Synchronize Endpoint Accounts with Account Templates

This task synchronizes an endpoint account after modification of an associated account template. For example, perhaps an Active Directory account has no groups, but the associated account template is defined to include groups.
Follow these steps:
  1. Log in to the User Console.
  2. Select Tasks, Endpoints, Manage Endpoints, Check Endpoint Account Synchronization.
  3. Select an endpoint.
    A screen appears showing accounts on that endpoint, associated account templates, and which attributes are not synchronized.
  4. Click Synchronize to make the attributes for those accounts match what is defined in the account template.
    Changes that you make to account templates affect existing accounts as follows:
    • If you change the value of a capability attribute, the corresponding account attribute is updated to be synchronized with the account template attribute value. See the description of weak and strong synchronization.
    • Certain account attributes are designated by the connector as not being updated on account template changes. Examples include certain attributes that the endpoint type allows to be set only during account creation, and the Password attribute.
Which Attributes are Updated
When you change a capability attribute in an account template, the corresponding attribute on the associated accounts changes. The effect on each account depends on the following factors:
  • Whether the account template is defined to use weak or strong synchronization.
  • Whether the account belongs to multiple account templates.
Weak Synchronization
Weak synchronization ensures that accounts have at least the capability attributes defined in the account template; it adds or raises capabilities but never removes or lowers them. Weak synchronization is the default in most endpoint types. If you update a template that uses weak synchronization, CA IdentityMinder updates capability attributes as follows:
  • If a number field is updated in an account template and the new number is greater than the number in the account, CA IdentityMinder changes the value in the account to match the new number.
  • If a check box was not selected in an account template and you subsequently select it, CA IdentityMinder updates the check box on any account where the check box is not selected.
  • If a list is changed in an account template, CA IdentityMinder updates all accounts to include any value from the new list that was not included in the account's list of values.
If an account belongs to other account templates (whether those templates use weak or strong synchronization), CA IdentityMinder consults only the template that is changing. This action is more efficient than checking every account template. Because weak synchronization only adds capabilities to accounts, it generally is not necessary to consult those other account templates.
When changes propagate from a weak synchronization account template, changes that would remove or lower capabilities are not applied, because weak synchronization never removes or lowers capabilities. Because the propagation does not consult the other templates for the account, it cannot determine whether the account still satisfies all of them, so some accounts can be left unsynchronized.
In this situation, use Synchronize Users with Account Templates to synchronize the account with its account templates.
Strong Synchronization
Strong synchronization ensures that accounts have the exact account attributes that are specified in the account template.
For example, suppose that you add a group to an existing UNIX account template. Originally, the account template made accounts members of the Staff group. Now, you want to make the accounts members of both the Staff and System groups. All accounts that are associated with the account template are considered synchronized when each account is a member of the Staff and System groups (and no other groups). Any account not in the Staff group is added to both groups.
Some other factors to consider include the following situations:
  • If the account template uses strong synchronization, any account that belongs to groups other than Staff and System is removed from those extra groups.
  • If the account template uses weak synchronization, the accounts are added to the Staff and System groups; any account that also belongs to additional groups remains a member of those groups.
Note:
Synchronize accounts with their templates regularly to ensure that the accounts stay synchronized with their account templates.
Accounts with Multiple Templates
Synchronization also depends on whether the account belongs to more than one account template. If an account has only one account template and that template uses strong synchronization, each attribute is updated to exactly match what the account template attribute value evaluates to. The result is the same as if the attribute were an initial attribute.
An account may belong to multiple Account Templates, as would be the case if a user belonged to multiple provisioning roles each of which prescribed some level of access on the same managed endpoint. When this happens, CA IdentityMinder combines those account templates into one effective account template that prescribes the superset of the capabilities from the individual account templates. This account template is itself considered to use weak synchronization if all its individual account templates are weak or strong synchronization if any of the individual account templates is strong.
Note:
Often you use only weak synchronization or only strong synchronization for the account templates controlling one account, depending on whether your company's roles completely define the accesses your users need. If your users do not fit into clear roles and you need the flexibility to grant additional capabilities to your user's accounts, use weak synchronization. If you can define roles to exactly specify the accesses your users need, use strong synchronization.
The following example demonstrates how multiple account templates are combined into a single effective account template. One account template is marked for weak synchronization and the other for strong synchronization, so an effective account template is created by combining the two. The combined template is treated as a strong synchronization account template. The integer Quota attribute takes on the larger value from the two account templates, and the multivalued Groups attribute takes on the union of values from the two templates.
Example demonstrating how multiple account templates are combined into a single effective account template
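The following is an added example, not CA IdentityMinder code or any product API, that models the rules described above: how weak synchronization only adds or raises capabilities, how strong synchronization forces exact values, how multiple templates collapse into one effective template (superset of capabilities, strong if any member is strong), and what the Check Endpoint Account Synchronization step would report as unsynchronized. The `Template` class, the `CREATE_ONLY` set of connector-protected attribute names, and all sample accounts and templates are constructed for illustration.

```python
"""Model of account-template synchronization (added example, not CA IdentityMinder code).

Attribute kinds modelled, following the page's description:
  - bool (check box):        weak only sets it, strong sets it exactly
  - int  (number field):     weak takes the larger value, strong sets it exactly
  - set  (list / multivalue): weak adds missing values, strong replaces the whole list
"""
from dataclasses import dataclass


@dataclass
class Template:
    name: str
    strong: bool          # True = strong synchronization, False = weak
    attrs: dict           # capability attribute name -> value


# Attributes the connector designates as not updated on template changes
# (assumption: names chosen for illustration, e.g. create-only attributes and Password).
CREATE_ONLY = {"Password", "HomeDirectory"}


def effective_template(templates):
    """Combine several templates for one account into the effective template.

    The effective template carries the superset of capabilities and is strong
    if any of its members is strong, as the page describes.
    """
    eff = {}
    for t in templates:
        for k, v in t.attrs.items():
            if k not in eff:
                eff[k] = set(v) if isinstance(v, (set, frozenset)) else v
            elif isinstance(v, bool):          # check bool before int: bool is an int subclass
                eff[k] = eff[k] or v
            elif isinstance(v, int):
                eff[k] = max(eff[k], v)
            else:
                eff[k] = set(eff[k]) | set(v)
    return Template("effective", any(t.strong for t in templates), eff)


def unsynchronized(account, template):
    """Return {attr: (current, template value)} for attributes the Check step would flag."""
    out = {}
    for k, want in template.attrs.items():
        if k in CREATE_ONLY:                   # never compared or rewritten by template changes
            continue
        have = account.get(k)
        if template.strong:
            ok = have == want
        elif isinstance(want, bool):
            ok = (not want) or bool(have)
        elif isinstance(want, int):
            ok = have is not None and have >= want
        else:
            ok = set(want) <= set(have or ())
        if not ok:
            out[k] = (have, want)
    return out


def synchronize(account, template):
    """Return a copy of the account with attributes brought in line with the template."""
    acct = dict(account)
    for k, want in template.attrs.items():
        if k in CREATE_ONLY:
            continue
        have = acct.get(k)
        if template.strong:                    # exact match, extras removed
            acct[k] = set(want) if isinstance(want, (set, frozenset)) else want
        elif isinstance(want, bool):           # weak: only ever ticks the box
            acct[k] = bool(have) or want
        elif isinstance(want, int):            # weak: only ever raises the number
            acct[k] = want if have is None else max(have, want)
        else:                                  # weak: union, nothing removed
            acct[k] = set(have or ()) | set(want)
    return acct


if __name__ == "__main__":
    # Constructed sample data following the page's UNIX example.
    acct = {"Groups": {"Staff", "Wheel"}, "Quota": 200, "Password": "keep-me"}
    weak = Template("unix-weak", strong=False, attrs={"Groups": {"Staff", "System"}, "Quota": 100})
    strong = Template("unix-strong", strong=True, attrs=weak.attrs)
    print("out of sync (weak):", unsynchronized(acct, weak))     # Groups missing System
    print("after weak sync:   ", synchronize(acct, weak))        # Wheel kept, Quota stays 200
    print("after strong sync: ", synchronize(acct, strong))      # Wheel removed, Quota set to 100
    eff = effective_template([weak, Template("quota", True, {"Quota": 500})])
    print("effective template:", eff)                            # strong, Quota 500, Groups union
```

The `Password` attribute is left untouched by both modes, mirroring the connector-protected attributes described in the steps above; a real deployment should verify which attributes its connector protects rather than relying on the constructed `CREATE_ONLY` set.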
Note:
For more information about Strong vs. Weak synchronization, see this article.