  1. OpenIDM
  2. OPENIDM-7223

Reconciliation always detects manager field as modified

    Details

    • Sprint:
      OpenIDM Sprint 71 Mezzo, OpenIDM Sprint 72 Mezzo
    • Story Points:
      3
      Description

      We have a mapping (AD -> managed user) that updates the manager field. If we don't update the manager field in AD and run a recon, the manager field is still seen as changed, causing unnecessary syncs to target systems.

      To test this you could create a simple CSV Connector and add a mapping to the manager field with this:

      var manager = {"_ref" : "managed/user/96a95c79-140c-48b8-9152-29974c9e3f71"};
      manager

      (of course 96a95c79-140c-48b8-9152-29974c9e3f71 refers to a single user).

      To log that OpenIDM sees this as a change, use the following script on the onUpdate trigger of managed user:

      require('ui/onUpdateUser').preserveLastSync(object, oldObject, request);
      require('roles/conditionalRoles').updateConditionalGrantsForUser(object, 'roles');
      logger.error("UPDATING" + object.userName);

      You will see that on every recon the log message shows. When we do the same for another attribute (for instance mail) the log message does not show.

      We already found a workaround for this by checking in the conditional update script whether the manager we are going to set is the same as the manager we already have.

      We would like to prevent this workaround; checking if an attribute is different should be the job of OpenIDM...

      In our actual implementation the manager attribute comes from Active Directory, and since we have liveSync enabled for our Active Directory and also a mapping from managed user to Active Directory, this causes an update loop.

      e.g. Active Directory has a change -> liveSync updates OpenIDM -> OpenIDM updates Active Directory -> liveSync from Active Directory updates OpenIDM.
      In normal circumstances the update loop should now stop because there are no changes in OpenIDM; however, because the manager attribute is always seen as a change, the chain continues with OpenIDM updates Active Directory -> liveSync from Active Directory updates OpenIDM -> OpenIDM updates Active Directory -> etc...
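
      The workaround mentioned in the description (comparing the manager about to be set with the one already stored), sketched as an added example that is not the reporter's script or OpenIDM code. The names `refOf`, `managerChanged` and `applyManager` are hypothetical, and the `_refProperties` metadata on the stored value is an assumption used to show a comparison that looks only at the reference target.

```javascript
// Added example, not OpenIDM code. Assumption: a relationship value is null or
// an object whose "_ref" names the target; any other keys are metadata.

// Reduce a relationship value to the string that identifies its target.
function refOf(value) {
  if (value === null || value === undefined) return null; // no manager set
  if (typeof value === 'object' && typeof value._ref === 'string') {
    return value._ref.replace(/^\/+|\/+$/g, ''); // ignore stray slashes
  }
  throw new TypeError('not a relationship value: ' + JSON.stringify(value));
}

// The workaround check: does the incoming manager point at a different target?
function managerChanged(current, incoming) {
  return refOf(current.manager) !== refOf(incoming.manager);
}

// Hypothetical guard for an update step: keep the stored object untouched when
// the target is the same, so no downstream sync (and no update loop) follows.
function applyManager(current, incoming) {
  if (!managerChanged(current, incoming)) {
    return { object: current, sync: false };
  }
  const updated = Object.assign({}, current, { manager: incoming.manager });
  return { object: updated, sync: true };
}

// Constructed sample data; the _ref is the one quoted in the description.
const REF = 'managed/user/96a95c79-140c-48b8-9152-29974c9e3f71';
const stored = {
  userName: 'jdoe',
  manager: { _ref: REF, _refProperties: { _id: 'rel-1', _rev: '1' } }
};
const fromMapping = { userName: 'jdoe', manager: { _ref: REF } };

console.log(applyManager(stored, fromMapping).sync);       // same target
console.log(applyManager(stored, { manager: null }).sync); // manager removed
```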

              People

              • Assignee:
                jason.vincent jason vincent
                Reporter:
                mark.offutt Mark Offutt
