How Users and Identity Policies Are Synchronized

When using identity policies, it is important to understand how CA Identity Manager evaluates and applies the policies to users. Without a thorough understanding of the user synchronization process, you may configure identity policy sets that yield unexpected results.

The following procedure describes how CA Identity Manager evaluates and applies identity policies:

  1. The user synchronization process begins.
  2. CA Identity Manager determines the set of identity policies that apply to a user.
  3. CA Identity Manager compares the set of identity policies that apply to a user with the list of policies that have already been applied to that user.

    Note: The list of policies that have been applied to a user is stored in the %IDENTITY_POLICY% well-known attribute in the user profile. For information on configuring this attribute, see the Configuration Guide.

  4. After CA Identity Manager evaluates all of the policies for a user, it applies policies in the following order:
    1. Identity policies from the deallocation list
    2. Identity policies from the allocation list
    3. Identity policies from the reallocation list
  5. After the identity policies have been applied, CA Identity Manager reevaluates the policies to see if any additional changes are needed based on changes that occurred in the first synchronization process (steps 2-4).

    This is to ensure that changes made by applying identity policies did not trigger other identity policies.

  6. CA Identity Manager continues to reevaluate and apply identity policies until the user is synchronized with all applicable policies, or until CA Identity Manager reaches the maximum recursion level, which is defined in the Management Console.

    For example, an identity policy may change a user's department when the user is assigned a role. The new department triggers another identity policy. However, if the recursion level is set to 1, the subsequent change is not made until the user is synchronized again.

    For more information about setting the recursion level, see the Management Console Online Help.
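The following is an added simulation of the evaluation loop described in steps 2-6; it is not code from CA Identity Manager and does not use its API. It assumes a policy is a condition plus an allocate and deallocate action, that the `%IDENTITY_POLICY%` attribute is represented by a set of applied policy names, that the reallocation list (policies that already applied and still match) is handled by re-running their allocate action, and that the recursion level counts application passes per synchronization, so a level of 1 performs exactly one pass. The two policies are constructed to mirror the department example above: the first sets the department when a role is present, and the new department triggers the second.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple

Attrs = Dict[str, Any]


@dataclass
class IdentityPolicy:
    """A policy: a membership condition, the change made on allocation and
    the change that undoes it on deallocation (assumed model)."""
    name: str
    applies: Callable[[Attrs], bool]
    allocate: Callable[[Attrs], None]
    deallocate: Callable[[Attrs], None]


@dataclass
class User:
    attrs: Attrs
    # Stands in for the %IDENTITY_POLICY% well-known attribute: the names of
    # the policies already applied to this user.
    applied: Set[str] = field(default_factory=set)


@dataclass
class SyncResult:
    synchronized: bool  # True when no allocation or deallocation is pending
    passes: int         # number of application passes performed


def evaluate(user: User, policies: List[IdentityPolicy]) -> Tuple[list, list, list]:
    """Steps 2-3: compare the policies that match now with the applied list."""
    matching = {p.name for p in policies if p.applies(user.attrs)}
    deallocation = [p for p in policies if p.name in user.applied and p.name not in matching]
    allocation = [p for p in policies if p.name in matching and p.name not in user.applied]
    reallocation = [p for p in policies if p.name in matching and p.name in user.applied]
    return deallocation, allocation, reallocation


def synchronize(user: User, policies: List[IdentityPolicy], max_recursion: int) -> SyncResult:
    """Steps 4-6: apply in the fixed order, then re-evaluate until the user is
    synchronized or the recursion level is exhausted."""
    passes = 0
    while passes < max_recursion:
        deallocation, allocation, reallocation = evaluate(user, policies)
        if not deallocation and not allocation:
            return SyncResult(True, passes)
        passes += 1
        for p in deallocation:           # 1. deallocation list
            p.deallocate(user.attrs)
            user.applied.discard(p.name)
        for p in allocation:             # 2. allocation list
            p.allocate(user.attrs)
            user.applied.add(p.name)
        for p in reallocation:           # 3. reallocation list (assumed idempotent)
            p.allocate(user.attrs)
    # Recursion level reached: report whether work is left for the next sync.
    deallocation, allocation, _ = evaluate(user, policies)
    return SyncResult(not deallocation and not allocation, passes)


def demo_policies() -> List[IdentityPolicy]:
    """Constructed policies: a role sets the department, and that department
    in turn adds the user to a distribution group (hypothetical names)."""
    return [
        IdentityPolicy(
            "manager-department",
            applies=lambda a: "Manager" in a["roles"],
            allocate=lambda a: a.update(department="Management"),
            deallocate=lambda a: a.update(department=None),
        ),
        IdentityPolicy(
            "management-mail-list",
            applies=lambda a: a.get("department") == "Management",
            allocate=lambda a: a["groups"].add("mgmt-dl"),
            deallocate=lambda a: a["groups"].discard("mgmt-dl"),
        ),
    ]


def make_user(roles) -> User:
    """Constructed sample user profile."""
    return User({"roles": set(roles), "department": "Engineering", "groups": set()})


if __name__ == "__main__":
    policies = demo_policies()
    u = make_user(["Manager"])
    print("level 1, first sync:", synchronize(u, policies, 1), u.attrs)
    print("level 1, second sync:", synchronize(u, policies, 1), u.attrs)
    u = make_user(["Manager"])
    print("level 3, one sync:", synchronize(u, policies, 3), u.attrs)
```

With a recursion level of 1 the first synchronization changes the department but leaves the group membership for the next synchronization, exactly the behaviour the example above describes; with a higher level both changes land in one run. The same loop also shows the deallocation path: removing the role deallocates the department policy on the first pass and the group policy on the second.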

More information:

Configure Automatic User Synchronization

Synchronize Users Manually

Verify User Synchronization