      We have a mapping (AD -> managed user) that updates the manager field. If we do not change the manager field in AD and then run a recon, the manager field is still seen as changed, causing unnecessary syncs to target systems.

      To test this you could create a simple CSV connector and add a mapping to the manager field with this script:

      var manager = {"_ref" : "managed/user/96a95c79-140c-48b8-9152-29974c9e3f71"};

      (of course 96a95c79-140c-48b8-9152-29974c9e3f71 refers to a single existing managed user).

      To log that OpenIDM sees this as a change, use the following script on the onUpdate trigger of managed user:

      require('ui/onUpdateUser').preserveLastSync(object, oldObject, request);
      require('roles/conditionalRoles').updateConditionalGrantsForUser(object, 'roles');
      // Log every update that OpenIDM applies to the managed user.
      logger.error("UPDATING " + object.userName);

      You will see that the log message appears on every recon. When we do the same for another attribute (for instance mail), the log message does not appear.

      We already found a workaround for this by checking, in the conditional update script, whether the manager we are going to set is the same as the manager we already have.

      We would like to avoid this workaround; checking whether an attribute has changed should be the job of OpenIDM...
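      The workaround described above, as an added example that is not code from this report or from OpenIDM itself: compare a relationship field by its `_ref` only, so that a manager value pointing at the same managed user is not reported as a change. The variables `object` and `oldObject` mirror the names used by the managed-object onUpdate trigger above; the function names and the `_refProperties` contents in the sample data are assumptions made for illustration.

```javascript
// Added example (not code from the original report or from OpenIDM itself).
// It compares a relationship field by its `_ref` only, so that a manager value
// that points at the same managed user is not reported as a change.
// `object` / `oldObject` mirror the variable names of the managed-object
// onUpdate trigger used in the report; the `_refProperties` contents below
// are an assumption about what a stored relationship may carry.

// Normalise a relationship value to its `_ref` string, or null when unset.
function refOf(rel) {
  if (rel === null || rel === undefined) return null;
  if (typeof rel === 'string') return rel;                 // tolerate a bare ref string
  if (typeof rel === 'object' && typeof rel._ref === 'string') return rel._ref;
  return null;                                             // {} or a malformed value counts as unset
}

// True when both values resolve to the same managed object (or both are unset).
function sameRef(a, b) {
  return refOf(a) === refOf(b);
}

// The workaround in script form: return the incoming manager only if it differs
// from the one already stored; `undefined` means "leave the existing value alone".
function managerToSet(existingManager, incomingManager) {
  return sameRef(existingManager, incomingManager) ? undefined : incomingManager;
}

// Field-by-field diff of two versions of a managed object. Fields listed in
// `relationshipFields` are compared by `_ref`; everything else by JSON value.
function changedFields(oldObject, object, relationshipFields) {
  var names = Object.keys(oldObject).concat(Object.keys(object)).filter(function (n, i, arr) {
    return arr.indexOf(n) === i;                           // unique field names
  });
  return names.filter(function (name) {
    if (relationshipFields.indexOf(name) !== -1) {
      return !sameRef(oldObject[name], object[name]);
    }
    return JSON.stringify(oldObject[name]) !== JSON.stringify(object[name]);
  }).sort();
}

// A naive deep comparison: this is what "every recon sees manager as changed" looks like.
function naiveChanged(a, b) {
  return JSON.stringify(a) !== JSON.stringify(b);
}

// Constructed sample data (not taken from a real system).
var MANAGER_REF = 'managed/user/96a95c79-140c-48b8-9152-29974c9e3f71';
var oldObject = {                                           // what is already stored
  userName: 'jdoe',
  mail: 'jdoe@example.com',
  manager: { _ref: MANAGER_REF, _refProperties: { _id: 'rel-1', _rev: '2' } }
};
var object = {                                              // what the mapping is about to write
  userName: 'jdoe',
  mail: 'jdoe@example.com',
  manager: { _ref: MANAGER_REF }
};
var objectWithNewMail = Object.assign({}, object, { mail: 'john.doe@example.com' });

console.log('naive comparison reports manager changed:', naiveChanged(oldObject.manager, object.manager));
console.log('ref-aware diff, same manager:', changedFields(oldObject, object, ['manager']));
console.log('ref-aware diff, mail changed:', changedFields(oldObject, objectWithNewMail, ['manager']));
console.log('value to write for manager:', managerToSet(oldObject.manager, object.manager));
```

      In an update script the decision would be `managerToSet(oldObject.manager, object.manager)`: when it returns `undefined` the manager is left alone and no sync to the target system is triggered for that field. Comparing only `_ref` deliberately ignores whatever else the stored relationship carries, which is exactly the part a naive whole-value comparison trips over.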

      In our actual implementation the manager attribute comes from Active Directory, and since we have liveSync enabled for our Active Directory and also a mapping from managed user to Active Directory, this causes an update loop.

      e.g. Active Directory has a change -> liveSync updates OpenIDM -> OpenIDM updates Active Directory -> liveSync from Active Directory updates OpenIDM.
      In normal circumstances the update loop should now stop because there are no changes in OpenIDM; however, because the manager attribute is always seen as a change, the chain continues with OpenIDM updates Active Directory -> liveSync from Active Directory updates OpenIDM -> OpenIDM updates Active Directory -> etc...


