000038730 - Attribute Synchronization sometimes updates attributes with attribute variable names instead of attribute values in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 14, 2020Last modified by RSA Customer Support Employee on May 26, 2020
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000038730
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1, 7.2.0
 
IssueAttribute Synchronization sometimes updates attributes with attribute variable names instead of attribute values in RSA Identity Governance & Lifecycle.

In the following example, Active Directory has two custom attribute fields that are updated by an Active Directory AFX connector when attribute synchronization detects one or both attributes have been modified via another collector type. These custom attributes are account attribute Employee_Status and user attribute Department. In AFX, their corresponding mapping variable names are ${Account.Employee_Status_ES} and ${User.Department}

Note: When defining custom attributes (Admin > Attributes), there is an Attribute Name and a Reference Name. These names can be different. In this case, the employee status Attribute Name is Employee_Status and the Reference Name is Employee_Status_ES. The reference name is used when mapping the attribute in AFX.
 
  1. Existing values in Active Directory prior to collection:

  • Employee_Status=Active
  • Department=Engineering

  1. After collection, a change in department is detected. The new department is Accounting.

After attribute synchronization, the expected result in Active Directory is:


  • Employee_Status=Active
  • Department=Accounting

The actual behavior is:


  • Employee_Status=${Account.Employee_Status_ES}
  • Department=Accounting

Note the Employee_Status has been updated with the custom attribute variable name rather than the field value which should have remained Active.


 
CauseThis problem occurs when:
  • There is more than one attribute defined for attribute synchronization but not all the attributes need to be updated. (In this case both attributes are defined in the attribute synchronization process but the Employee_Status attribute did not change and therefore did not need to be updated.)
  • The Attribute Name and Reference Name of the custom attribute are different. (In this case, the employee status Attribute Name is Employee_Status and the Reference Name is Employee_Status_ES.)
This is a known issue reported in engineering ticket ACM-102023.
 
ResolutionThis issue is resolved in RSA Identity Governance & Lifecycle 7.1.1 P07;
 
WorkaroundUse the same Attribute Name and Reference Name for custom attributes used in Attribute Synchronization.
 

Attachments

    Outcomes