How Reverse Synchronization Works
Reverse synchronization with endpoint accounts occurs as follows:
- An administrator or a malicious user creates or modifies an account on an endpoint.
- When Explore and Correlate runs on that endpoint, the new or modified account is detected.
- The Provisioning Server sends a notification to the CA IdentityMinder server.
- The CA IdentityMinder server searches for a reverse synchronization policy that matches the change on the endpoint.
- If a matching policy is found, it executes. If more than one policy applies to this account and those policies have the same scope, the highest priority policy runs.
- Depending on the policy, one of the following actions occurs:
  - For a new account, the policy accepts, deletes, or suspends the account or sends it for workflow approval.
  - For a modified account, the policy accepts the value, reverts it to the last known value, or sends it for workflow approval.
- If workflow is selected, a new event for the workflow is generated and the approvers are set. Then, one of the following actions occurs:
  - For a new account, the approver can accept, delete, or suspend the account or assign it to a user.
  - For a modified account, the workflow process is the same as if the value was changed in the User Console, except that rejected values are reverted at the endpoint.
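The decision flow above can be modeled as follows. This is an added example, not CA IdentityMinder code: the class and field names, the matching on endpoint, change kind, and attribute, and the "lower number means higher priority" ordering are assumptions, and all policies are taken to share one scope.

```python
from dataclasses import dataclass
from typing import Optional

# Actions the page lists for a policy, per kind of detected change.
POLICY_ACTIONS = {"new": {"accept", "delete", "suspend", "workflow"},
                  "modified": {"accept", "revert", "workflow"}}
# Choices open to an approver once a workflow event exists.
APPROVER_ACTIONS = {"new": {"accept", "delete", "suspend", "assign"},
                    "modified": {"approve", "reject"}}

@dataclass(frozen=True)
class Change:                        # constructed model of a detected change
    endpoint: str
    account: str
    kind: str                        # "new" or "modified"
    attribute: Optional[str] = None  # set only for modified accounts

@dataclass(frozen=True)
class Policy:                        # hypothetical fields, not the product schema
    name: str
    endpoint: str
    kind: str
    action: str
    priority: int                    # assumption: lower number = higher priority
    attribute: Optional[str] = None  # None matches any attribute

def select_policy(change, policies):
    """Return the highest-priority matching policy, or None if nothing matches."""
    hits = [p for p in policies
            if p.endpoint == change.endpoint and p.kind == change.kind
            and p.attribute in (None, change.attribute)]
    return min(hits, key=lambda p: p.priority) if hits else None

def evaluate(change, policies, approver_decision=None):
    """Return (policy name, resulting action) for one detected change."""
    policy = select_policy(change, policies)
    if policy is None:
        return (None, "no-policy")   # no matching policy, so nothing executes
    if policy.action not in POLICY_ACTIONS[change.kind]:
        raise ValueError(f"{policy.name}: {policy.action!r} invalid for {change.kind} account")
    if policy.action != "workflow":
        return (policy.name, policy.action)
    if approver_decision is None:
        return (policy.name, "pending-approval")
    if approver_decision not in APPROVER_ACTIONS[change.kind]:
        raise ValueError(f"invalid approver decision {approver_decision!r}")
    # A rejected modification is reverted at the endpoint; approval keeps the value.
    result = {"approve": "accept", "reject": "revert"}.get(approver_decision, approver_decision)
    return (policy.name, result)
```

Calling `evaluate` with a new-account change and two matching policies returns the action of the one with the lower priority number; a modified-account change routed to workflow returns `pending-approval` until an approver decision is supplied.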
Copyright © 2012 CA.
All rights reserved.