IdM 4.0.1, AD Driver package NOVLADENTEX 1.0.1 (also in 1.0.5)
Sub-Command, NOVLADENTEX-sub-ctp-EntitlementsImpl

I think I've encountered a bug in policy
NOVLADENTEX-sub-ctp-EntitlementsImpl. When the disable option is chosen
and a user's entitlement UserAccount is removed, the account is disabled
in AD, which is good. However, just as for the delete option,
attributes DirXML-ADAliasName and DirXML-ADContext are cleared and the
association is removed. I think that is not needed and even

It stops any further updates to the account in AD (in
NOVLADENTEX-sub-cp-EntitlementsImpl). A merge takes place when the
entitlement UserAccount is added again, so most attributes are synced
then. However, group memberships are not included

So, if the group membership of the user changed before regaining the
entitlement UserAccount, that change will not reach AD. The
corresponding change to the group could also not be provisioned
successfully, since the "Fixing up association references." step
resulted in a warning (user had no association).

The only solution to fix this afterwards is to "migrate" the group to AD
again (thereby adding missing users and removing superfluous ones).

Because of the above, I think clearing attributes DirXML-ADAliasName,
DirXML-ADContext and the association is wrong for the disable option.
Or am I missing something? Is there a good reason to do it that way?

bartvdb's Profile:
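As an added illustration (a constructed Python model, not the NOVLADENTEX policy's own code and not a real IdM or AD driver API), the following toy driver compares the two possible "disable" branches: one that clears DirXML-ADAliasName, DirXML-ADContext and the association as the post observes, and one that only disables the account and keeps the association. It then replays the sequence described above (grant, group change, revoke, group change while disabled, grant again) and reports whether the group membership made while the account was disabled reaches AD. All class and function names, the sample DN and the alias/context values are assumptions for the sake of the example.

```python
"""Toy model of the entitlement-removal path described in the post.

Constructed illustration only: it is not the NOVLADENTEX policy and does not
call any real IdM API. It models two variants of the "disable" branch and
shows why a group-membership change made while the account is disabled
reaches AD only when the association is kept.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IdvUser:
    """Identity Vault user; attribute names follow the post."""
    dn: str
    entitled: bool = False
    groups: set = field(default_factory=set)
    ad_alias: Optional[str] = None      # DirXML-ADAliasName
    ad_context: Optional[str] = None    # DirXML-ADContext
    association: Optional[str] = None   # driver association value


@dataclass
class AdAccount:
    """The matching AD account (keyed by the IDV DN in this model)."""
    disabled: bool = False
    groups: set = field(default_factory=set)


class AdDriver:
    """Hypothetical driver with a switchable disable behaviour."""

    def __init__(self, clear_on_disable: bool):
        self.clear_on_disable = clear_on_disable
        self.ad = {}          # dn -> AdAccount
        self.warnings = []    # messages the driver would log as warnings

    def grant(self, user: IdvUser) -> None:
        """UserAccount entitlement added."""
        user.entitled = True
        acct = self.ad.setdefault(user.dn, AdAccount())
        acct.disabled = False
        if user.association is None:
            # Create-or-merge path: ordinary attributes are merged and the
            # association is written back, but (as the post observes) group
            # memberships are not part of that merge.
            user.ad_alias = "alice"                         # assumed value
            user.ad_context = "OU=Users,DC=example,DC=test"  # assumed value
            user.association = user.dn

    def revoke(self, user: IdvUser) -> None:
        """UserAccount entitlement removed with the 'disable' option."""
        user.entitled = False
        self.ad[user.dn].disabled = True
        if self.clear_on_disable:
            # Behaviour the post reports: same cleanup as the delete option.
            user.ad_alias = user.ad_context = user.association = None

    def change_groups(self, user: IdvUser, new_groups) -> None:
        """Group-membership modify event arriving from the Identity Vault."""
        user.groups = set(new_groups)
        if user.association is None:
            # "Fixing up association references" cannot resolve the member.
            self.warnings.append(f"{user.dn}: no association, membership not synced")
            return
        self.ad[user.dn].groups = set(new_groups)


def simulate(clear_on_disable: bool) -> dict:
    """Replay the scenario from the post and report the resulting state."""
    drv = AdDriver(clear_on_disable)
    user = IdvUser(dn="cn=alice,ou=users,o=idv")   # constructed sample user
    drv.grant(user)
    drv.change_groups(user, {"cn=staff"})
    drv.revoke(user)                                 # account disabled in AD
    drv.change_groups(user, {"cn=staff", "cn=finance"})   # change while disabled
    drv.grant(user)                                  # entitlement regained
    acct = drv.ad[user.dn]
    return {
        "idv_groups": set(user.groups),
        "ad_groups": set(acct.groups),
        "drift": user.groups != acct.groups,
        "warnings": list(drv.warnings),
        "disabled": acct.disabled,
    }


if __name__ == "__main__":
    for variant in (True, False):
        print("clear_on_disable =", variant, "->", simulate(variant))
```

Running `simulate(True)` reproduces the situation in the post: the finance membership stays in the Identity Vault only, a warning is recorded for the membership event, and the later re-grant does not repair the gap. `simulate(False)` shows that keeping the association is enough for the membership event to land in AD while the account is disabled, which is the behaviour the post argues the disable option should have.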