I have an misterious problem during the account aggregation. Every time I launch an account aggregation, within starts the identity attribute rules.
The application is the auth source and I have all global rule into the identity mapping.
The rules starts only if the aggrergation creates a new account.
Otherwise, I have 8 identity attribute with global rule but only for 4 of those 8 attribute, the rules starts. If I remove one from the mapping, starts the fifth.
I tried everything, like recreate application, task ecc…
I reviewd the configuration and I didnt find someone can explain this behavior.
This happens if one of the rules fails with an exception. It’s silently caught and the whole sequence aborts. Attribute value rules run in the order they’re defined in the ObjectConfig, so it’s probably the one listed fifth that’s failing somehow.
What I’d probably do is wrap your entire rules in a try/catch block and log out any exceptions, and then return the existing value, so at least things don’t change mysteriously.
My dubts is: why during the aggrergation starts the identity attribute rules? Those rules will be execute only on the identity refresh, not with aggrergation. Or I am wrong?
All aggregations are refreshes, actually. You can set any refresh flag on an aggregation and it will be applied just as in any refresh. Not all of them are exposed in the UI, but they all work. We usually do this to avoid having a slew of external Identity Refresh tasks in a sequence.
In particular, all aggregations ought to re-evaluate relevant identity attributes (application-specific or global rules), because any account update might result in an identity attribute change.
Usually the aggregations are not refreshed but, re-reading all documentation regarding application,task and aggregation, I discovered that IIQ launch all rule of all searchable attribute when an account of an authorititave source is created.