Synchronizing Users, Accounts, and Roles
The integration of multiple endpoints and accounts into a single user management system can result in a loss of synchronization. The provisioning roles or account templates that are assigned to a user can differ from the actual accounts that exist for that user.
For example, consider a situation with two provisioning roles, one with Active Directory and UNIX account templates and another role with SAP and Oracle templates. The user john_smith has Provisioning Role A, which contains Active Directory and UNIX account templates, but that user only has an Active Directory account. Possibly the UNIX account template was added to the role after it was assigned to the user. Therefore, the administrator synchronizes the user with the current role definition.
The following situations are other reasons why users lose synchronization with provisioning roles or account templates:
- Earlier attempts to create the necessary accounts failed due to hardware or software problems in your network, causing missing accounts.
- Provisioning roles and account templates change, creating extra or missing accounts.
- Accounts were assigned to account templates after they were created, so accounts exist, but they are not synchronized with their account templates.
- The creation of a new account is delayed because the account was specified to be created later.
- A new endpoint was acquired. During exploration and correlation, the Provisioning Server did not assign provisioning roles to the users automatically. You update the role to indicate the users who require accounts on the endpoint. Any account that was correlated to a user is listed as an extra account when the user is synchronized.
- An existing account was assigned to a user by copying the account to the user.
- An account was created for a user other than by assigning the user to a role. For example, you copied a user to an account template that is not in a provisioning role for that user. The account is listed as an extra account or as an account with an extra account template. If you copy the user to an endpoint to create an account using the default account template, that account could be an extra account.
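The comparison behind these cases can be sketched as a drift check. This is an added example, not code from the product or the original documentation. It assumes one account per endpoint, and the template names and the user jane_doe are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role definitions: role -> {(endpoint, account template)}.
# Template names are illustrative; the page names only the endpoint types.
ROLES = {
    "Provisioning Role A": {("Active Directory", "AD-tmpl"), ("UNIX", "UNIX-tmpl")},
    "Provisioning Role B": {("SAP", "SAP-tmpl"), ("Oracle", "Oracle-tmpl")},
}

@dataclass(frozen=True)
class Account:
    endpoint: str
    templates: frozenset = frozenset()  # templates the account is linked to

def sync_check(user_roles, accounts):
    """Compare what the user's roles call for with the accounts that exist."""
    expected = {}  # endpoint -> templates required by the assigned roles
    for role in user_roles:
        for endpoint, template in ROLES[role]:
            expected.setdefault(endpoint, set()).add(template)
    actual = {a.endpoint: a for a in accounts}  # assumes one account per endpoint
    report = {"missing_accounts": [], "extra_accounts": [],
              "unlinked_templates": [], "extra_templates": []}
    for endpoint in sorted(expected):
        acct = actual.get(endpoint)
        if acct is None:
            report["missing_accounts"].append(endpoint)
            continue
        # Account exists but is not tied to a template the role requires.
        report["unlinked_templates"] += [
            (endpoint, t) for t in sorted(expected[endpoint] - acct.templates)]
        # Account carries a template that no assigned role includes.
        report["extra_templates"] += [
            (endpoint, t) for t in sorted(acct.templates - expected[endpoint])]
    # Accounts on endpoints that none of the user's roles cover.
    report["extra_accounts"] = sorted(set(actual) - set(expected))
    return report

# Constructed sample: john_smith from the example above, plus a correlated Oracle account.
john = sync_check(["Provisioning Role A"], [
    Account("Active Directory", frozenset({"AD-tmpl"})),
    Account("Oracle"),
])
# Constructed sample: hypothetical user whose accounts drifted from Role B's templates.
jane = sync_check(["Provisioning Role B"], [
    Account("SAP"),
    Account("Oracle", frozenset({"Oracle-tmpl", "DBA-tmpl"})),
])

if __name__ == "__main__":
    for name, rep in (("john_smith", john), ("jane_doe", jane)):
        print(name, rep)
```

Extra accounts and extra templates are the entries to review first in an access audit, because they represent access that no assigned role accounts for.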
The following sections explain how to perform the three types of synchronization:
- Synchronize user with roles.
- Synchronize user with account templates.
- Synchronize endpoint account with account templates.
Copyright © 2012 CA.
All rights reserved.