How Users and Identity Policies Are Synchronized
When using identity policies, it is important to understand how CA IdentityMinder evaluates and applies the policies to users. Without a thorough understanding of the user synchronization process, you may configure identity policy sets that yield unexpected results.
The following procedure describes how CA IdentityMinder evaluates and applies identity policies:
- The user synchronization process begins:
- Automatically—You can configure CA IdentityMindertasks to automatically trigger user synchronization
- Manually—Use the Synchronize User task in the User Console to synchronize a user.
- CA IdentityMinder determines the set of identity policies that apply to a user.
- CA IdentityMinder compares the set of identity policies that apply to a user with the list of policies that have already been applied to that user.
Note: The list of policies that have been applied to a user is stored in the %IDENTITY_POLICY% well-known attribute in the user profile. For information on configuring this attribute, see the Configuration Guide.
- If an identity policy is on the list of applicable policies, and the policy has not been applied to the user previously, then CA IdentityMinder adds the policy to an allocation list.
- If an identity policy is on the list of applicable policies, the policy has been previously applied to the user, and the Apply Once setting for the policy is disabled, CA IdentityMinder adds the policy to a reallocation list.
- An identity policy is not on the list of applicable policies, and the policy has been applied to the user, the user no longer matches the policy condition. CA IdentityMinder adds these policies to a deallocation list.
- After CA IdentityMinder evaluates all of the policies for a user, it applies policies in the following order:
- Identity policies from the deallocation list
- Identity policies from the allocation list
- Identity policies from the reallocation list
- After the identity policies have been applied, CA IdentityMinder reevaluates the policies to see if any additional changes are needed based on changes that occurred in the first synchronization process (steps 2-4).
This is to ensure that changes made by applying identity policies did not trigger other identity policies.
- CA IdentityMinder continues to reevaluate and apply identity policies until the user is synchronized with all applicable policies, or until CA IdentityMinder reaches the maximum recursion level, which is defined in the Management Console.
For example, an identity policy may change a user's department when the user is assigned a role. The new department triggers another identity policy. However, if the recursion level is set to 1, the subsequent change is not made until the user is synchronized again.
For more information about setting the recursion level, see the Management Console Online Help.
Copyright © 2012 CA.
All rights reserved.