How Users and Identity Policies Are Synchronized
When using identity policies, it is important to understand how CA Identity Manager evaluates and applies the policies to users. Without a thorough understanding of the user synchronization process, you may configure identity policy sets that yield unexpected results.
The following procedure describes how CA Identity Manager evaluates and applies identity policies:

1. The user synchronization process begins in one of two ways:
   - Automatically—You can configure CA Identity Manager tasks to automatically trigger user synchronization.
   - Manually—Use the Synchronize User task in the User Console to synchronize a user.
2. CA Identity Manager determines the set of identity policies that apply to the user.
3. CA Identity Manager compares the set of identity policies that apply to the user with the list of policies that have already been applied to that user.

   Note: The list of policies that have been applied to a user is stored in the %IDENTITY_POLICY% well-known attribute in the user profile. For information on configuring this attribute, see the Configuration Guide.

   - If an identity policy is on the list of applicable policies and has not been applied to the user previously, CA Identity Manager adds the policy to an allocation list.
   - If an identity policy is on the list of applicable policies, has been applied to the user previously, and the Apply Once setting for the policy is disabled, CA Identity Manager adds the policy to a reallocation list.
   - If an identity policy is not on the list of applicable policies but has been applied to the user previously, the user no longer matches the policy condition. CA Identity Manager adds the policy to a deallocation list.
4. After CA Identity Manager evaluates all of the policies for a user, it applies policies in the following order:
   1. Identity policies from the deallocation list
   2. Identity policies from the allocation list
   3. Identity policies from the reallocation list
5. After the identity policies have been applied, CA Identity Manager reevaluates the policies to see if any additional changes are needed based on changes that occurred in the first synchronization pass (steps 2-4). This ensures that changes made by applying identity policies did not trigger other identity policies.
6. CA Identity Manager continues to reevaluate and apply identity policies until the user is synchronized with all applicable policies, or until CA Identity Manager reaches the maximum recursion level, which is defined in the Management Console.

   For example, an identity policy may change a user's department when the user is assigned a role. The new department triggers another identity policy. However, if the recursion level is set to 1, the subsequent change is not made until the user is synchronized again.

For more information about setting the recursion level, see the Management Console Online Help.
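The allocation, reallocation and deallocation logic and the recursion cap described above, as an added Python model that is not CA Identity Manager code. The policy names, user attributes, the `undo` hook and the treatment of the recursion level as the total number of evaluation passes are constructed assumptions:

```python
import copy

APPLIED = "%IDENTITY_POLICY%"  # well-known attribute listing applied policy names

class Policy:
    def __init__(self, name, condition, action, undo=None, apply_once=False):
        self.name = name              # unique name recorded in APPLIED
        self.condition = condition    # user -> bool: does the policy apply?
        self.action = action          # user -> None: change the profile
        self.undo = undo              # user -> None: reverse it on deallocation (assumed)
        self.apply_once = apply_once  # True: never placed on the reallocation list

def evaluate(user, policies):
    """One pass of steps 2-4: build the three lists, then apply them in order."""
    applied = user.setdefault(APPLIED, set())
    applicable = {p.name for p in policies if p.condition(user)}
    dealloc = [p for p in policies if p.name not in applicable and p.name in applied]
    alloc = [p for p in policies if p.name in applicable and p.name not in applied]
    realloc = [p for p in policies
               if p.name in applicable and p.name in applied and not p.apply_once]
    for p in dealloc:            # user no longer matches: reverse and forget
        if p.undo:
            p.undo(user)
        applied.discard(p.name)
    for p in alloc + realloc:    # allocation before reallocation
        p.action(user)
        applied.add(p.name)

def synchronize(user, policies, max_recursion=1):
    """Steps 5-6: re-evaluate until a pass changes nothing or the cap is reached."""
    for _ in range(max_recursion):   # assumption: cap = total number of passes
        before = copy.deepcopy(user)
        evaluate(user, policies)
        if user == before:       # synchronized with all applicable policies
            break
    return user

# Constructed policies mirroring the page's example: a role sets the department,
# and the new department then triggers a second policy.
POLICIES = [
    Policy("dept-by-role", lambda u: "analyst" in u["roles"],
           lambda u: u.update(department="Finance"),
           undo=lambda u: u.update(department="")),
    Policy("finance-group", lambda u: u["department"] == "Finance",
           lambda u: u["groups"].add("finance-app"),
           undo=lambda u: u["groups"].discard("finance-app")),
]

def new_user(*roles):
    return {"roles": set(roles), "department": "", "groups": set(), APPLIED: set()}
```

With `max_recursion=1` the department changes but the group membership it triggers waits for the next synchronization, exactly as the text describes; with a higher level the second policy is applied in the following pass, and removing the role later cascades back through both deallocations.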
Copyright © 2015 CA Technologies.
All rights reserved.