
Map Endpoint Attributes

To use reverse synchronization on an attribute in an endpoint account, you first map it to an attribute visible in the User Console. Some attributes, such as account name and password, are mapped by default. Other attributes are not mapped; for example, the Active Directory group membership attribute is not mapped. For some endpoint types, no attributes are mapped at all.

To check if the attribute can be mapped

  1. In the User Console, click Endpoints, Reverse Modify, Create Reverse Sync Modified Account Policy.
  2. Choose to create a new policy or a copy of a policy.
  3. Click Endpoint Type and choose an endpoint, such as Active Directory.
  4. Click Attribute Name to display a list of attributes that can be mapped.
  5. Click Cancel.

    You cancel the policy because you are only using it now to check which attributes can be mapped.

Important! Certain attributes can be managed only with native tools on the endpoint. If an endpoint user modifies such an attribute, the reverse event fails when the reverse synchronization policy is triggered, and the changes to the other attributes in that same reverse event are not reversed either. Therefore, avoid mapping attributes that can only be managed on the endpoint.

To map endpoint attributes for reverse synchronization

  1. Click Endpoints, Modify Endpoint.
  2. Search for and select an endpoint that requires reverse synchronization.
  3. Click the Attribute Mapping tab.
  4. Select Use Custom Settings.
  5. Click Add to add a new custom attribute.
  6. Select an available custom attribute. For example, use CustomField 10 if it is not used in your environment.
  7. Map the custom attribute to the account attribute name that you want to manage.
  8. Repeat Steps 5 to 7 to add mappings between all account attributes required and the custom attribute selected.

    You can use the same custom attribute (CustomField 10 in our example) for all attributes you want to manage.

  9. Click Submit.

To create baseline values for this endpoint

Once all values for an endpoint are mapped, you explore the endpoint. For this operation, you disable inbound notification first and re-enable it after the explore completes. Disabling notification suppresses notifications that are unnecessary at this stage: otherwise, every account that has values in the newly mapped attributes would generate a notification during the explore operation.

  1. In Provisioning Manager, disable inbound notification as follows:
    1. Click System, Domain configuration, CA IdentityMinder Server, Enable Notification.
    2. Select No.
    3. Restart the Provisioning Server to make sure the change takes effect.
  2. In the User Console, click Endpoints, Execute Explore and Correlate.

    Choose an explore and correlate definition that has correlation deselected.

    This action repopulates the user store attributes with the new endpoint attribute data. This task may take a while if the endpoint is large.

  3. Reenable inbound notification in Provisioning Manager.
  4. Restart the Provisioning Server.

At the next explore and correlate operation for that endpoint, modify account notifications are generated. Notifications are generated if a change occurred for an attribute that is mapped to a global user attribute and a policy applies to that attribute.

More information:

Capability and Initial Attributes