Hi Gilles, it sounds like the join directive, which sets the precedence of the policies when there is more than one provisioning different values for the same attribute.
Although by default in multivalue attributes, like groups, the join directive is set as union (both groups will be provisioned), it seems to be working as priority (the highest-priority policy, the one with the lowest value, has precedence; in your case, the policy linked to Role B).
I hope it helps.
------------------------------
Felipe Risalde Serrano
Security Expert
Banco de España
------------------------------
Original Message:
Sent: Tue May 02, 2023 04:56 AM
From: Gilles Mahout
Subject: Swapping roles with same service in ISIM not possible?
We are using Security Identity Manager V7.0.2 for provisioning services based on roles to users. The issue we are having is when we have 2 roles with the same service but different parameters. For example, we have 2 roles:
- Role A provisioning an AD account with specific AD groups to an AD server,
- Role B provisioning an AD account but with different AD groups to the same AD server.
If a user has Role A and we change it to Role B, then submit the change, the AD groups don't get changed. But if we remove Role A, submit, then add Role B and submit, everything works fine. Could it be an issue with the AD configuration of the agent on the AD server, or a limitation from ISIM?
Thanks!
Gilles
------------------------------
Gilles Mahout
Pirean
Fareham
------------------------------