User with roles synchronization can also be used to remove extra account templates from an account. This is only done if you select the delete option. When user synchronization determines that an account needs to be updated to remove one or more extra account templates, account synchronization is run automatically on the account to synchronize its capability attributes with the account templates remaining on the account.
The account synchronization that occurs when account templates are removed from an account uses strong synchronization if any of the remaining account templates is marked for strong synchronization, and weak synchronization if all of the remaining account templates are marked for weak synchronization.
The choice between weak and strong synchronization determines whether account capabilities that were granted when an account template was assigned to an account are taken away when that account template is later removed. With strong synchronization, a capability granted by an account template, such as a group membership or higher quota, will be taken away (group membership removed or quota lowered) if none of the account templates remaining on the account prescribe that capability. However, with weak synchronization, typically the account is unchanged because the Provisioning Server does not distinguish between on-demand extra capabilities and capabilities granted through account templates.
The exception to this rule is for certain multivalued capability attributes designated as SyncRemoveValues attributes. A simple multivalued attribute representing a collection of values assigned to the account (a group membership list, say) will typically be listed as a SyncRemoveValues attribute. For these attributes, the weak synchronization action that occurs while removing an account template from an account will remove the values prescribed by the account template that is being removed, as long as a value is not also prescribed by one of the remaining account templates.
For example, if you create your account templates so that each account template assigns a unique group membership to your account, the SyncRemoveValues feature means that when you change a global user's provisioning roles so as to no longer require a particular account template, the account is updated to no longer belong to the group prescribed by that account template. Note that this is not exactly the same as strong synchronization, because group memberships given to accounts beyond what is prescribed by account templates are retained.
For all single-valued attributes and certain multivalued attributes which are not designated as SyncRemoveValues attributes, the weak synchronization action while removing an account template from an account is the same as a normal weak synchronization action: capabilities are never removed.
If you want the capabilities never to be removed by weak synchronization, disable the SyncRemoveValues feature by setting the domain configuration parameter Synchronize/Remove Account Template Values from Accounts to No.
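The following added example (a Python model written for this page, not Provisioning Server code) works through the removal rules above for one multivalued group-membership attribute. The class, function and parameter names and the sample group values are constructed for illustration, and the strong-synchronization branch assumes that only prescribed values are kept.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Template:
    name: str
    groups: frozenset        # values this template prescribes for the attribute
    strong: bool = False     # True = marked for strong synchronization

def groups_after_removal(account_groups, removed, remaining,
                         remove_values_enabled=True, is_sync_remove_attr=True):
    """Model the group list left on an account once `removed` is taken off it.

    remove_values_enabled stands in for the domain parameter
    "Synchronize/Remove Account Template Values from Accounts" (Yes/No);
    is_sync_remove_attr says whether the attribute is a SyncRemoveValues one.
    """
    current = set(account_groups)
    still_prescribed = set()
    for tmpl in remaining:
        still_prescribed |= tmpl.groups

    # Strong if any remaining template is strong, weak if all are weak.
    if any(tmpl.strong for tmpl in remaining):
        # Assumption of this model: strong sync keeps only prescribed values,
        # so on-demand extras go along with the removed template's values.
        return current & still_prescribed

    if remove_values_enabled and is_sync_remove_attr:
        # Weak sync with SyncRemoveValues: drop only what the removed template
        # prescribed and no remaining template still prescribes.
        return current - (removed.groups - still_prescribed)

    # Plain weak sync: capabilities are never removed.
    return current

# Constructed sample data: "oncall" was granted on demand, outside any template.
ACCOUNT = {"finance", "staff", "vpn", "oncall"}
FINANCE = Template("FinanceTemplate", frozenset({"finance", "staff"}))
BASE_WEAK = Template("BaseTemplate", frozenset({"vpn", "staff"}))
BASE_STRONG = Template("BaseTemplate", frozenset({"vpn", "staff"}), strong=True)

if __name__ == "__main__":
    for label, kwargs, rest in [
        ("weak + SyncRemoveValues", {}, [BASE_WEAK]),
        ("weak, parameter set to No", {"remove_values_enabled": False}, [BASE_WEAK]),
        ("strong", {}, [BASE_STRONG]),
    ]:
        print(label, sorted(groups_after_removal(ACCOUNT, FINANCE, rest, **kwargs)))
```

In the weak case with SyncRemoveValues, only "finance" is dropped: "staff" survives because the remaining template still prescribes it, and the on-demand "oncall" membership is retained, which is the stale-entitlement case to review when templates are marked weak.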
Copyright © 2013 CA.
All rights reserved.