, so be sure to give them different priority levels.
- Endpoint Type -- All endpoints or a specific endpoint type.
- Endpoint -- The specific endpoint name. If Endpoint Type is All, the only choice is All endpoints.
- Container -- The container where the account resides. This field applies only to hierarchical endpoints. Enter the container as a list of nodes, ending with the endpoint. For example, for an AD OU with the path "ou=child,ou=parent,ou=root,dc=domain,dc=name" the format "child,parent,root" is correct.
- Attribute -- The physical name.
- Value -- A string representation of the value, which may contain * (asterisk) as a wildcard. The wildcard matches any value in the change.
- Select one of the following Actions:
- Accept -- Updates the account value in the Identity Manager user store to match the value in the endpoint account.
- Reject -- Reverts the attribute to reinstate the original value without affecting other changes to attributes for the account.
- Send for Approval -- Submits the change for workflow approval.
- Perform the following steps if you set Action to Send for Approval:
- Click the icon next to Workflow Process.
- Choose a workflow process.
- Click OK.
- Click Submit.
If you assigned a workflow process to the policy, you need to create an approval task.
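The two procedures above share the same selection rules: the lowest priority number wins, equal priorities with equal scope are ambiguous, Container is written as "child,parent,root", and a modify policy's Value may use * as a wildcard. The following Python model is an added example, not Identity Manager code, for dry-running a policy set before entering it in the User Console. The policy names, OUs, endpoint names and attribute values are constructed; exact container matching and case-sensitive value matching are assumptions, since the page does not state how the product handles child containers or letter case.

```python
"""Toy model of reverse-sync policy selection (illustration, not product code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def dn_to_container(dn: str) -> str:
    """'ou=child,ou=parent,ou=root,dc=domain,dc=name' -> 'child,parent,root'.
    Keeps OU RDNs only, child first, drops DCs.  Escaped commas inside an
    RDN value are not handled (simple splitter)."""
    ous = []
    for rdn in dn.split(","):
        key, _, val = rdn.strip().partition("=")
        if key.lower() == "ou":
            ous.append(val)
    return ",".join(ous)


def wildcard_match(pattern: str, value: str) -> bool:
    """Value matching where only '*' is special (any run of characters).
    Case-sensitive: an assumption, the page does not specify."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                 # lowest number = highest priority
    action: str                   # Accept/Delete/Suspend/Reject/Send for Approval
    kind: str                     # 'new' (new-account policy) or 'modify'
    endpoint_type: str = "All"
    endpoint: str = "All"
    container: str = ""           # '' = any container, else 'child,parent,root'
    correlated_user: str = "Any"  # Any / Found / NotFound (new-account policies)
    attribute: str = ""           # physical attribute name (modify policies)
    value: str = "*"              # Value pattern (modify policies)


@dataclass(frozen=True)
class Event:
    kind: str                     # 'new' or 'modify'
    endpoint_type: str
    endpoint: str
    container: str                # 'child,parent,root' form
    correlated_user: bool = False
    attribute: str = ""           # modify only
    value: str = ""               # modify only: one value per event, so a
                                  # multivalued change is evaluated per value


def matches(p: Policy, e: Event) -> bool:
    if p.kind != e.kind:
        return False
    if p.endpoint_type not in ("All", e.endpoint_type):
        return False
    if p.endpoint not in ("All", e.endpoint):
        return False
    if p.container and p.container != e.container:  # exact match (assumption)
        return False
    if p.correlated_user == "Found" and not e.correlated_user:
        return False
    if p.correlated_user == "NotFound" and e.correlated_user:
        return False
    if e.kind == "modify":
        return p.attribute == e.attribute and wildcard_match(p.value, e.value)
    return True


def select_policy(policies: List[Policy], e: Event) -> Tuple[Optional[Policy], bool]:
    """(winning policy or None, ambiguous); ambiguous means the top two
    matches tie on priority, so 'either policy may run'."""
    hits = sorted((p for p in policies if matches(p, e)), key=lambda p: p.priority)
    if not hits:
        return None, False
    return hits[0], len(hits) > 1 and hits[0].priority == hits[1].priority


def priority_collisions(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Lint before submitting: pairs with equal priority and equal scope."""
    seen, out = {}, []
    for p in policies:
        key = (p.priority, p.kind, p.endpoint_type, p.endpoint, p.container,
               p.correlated_user, p.attribute, p.value)
        out.append((seen[key].name, p.name)) if key in seen else seen.setdefault(key, p)
    return out


# Constructed sample policy set (hypothetical names, OUs and attributes).
POLICIES = [
    Policy("reject-all-new", 20, "Delete", "new", endpoint_type="Active Directory"),
    Policy("accept-contractor-ou", 10, "Accept", "new", endpoint_type="Active Directory",
           container=dn_to_container("ou=Contractors,ou=Users,ou=Corp,dc=example,dc=com")),
    Policy("admin-group-approval", 5, "Send for Approval", "modify",
           attribute="memberOf", value="*Domain Admins*"),
    Policy("revert-other-groups", 10, "Reject", "modify", attribute="memberOf"),
    Policy("accept-phone", 10, "Accept", "modify", attribute="telephoneNumber"),
]


def decide(e: Event, policies: List[Policy] = POLICIES) -> str:
    """Action the model would take for one detected account or attribute value."""
    p, ambiguous = select_policy(policies, e)
    if p is None:
        return "no policy"
    return p.action + (" (AMBIGUOUS)" if ambiguous else "")
```

Run `priority_collisions` over the full list before submitting policies: a non-empty result is exactly the "same priority and same scope" condition the Priority field warns about. A new account in the Contractors OU resolves to Accept (priority 10 beats the reject-all policy at 20); a memberOf change adding a Domain Admins group goes for approval, while any other group change is reverted.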