Hi! I have an AD connector, with manager attribute in a Provisioning Policy in order to reflect identity manager change reflected in AD.
I have just configured, while solution is live since about a month. Manager updates performed in this time are not modifying AD account. Identity Profile refresh also not working, only works for new manager changes.
Is there some way to force?
Have you tried to run an unoptimized agg for that source?
When you update the manager attribute in Active Directory, you need to send the distinguished name (DN) of the Manager’s Active Directory account. Does your Create Account/Attribute Sync use an Identity Attribute that is populated with the DN?
Hi Carl, manager update is not treated directly from some identity attribute, that’s why is not in sync also. I use the ootb rule, for updating I have an update provisioning policy.
Problem that after the moment that I add the update provisioning policy, it works ok for new manager updates. But does not equalize previous identities with managers different from AD.
Provisioning Policies only run when the system is doing some sort of provisioning on an Identity. So it is working on your new manager updates, because some sort of provisioning is occuring on those accounts and then the Provisioning Policy kicks in.
But out of sync accounts won’t get updated until a provisioning event happens.
My recommendation would be to do the following:
{
"name": "Manager DN",
"type": "rule",
"attributes": {
"name": "Cloud Services Deployment Utility",
"operation": "getReferenceIdentityAttribute",
"uid": "manager",
"attributeName": "adDistinguishedName"
}
}