Attribute Synchronization sometimes updates attributes with attribute variable names instead of attribute values in RSA Identity Governance & Lifecycle
Originally Published: 2020-04-14
Article Number
Applies To
RSA Version/Condition: 7.1.1, 7.2.0
Issue
In the following example, Active Directory has two custom attribute fields that are updated by an Active Directory AFX connector when attribute synchronization detects one or both attributes have been modified via another collector type. These custom attributes are account attribute Employee_Status and user attribute Department. In AFX, their corresponding mapping variable names are ${Account.Employee_Status_ES} and ${User.Department}.
Note: When defining custom attributes (Admin > Attributes), there is an Attribute Name and a Reference Name. These names can be different. In this case, the employee status Attribute Name is Employee_Status and the Reference Name is Employee_Status_ES. The reference name is used when mapping the attribute in AFX.
- Existing values in Active Directory prior to collection:
- Employee_Status=Active
- Department=Engineering
- After collection, a change in department is detected. The new department is Accounting.
After attribute synchronization, the expected result in Active Directory is:
- Employee_Status=Active
- Department=Accounting
The actual behavior is:
- Employee_Status=${Account.Employee_Status_ES}
- Department=Accounting
Note the Employee_Status has been updated with the custom attribute variable name rather than the field value which should have remained Active.
Cause
- There is more than one attribute defined for attribute synchronization but not all the attributes need to be updated. (In this case both attributes are defined in the attribute synchronization process but the Employee_Status attribute did not change and therefore did not need to be updated.)
- The Attribute Name and Reference Name of the custom attribute are different. (In this case, the employee status Attribute Name is Employee_Status and the Reference Name is Employee_Status_ES.)
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P07
- RSA Identity Governance & Lifecycle 7.2.0 P02
Workaround
Related Articles
Security Domains Number of Views Creating Multiple Requests and Archiving Requests Number of Views Modifying Group Membership in an LDAP Directory Number of Views Multiple entitlements in RSA Identity Governance and Lifecycle cause supervisor approval to fail with ORA-22275: invalid L… Number of Views CSV Format for User Group Membership Requests Input File Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Release Notes for RSA Authentication Manager 8.8 RSA RADIUS Server service failed to start in the RSA Authentication Manager 8.1 Operations Console Microsoft Entra ID External MFA - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide RSA Release Notes: Cloud Access Service and RSA Authenticators
Don't see what you're looking for?
